How to Defend Against E-Skimming Cyber Attacks


As one of the ubiquitous car commercials says during the holiday season, “Make it a December to remember.” This year, however, won’t be as memorable for buying your spouse that Lexus or Mercedes they always wanted, but more for how we all are buying holiday gifts this year.

The usual end-of-year gift purchases have been moving online and away from brick-and-mortar stores for years. This year will see the largest increase yet, as people are forced to stay home and avoid crowded malls and department stores.

It’s estimated that online sales figures will hit almost $190 billion in the last two months of this year which marks a remarkable, if not quite unexpected, increase of 33% over 2019.

Today, instead of bundling up and fighting for parking spots and the best deals, we’ll stay cozy and curled up on our couches. That way, we’ll let our fingers do the legwork finding the perfect gifts at the most promising prices.

Obviously, with the explosive advancements that have taken place in wireless technology, there is no longer the need to visit the old-fashioned brick and mortar stores anymore.

Within minutes, we can visit an online store and pick out products we want. A few clicks of the mouse later, we make our payment and select how it will reach the recipient with the guidance of IT services.

Best of all, with any web-enabled device, we can do our online shopping from anywhere and at any time we want. While all of this may sound great, this is also the season for the Cyberattacker to come out and launch various threat vectors in an attempt to steal your credit card information and other forms of Personally Identifiable Information (PII) without you even knowing about it, until it is too late.

One such attack is known as “E-Skimming”.

How E-Skimming Works

E-Skimming typically preys upon the online stores of merchants. When we visit an online store, we always assume that the site is safe to visit, and that precautions have been taken to protect not only our identity but our financial information as well. But this is far from reality.

This threat variant is very covert and is also very difficult to spot at first glance.

In an E-Skimming attack, the Cyberattacker plants a piece of malicious code which is technically known as the “Skimming Code”. It is very often deployed at the last stage of the online shopping process, which is the checkout stage.

This is where we enter our credit card information or other kinds of banking data in order to pay for the products that we intend to purchase. By making use of this specialized code, the Cyberattacker can very easily capture all of this data and use it for their own financial gain.

Or, they could even sell this data on the Dark Web, where another Cyberattacker could buy it and make fraudulent purchases on a massive scale. There are a number of ways that the Skimming Code can be installed, which include the following:

  • Taking advantage of an unknown weakness or vulnerability in the E-Commerce platform that is being used by the merchant.
  • Gaining access to the network that is used by the victim by sending out a Phishing Email in which they are tricked into clicking a malicious link or downloading a file which contains malware (in this case, it would more than likely be a Key-Logging software application).
  • Attaching this code to the JavaScript that is being used by the online store.
  • Launching a Cross Site Scripting (XSS) Attack in which the victim is tricked and redirected to a phony, but very authentic-looking, payment processing site where the malicious JavaScript has been installed.
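One defensive control a merchant can apply against the last two methods above (malicious code attached to the store's JavaScript, or loaded from an attacker-controlled site) is to keep an inventory of exactly which scripts the checkout page is allowed to load. The following is an added example, not code from the article or from Be Structured: it audits a page's script tags against a constructed allowlist and flags scripts that lack a Subresource Integrity hash; the hostnames, allowlist and sample HTML are all assumptions.

```python
# Added example (not from the article): audit a checkout page's <script> tags
# against a known-good allowlist. Allowlist, hostnames and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the only origins the hypothetical merchant expects to serve
# JavaScript on its checkout page. A relative src counts as first-party.
FIRST_PARTY_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY_HOST, "cdn.shop.example", "js.payments.example"}


class ScriptAuditor(HTMLParser):
    """Record every <script> element that deserves a reviewer's attention."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (script src or "<inline>", reason)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names
        src = a.get("src")
        if src is None:
            # Inline scripts cannot be pinned with Subresource Integrity,
            # so each one is listed for manual review.
            self.findings.append(("<inline>", "inline script on checkout page"))
            return
        host = urlparse(src).hostname or FIRST_PARTY_HOST
        if host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append((src, f"script host {host!r} is not on the allowlist"))
        elif "integrity" not in a:
            # Allowed origin, but a swapped file would still load unnoticed.
            self.findings.append((src, "allowed host but no integrity (SRI) attribute"))


def audit_checkout_html(html: str) -> list:
    auditor = ScriptAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample checkout page; the integrity value is a placeholder.
SAMPLE_CHECKOUT_HTML = """<html><body>
<form id="checkout"><input name="cardnumber"></form>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/analytics.js"></script>
<script src="https://cdn.unrelated-host.example/tag.js"></script>
</body></html>"""
```

Run against the sample page, the audit reports the first-party analytics script (no integrity hash) and the script from an unlisted host, while the pinned checkout script passes; in practice the same check is run on every deploy so that a newly appearing script stands out immediately.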

E-Skimming is also known more specifically as “Magecart Attacks”; this term refers to the consortium of Cyberattackers that carry out and launch this kind of threat vector exclusively. There are 7 known groups involved, and it’s important to understand ways to make your online shopping experience safe – especially during the holidays, but every day as well.

How To Avoid Being A Victim

In the end, anybody is prone to becoming a victim of an E-Skimming Attack.

“Despite all the preventative measures that an online merchant and their managed service provider take to protect their customers, there is still no guarantee that this will not happen,” admits Chad Lauterbach, CEO of Los Angeles-based IT support company Be Structured. “But there are a number of steps that you can take to help mitigate the risks of this happening to you.”

Here are a few ways to protect yourself:

  • Always check your credit card and banking activity on a daily basis. Don’t just wait for the paper statement; set up an online account so that you can view all activity at least 2-3 times a day. This may sound a little excessive at first, but the sooner you catch any sort of fraudulent activity, the better off you will be. Most transactions are recorded on these portals in real time as they occur.
  • When making an online purchase, never use a debit card. If the information on it has been hijacked and compromised, you are responsible for the entire financial loss. But if you use a credit card instead, your losses are limited to only $50.00, as stipulated by federal law.
  • Try not to enter your credit card or other banking information too frequently. Shop only at the most reputable online stores, and at those that also give you the option to store your financial details in a safe and secure manner.
  • If possible, make use of a mobile wallet, primarily ApplePay. With these kinds of applications, your credit card information is stored securely and never has to be entered again as you make payments online. The caveat is that the online store must support this kind of payment mechanism.
  • Never click on any sort of pop-up ad that suddenly appears in your web browser. More than likely, this is another vehicle being used to deploy the malicious E-Skimming Code.
  • If you are using your Smartphone for your online shopping, make sure you can use Multi Factor Authentication (MFA) on it. This is where you are required to present more than one type of credential in order to confirm your identity.
  • Always use strong passwords that are difficult to guess. Seriously consider using what is known as a “Password Manager” such as LastPass. These are software applications that enable you to create long and complex passwords and store them for you in a secure repository, so you do not have to remember them. Best of all, your passwords can be reset automatically, without any intervention needed on your part.
  • Consider freezing your credit with the three major reporting bureaus (Equifax, Experian and TransUnion) to prevent any new accounts from being opened with your PII, just in case you do become a victim of Identity Theft.

“The bottom line is be smart and safe when you buy online,” asserts Lauterbach, the founder of a leading Los Angeles IT support company. Look for websites that use the URL prefix https:// instead of those that only show http://. That “s” signifies that the connection to the website is “secure” (encrypted), which provides greater assurance that your data will be safe in transit.

Especially during the holiday months, when buyers are most susceptible to letting their guard down, it’s important not to be taken in by unexpected emails or random pop-ups. Do some research and shop only at sites that have the stronger IT support infrastructure to assure a safe and secure experience.

By all means take the stress out of the holidays, but keep a close, vigilant eye on your online credit card statements to confirm that every purchase they show is one you really made.

About Chad Lauterbach

CEO at Be Structured Technology Group, Inc., a Los Angeles-based provider of Managed IT Services for small business. I desire to help small businesses better utilize technology by assisting in high-level planning to make sure that new systems will benefit them both operationally and financially. I am careful to implement and support systems using industry best practices.