Online skimming – 5,925 online stores affected

Security specialist Willem de Groot has recently released an update to his research on online skimming targeting e-commerce websites worldwide. In November 2015, when this new form of card fraud was discovered, the researcher scanned around 255,000 online stores worldwide and detected 3,501 affected websites. In September this year, the figure rose to 5,925 – meaning that online skimming attacks jumped 69% in ten months.

What is online skimming?

Online skimming is a fairly new technique for stealing credit card data from e-commerce websites. By exploiting unpatched vulnerabilities in online stores, cyber criminals install malicious JavaScript code that exfiltrates credit card numbers to an offshore server without customers or merchants noticing.

The fraud is getting professional

Whereas in 2015 all cases involved the same malware family – albeit with some minor variations to the base code – the security specialist has now found at least 9 varieties and 3 different malware families in his latest research, meaning that there is more than one group of cyber criminals behind the scam.

How to protect e-commerce stores from online skimming

The number one recommendation is to keep software up to date and patched against newly discovered vulnerabilities. This is more than a recommendation, though: it’s one of the requirements of the Payment Card Industry Data Security Standard (PCI DSS): “Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
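Patching closes the door the skimmers walk through, but a merchant also wants to know quickly if a script has been injected into a checkout page. The following is an added example, not code from the article or from Willem de Groot's research, of a simple integrity check that a store could run against its own rendered pages: every external script must come from an allow-listed host, and every inline script must match a hash recorded when the page was last reviewed. The page contents, the host names (`cdn.shop.example`, `cdn.not-ours.example`) and the allow-list are all constructed for the example.

```python
"""Integrity check for <script> elements on a checkout page.

Added example (not from the original article or from the cited research).
Assumptions: the merchant records a baseline of its own page, allow-lists the
hosts it legitimately loads scripts from, and re-runs this check on the live
page (e.g. after each deployment and on a schedule). Any script not covered by
the baseline is reported as a finding for investigation.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="" attributes
        self.inline = []        # bodies of inline <script> elements
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; buffer them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inline_hashes(html):
    """Baseline: the set of hashes of all inline scripts on a reviewed page."""
    return {sha256(body.strip()) for body in collect_scripts(html).inline}


def audit_page(html, allowed_hosts, known_inline_hashes):
    """Return a list of (finding_type, detail) tuples; empty means no deviation."""
    scripts = collect_scripts(html)
    findings = []
    for src in scripts.external:
        host = urlparse(src).netloc
        # A relative src (no host) is same-origin and covered by the deployment
        # itself; any other host must be on the allow-list.
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in scripts.inline:
        digest = sha256(body.strip())
        if digest not in known_inline_hashes:
            findings.append(("unknown-inline-script", digest))
    return findings


# Constructed sample pages (hosts and contents invented for this example).
ALLOWED_HOSTS = {"cdn.shop.example"}
BASELINE_PAGE = """<html><head>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="/js/checkout.js"></script>
<script>window.shop = {currency: "GBP"};</script>
</head><body><form id="payment"></form></body></html>"""
BASELINE_HASHES = inline_hashes(BASELINE_PAGE)

# The same page with two additions a reviewer never approved.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script src="//cdn.not-ours.example/loader.js"></script>\n'
    "<script>var t = 1;</script>\n</head>",
)

if __name__ == "__main__":
    for name, page in (("baseline", BASELINE_PAGE), ("tampered", TAMPERED_PAGE)):
        for kind, detail in audit_page(page, ALLOWED_HOSTS, BASELINE_HASHES):
            print(f"{name}: {kind}: {detail}")
```

Running the block prints nothing for the baseline page and two findings for the tampered one: the script loaded from the unlisted host and the inline script whose hash is not in the baseline. The check is deliberately strict: a legitimate change to an inline script also trips it, which is the point of a change-detection control, and the baseline is refreshed as part of the review of that change.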

Meet all the requirements of the PCI DSS

Stay ahead of cyber criminals with accurate and comprehensive vulnerability scanning and penetration testing services from IT Governance. As an approved QSA company, IT Governance meets a number of rigorous business and technical requirements as specified by the PCI SSC, and is able to help companies meet the requirements of the Standard.

Contact us on servicecentre@itgovernance.co.uk or call +44 (0)845 070 1750 for a consultation.