Web skimming attacks did not see a big spike during COVID-19 quarantines
The current coronavirus (COVID-19) quarantine periods imposed all over the globe have forced a large portion of the world's population towards online shopping.
But despite amid a dramatic rise in the number of people using online stores to buy food and supplies during this outbreak, security researchers did not see a sudden spike in the number of hacked online stores that contain web skimming malware.
Web skimming, also known as e-skimming or Magecart attacks, is a type of security incident where hackers breach online stores to plant malicious code that steals a user's payment card details while the card data is entered in checkout forms. These types of attacks have become popular with criminal groups around 2017-2018.
ZDNet interviewed this week researchers from Malwarebytes, RiskIQ, and Sanguine Security, today's most active security firms in tracking web skimming infrastructure and hacked online store, in order to get their thoughts on how the sudden surge of users shopping online has impacted the web skimming scene, and will evolve in the future.
Web skimming attacks over the past few months
While data and opinions varied from company to company, two of the interviewed companies did not report any sudden spikes in activity.
Data gathered by Sanguine Security shows a slight decrease in the number of active skimmers (hacked online stores) during the recent COVID-19 outbreak period.
Jerome Segura, a threat intelligence analyst at Malwarebytes, told ZDNet that Malwarebytes also did not see a sudden increase in the number of hacked online stores and web skimming infrastructure during the month of March.
The only dissenting stats came from RiskIQ, the company that coined the term "Magecart attacks."
"So far in March, we've seen an uptick in our skimming detections of about 20% in comparison to February," Jordan Herman, threat researcher at RiskIQ, told ZDNet in an email.
However, all three said they expect the number of incidents to rise. Furthermore, because there are now more users shopping online, the number of users that had their card data stolen on hacked stores is also much larger than usual, and will most likely going to increase going forward.
This is already visible for Malwarebytes, the only of the three companies that also runs an antivirus solution.
While Sanguine Security and RiskIQ can only track hacked servers, Malwarebytes is in the unique position of detecting when a user visits a hacked store -- and alert the user via a popup.
Segura told ZDNet that while the number of hacked servers has remained the same in March, the number of web skimming-related prompts -- shown to users -- has increased.
"Not only do people shop online more right now, but folks who never did are starting to as well. This category of online shoppers is perhaps the biggest opportunity for criminals because of their lack of awareness of the risks involved," Segura said.
Current web skimming campaigns
As for the current web skimming scene, Sanguine Security and RiskIQ have an update.
"There are multiple [web skimming] groups active in this space, and they have distinct strategies," Willem de Groot, CEO and founder of Sanguine Security, told ZDNet.
"Some run fully automated campaigns to infect as many stores as possible. I don't think they will change their tactics because of COVID-19," de Groot added.
"However, more sophisticated actors run manual campaigns against targeted, larger stores. It makes no sense to spend weeks hacking into stores that have plummeted revenue (such as luxury products). I expect them to quickly shift to more profitable sectors, such as DIY, pet supplies, foodstuff."
Still, even if there are more sophisticated actors that target larger stores, RiskIQ says that most web skimming attacks will go after the online stores of small-to-medium businesses (SMBs), rather than the big brands.
"Every now and then we see a well-known brand affected by Magecart, but almost all of our skimming detections are on small or medium businesses' websites," Herman said. "They make easier targets because they have fewer IT resources than larger companies."
It's these smaller online stores where users need to be careful when shopping online. While eBay or Amazon can invest in securing their stores, the smaller niche shops are where hackers usually hackers plant web skimming code, and where users need to be careful.
Basic protection measures
Unfortunately, detecting the presence of malicious web skimming code on a website is a tough job that even security researchers are struggling with -- primarily due to the increased sophistication of the code involved.
"It is not possible for consumers to detect a store with skimming code," de Groot said. "But consumers are very much able to limit any potential damage."
"We recommend using a payment method that requires two-factor authentication or the use of 'disposable' or 'virtual' credit cards that can only be used a single time."
Herman also recommends that buyers use solutions like Apple Pay, PayPal, and other third-party payment providers, as users won't have to enter their card details on the vulnerable stores, hence, avoid having the data stolen.
Another option is to use an antivirus, according to Segura. Just like Malwarebytes, other antivirus software comes with support for detecting compromised online stores. The solution is not perfect, as recently hacked stores take some time to detect and add to a database of hacked sites, but an antivirus popup is better than nothing, and can help users with stores that fail to remove the malicious code in a timely manner.
All in all, web skimming attacks have been around for years, and users need to develop new habits when shopping online that adapt to this new threat, regardless of the current COVID-19 outbreak.
Article content and title updated as Malwarebytes and RiskIQ wanted to update and clarify initial statements.