This blog post is a summary of, and companion to, the SecurityMetrics webinar “How to Protect Your Ecommerce Website Against Eskimming”, hosted by Matt Heffelfinger and Aaron Willis. Check out the video webinar here.
As one of the world's leading compliance, risk, and cybersecurity companies, SecurityMetrics helps businesses of all sizes stay secure and see the threats they've been missing.
We have been in business protecting our clients for over 24 years now. We have developed some of the world’s leading technology that identifies ecommerce threats and helps businesses protect their online shopping cart.
By the end of this blog post, you will be able to:
Let’s dive in and answer some of the big questions around protecting your ecommerce site!
SecurityMetrics developed tools to identify this unique attack surface. We call the tools Shopping Cart Inspect (SCI) and Shopping Cart Monitor (SCM).
SecurityMetrics’ ecommerce threat hunters consistently notice strange events happening within ecommerce infrastructure. This includes unauthorized resellers who like to market your company’s products inside their own domain and shopping cart for the sole intent of capturing the credit card. Sometimes they will even offer the customer a better (fake) price. Once the bad guys have the credit card, sometimes they will even create an order on your website using the same transaction data. This way, the customer still gets the product and doesn’t realize anything happened, prolonging the fraud period.
If you have a shopping cart, then more than likely, your business has third party scripts running in your online shopping cart. These scripts may come from your marketing department, finance teams or other divisions in your company who require these scripts to run in order to collect data required for the business to be successful. Therefore the shopping cart can become very messy, really fast with all these scripts operating.
SecurityMetrics Threat Hunters specialize in identifying these compromised 3rd party scripts and plugins. SecurityMetrics products and services like Shopping Cart Monitor (SCM) or Shopping Cart Inspect (SCI) can identify threat actors who gain access into online shopping carts to place their malicious code.
Threat actors continue to compromise a number of the fundamental pieces of shopping cart transactions including things like ad networks, code suppliers, traffic exchanges and business intelligence scripts.
For example, an attacker may pose as a legitimate advertiser in an ad exchange network. However every so often they will submit a malicious script that captures any text data in the browser window or frame where it is executed and then disappears for a long time. This allows them to harvest credit cards from many different merchants’ websites that use that traffic exchange while not setting off any alarm bells that would trigger an investigation and get the party shut down. To a merchant, the only clue you may have that this is happening is a report each month from the card brands or your acquirer that you are constantly leaking a few cards each month.
Another example is when a content delivery network (CDN) gets compromised and threat actors corrupt a shared JavaScript library. If you use that code on your website for legitimate business purposes, a few lines of malicious code is all the attackers may need to steal your customers’ credit cards as they are typed in. This compromised code can be extremely difficult to spot or detect.
In addition, threat actors are using dedicated distributed hosts for injection and drop. These bad guys like to send your ecommerce data all over the place. Our team has seen compromised websites where they source the code from a compromised content delivery network. Threat Actors will use the compromised CDN to get the code and then capture the CDN data to send it off to a completely different compromised host.
A threat actor is a bad guy intent on doing harm to your shopping infrastructure usually with the intent of stealing your customer’s credit card data, but their motives can vary.
Generally speaking in the world of ecommerce threat actors, there are at least seven (7) types or varieties of Magecart. The name Magecart is a generally accepted umbrella industry term that really describes a group of attacks or types of attacks on ecommerce infrastructure. You can think of Magecart as organized crime - little groups here, little groups there, or the “Internet mafia”. Their most common goal is to exploit your website to capture any valuable data they can get from it.
Sometimes, if they can't get anything from your site, they may just lock it up with ransomware and hold your ecommerce data hostage.
We know of at least seven (7) varieties of malicious JavaScript code being embedded into ecommerce platforms. They cast a very wide net because they use automated tools. What were originally Magecart Groups One and Two have now evolved into Magecart 3.0, which often targets high-volume ecommerce environments.
Magecart 4.0 became really advanced. That is where you see attackers going after the analytic providers, ad providers, and mimicking your domain, for example.
And it’s still evolving. We have Magecart 5.0, 6.0, and now 7.0 with more groups still to be identified. Magecart Group Five was responsible for the famous Ticketmaster breach back in 2016.
Today, the latest evolution of ecommerce threats is Magikarp. This includes threat actors who use dedicated hosts for injection and drops, exfiltration, and compromised sites as proxies.
It can be extremely difficult, especially if you do not know what to look for or how to mitigate and correct once found.
It can also be challenging if your business does not know all the plugins or 3rd party scripts running in your ecommerce infrastructure. If you do not have inventory of everything happening in your shopping cart platform, then it can be incredibly hard to find, especially when the checkout process is occurring in the browser.
When it comes to iterative attacks, the attackers are not going to try to get every single card.
Threat actors know that if they grab everything on a large, enterprise-sized ecommerce site, they will be detected and their operation will be shut down fairly quickly. Instead, they will often try to “fly below the radar” by exfiltrating a few credit cards at a time. They want to avoid any possible detection by the card brands or the acquirers, and they do not want to be identified as the cause of a problem on the victim’s website.
Threat actors inject the smallest amount of code to make it as difficult as possible for SecurityMetrics Threat Hunters to identify them.
Additionally, they use triggers that can be based on things like which shipper the customer chooses, whether the customer uses a coupon code, or simply whether the visitor comes from certain IP ranges.
When you compare an ecommerce environment to a point-of-sale (POS) environment you see one glaring difference. The POS environment is typically locked down. If you wanted a script running in a point-of-sale environment, you had to get approval from all over the place.
However in an ecommerce environment, there are many extras that can be placed into your checkout page, including:
All of these extras can create a massive ecommerce attack surface area that bad guys love to exploit.
The amount of ecommerce surface area that attackers can target has grown exponentially over the last decade due to these extras. Every additional source of code is just another doorway and opportunity for the bad guys to exploit.
Online shopping carts have had quite the evolution. At one time, all the web page code came from the merchant's own web server. That has now changed.
Initially, when ecommerce sites went online, there were lots of merchants that could just put a shopping cart in place, such as an off-the-shelf cart where everything was centralized on one server.
Today’s modern online shopping experience for customers mostly happens inside the web browser. This creates a very interesting and broad attack surface to potentially compromise. Shopping cart components often come from upstream suppliers, content delivery networks, tag management systems and a variety of databases.
What really inspired SecurityMetrics to create and develop a tool to find ecommerce threats was based on our two decades of experience in the Payment Card Industry (PCI).
We are world leaders when it comes to compliance, auditing, and risk. We saw these ecommerce threat trends occurring decades before everyone else. Our team of ecommerce experts has been studying these online payment threats while developing the best tools to identify them.
Our approach is unique in how we tried to solve this problem by simulating the transaction process in a repeatable way. Threat actors have grown exceptionally skilled at detecting any security measures present and deploying countermeasures to steal data without detection.
We find iterative attacks by not only examining third-party script suppliers, but also expanding the attack surface area to include the full scope of potential threats, in such a way that the bad guys do not even know we are there.
To see an example of how SecurityMetrics detects ecommerce threats, such as what happens via a third-party exploit, watch the webinar at 15:37.
The video shows that when a customer inputs their ZIP code on a particular site, the shipping plug-ins would activate so that the customer would know how much each of the shippers would charge, and they can select whichever shipper they want.
The merchant had a discount shipper on there, which was fairly new to the game. But that shipper had a compromise on their website. So whenever the merchant's website would call that plug-in to get the shipping code, it would just bring over a little bit of malware.
And it's just a couple of lines of JavaScript in the thousands of lines that were being called.
In this particular case, the malware only activates when you choose one particular shipping option. So this example shows that it is not the big-name shippers that trigger it; only when I select “ship to you” does the malware get loaded.
The malware was able to get in and grab that card data when we chose the “ship to you” option.
This is absolutely fascinating from a threat identification perspective. This case was particularly scary because there was no real compromise of the merchant's website. The attackers never got into the merchant’s site; instead they compromised the plugin the site was using, which is hosted off the merchant's website.
This plugin was only introduced into the browser at the moment of checkout. As soon as the customer clicked on that shipping option, the malware was called.
The attackers will attempt to take advantage of any code, plugin, or 3rd party script that's inside your online shopping cart. For example, if they can get in and find an exploitable coupon database, then they will target that database.
Threat actors’ goals can change; however, once they have initial access they will generally target any weakness they can find that is potentially exploitable.
It gets really difficult for even experienced threat hunters to detect what is going on because you have to be there right when that trigger fires, which is difficult because it is often a random trigger.
Tools like File Integrity Monitoring (FIM, which SecurityMetrics offers) can be a huge threat detection advantage, and FIM is a PCI DSS requirement.
SecurityMetrics FIM runs on the server side. When FIM is set up and configured correctly, it will alert your staff anytime those core configuration files or checkout pages are changed on the server side.
However, it is imperative that a skilled person is watching the FIM logs. So many times, SecurityMetrics’ forensics team has found early evidence of an attack in file integrity logs, but nobody was paying attention and it went undetected. Many times, the merchant believes their host or outsourced IT staff is monitoring. All too often, this is not the case.
Make sure you understand who’s responsible for log monitoring for all relevant logs.
Utilizing automated patch management tools or following patching best practices can help too. At the end of the day, even if you have FIM and Patching, along with basic ecommerce cyber hygiene practice being followed, you will still have 3rd party code running inside the shopping cart that will need to be regularly inventoried and assessed. You must ensure you are scanning for the 3rd party code and regularly looking for eskimmers.
Other recommendations include deploying a Content Security Policy (CSP) and Subresource Integrity (SRI). These can help, but realize they are often very complicated to get right. Many times, we see large enterprises not utilizing these controls to their fullest potential.
So the big question remains: what are your options or solutions when all these business units say they need these 3rd party scripts to help the business?
Protecting your business is really about doing what's best for your business.
We often explain to our clients that it is very important to strike a balance between what's necessary to protect your business, generate the required ecommerce data analytics and to operate within your budget. Your budget really needs to reflect the value of your data, and the risk to your company.
If you're a big enterprise sized company, you've got valuable data layered in many areas, often required by the various business units or departments.
Many companies are also leaning on AI more and more to identify ecommerce threats and to inventory all those 3rd party scripts. AI can be a positive tool, but it can also bring a ton of drawbacks. AI is at a point where it can generate a lot of code, but it is by no means a replacement yet for the skilled knowledge of ecommerce threat hunters.
A typical effective shopping cart security implementation will include a combination of the following:
Your goal is to eliminate doorways and opportunities for threat actors to grab that card. You want to force the attacker to be right there at that moment, which helps your team identify their activity, and you want your security partner to be there at that moment as well. That's really the beauty of SecurityMetrics Shopping Cart Monitor (SCM) and Shopping Cart Inspect (SCI). A partner like SecurityMetrics can do so much to ensure your checkout process is protected and functioning correctly.
The recommendations listed above should be part of any robust ecommerce security plan. Additionally, you are encouraged to follow these additional recommendations:
Ecommerce threats require advanced knowledge and eskimmer education for staff. Enhancing your staff's current knowledge of the tactics, techniques and processes that threat actors like Magecart use will help. Ensure your staff is well aware of the different doorways and initial access points that Magecart utilizes.
SecurityMetrics offers a FREE weekly threat intelligence email which can be signed up for here. This weekly email will highlight all the ecommerce threat actor news to keep you and your team informed and empowered to fight back. We feature all the latest shopping cart ecommerce threats that are in the news so you're ahead of the story before it happens to you. And it's completely free. There's no cost to you to sign up for it. Education and awareness are a critical piece of our emails. We tailor the information in there to cover cybersecurity topics with special emphasis on the latest skimmer threats.
At the enterprise level, getting a baseline or idea of what ‘normal’ looks like in your online shopping cart is vital. In PCI DSS v4.0, requirement 6.4.3 addresses exactly this baseline issue. You must know what scripts are running in your shopping cart, especially when credit card data is present. You need to know if there are ad networks running or traffic exchanges, business analytics scripts, or anything there that could potentially have access to that card data.
You've got to know what it is and what it looks like when it's running. If you get that baseline, it's a whole lot easier to spot anomalies that happen. Not knowing what's even happening in your environment and not having a baseline is a really hard spot to be in. It is critical to get that baseline and it's really inexpensive to do.
SecurityMetrics Shopping Cart Inspect (SCI) generates a report that lists the exact 3rd party scripts we identified as potentially malicious or suspicious. Shopping Cart Inspect reports will help you identify your ecommerce strengths and weaknesses, so that you have actionable items. SecurityMetrics Threat Hunters will identify the ecommerce vulnerabilities that we think might be exploitable on your website. If malware is found, we can work with you to formulate a plan to get those holes plugged so that you're not dealing with this again six months later.
That's a common misconception. At the end of the day, it's your account. It is your responsibility.
There are all kinds of third-party agreements, and we see lots of third parties that claim to be PCI compliant. But when we dig into a breach, we find out that they're not, even though they're advertising that they are. So if you're using these 3rd party services, always do your due diligence. Make sure the agreement clearly delineates which responsibilities belong to which party.
We see it especially with logging, where a staff member thinks someone else is handling the logging and they are not. Ask them. Confirm. Get it in writing.
Get started early. Don't wait until the requirement is mandated. Start getting those things in place now because it can be complicated.
Consider outsourcing this activity to a company like SecurityMetrics. SecurityMetrics offers Shopping Cart Monitor (SCM), which specifically addresses requirements 6.4.3 and 11.6.1. Make sure that the integrity is there.
Verify that the code of any 3rd party plugin you call is actually what gets imported onto your website.
If something changes in that code, you need to know about it so you can vet those changes.
We mentioned it before, but remember these are the iterative attacks.
Iterative attacks are hard to detect because they fly under the radar. The attack may come from a 3rd Party plugin that you whitelisted.
REMEMBER: if you have multiple 3rd Party service providers on your checkout page, then you need to vet those before you use them.
If you whitelist those providers and think that that code is all legitimate, YET you are still finding evidence of compromise including loss of credit card data, then it is time to thoroughly look at all of your 3rd party suppliers.
Often, most of those 3rd party scripts or plugins are not really necessary on the checkout page. SecurityMetrics Threat Hunters consistently see analytics scripts, traffic exchanges and other 3rd party code running on the checkout page when it really could be moved out of that process.
YES! We created a second webinar that is specifically tailored for small to medium sized business owners including their IT staff. That webinar is designed with less technical jargon and at a slower pace. You are welcome to check that out here.
With the sheer complexity of the modern ecommerce transaction, enterprise clients need to be fully aware of what is happening during the checkout process and regularly vet each component of that process. Attacks can come from anywhere at any time and no one is immune. Even if you have outsourced the checkout process to your payment gateway and never even see a credit card number, the responsibility for protecting your customer’s transaction data cannot be transferred. If it is your merchant account and credit card data is stolen, you will be left holding the bag when all the chips fall.
Many payment security solutions leave a gaping hole in browser side security that attackers are exploiting with increasing skill and stealth. There is no shortage of times our investigations have found merchants with the biggest, baddest, and most expensive solutions that have no eyes on the transaction process at the exact moment the customer is typing in their credit card. You need a solution, such as Shopping Cart Monitor, that is purposely created to protect that exact moment when the customer’s credit card is most vulnerable.
If you’d like to learn more about SecurityMetrics Shopping Cart Monitor (SCM) or Shopping Cart Inspect (SCI), give us a call. We will gladly show you and your staff exactly what we learned from decades of protecting customer transactions.
You can also watch the video version of this webinar here.