Press Release

Two Leading Cybersecurity Organizations Issue Joint Bulletin on Threat of Online Skimming to Payment Security

PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC Join Forces to Highlight Growing Threat

Washington, D.C., August 1, 2019 – Today the PCI Security Standards Council and the Retail & Hospitality ISAC issued a joint bulletin to highlight an emerging threat that requires urgent awareness and attention.  The full bulletin can be viewed here.

What is the threat?

A growing threat that all merchants and service providers should be aware of is Web-based or Online Skimming.  These attacks infect e-commerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers and are very difficult to detect. Once a website is infected, payment card information is “skimmed” during a transaction without the merchant or consumer being aware that the information has been compromised.

A term sometimes used in the press for this threat is Magecart.  Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.

How do these attacks work?

These threat actors use various methods, which include exploiting vulnerable plugins, brute force login attempts (credential stuffing), phishing and other social engineering techniques, all in an attempt to gain access and inject malicious code.  These attacks are either directly into e-commerce websites or often into a third-party’s software libraries that merchants rely upon.  These service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.

Examples of these attacks to third-party applications and services include advertising scripts, live chat functions, and customer rating features. Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites. Because these third-party functions are typically used by multiple e-commerce sites, the compromise of one of these functions can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript.

The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details including, billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.

Who is most at risk?

Any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. Attacks target e-commerce websites, third-party service providers, and companies providing applications used on websites. Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets, and exploiting vulnerabilities in unpatched website software.

Additionally, the threat is persistent.  One in five Magecart-infected stores are re-infected within days, according to a report by security researcher Willem de Groot1. For that reason, it is crucial that affected systems be cleaned and that underlying vulnerabilities be patched or mitigated. If an underlying vulnerability is not addressed, or if some of the attacker’s code remains on the system, it could lead to reinfection.

What are some DETECTION best practices?

  • Use of vulnerability security assessment tools to test web applications for vulnerabilities
  • Use of file-integrity monitoring or change-detection software
  • Performing internal and external network vulnerability scans
  • Performing period penetration testing to identify security weaknesses

What are some PREVENTION best practices?

  • Implement malware protection and keep up to date
  • Apply security patches for all software
  • Restrict access to only what is absolutely needed and deny all other access by default
  • Use strong authentication for all access to system components

On-the record quotes from Troy Leach, Chief Technology Officer, PCI Security Standards Council:

“We have heard from many of our stakeholders in the payment community that these types of attacks are a growing trend for many businesses, large and small.” said Troy Leach, Chief technology Officer (CTO) of the PCI Security Standards Council.  “We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the retail and hospitality sector who battle these threats daily.”

“There are ways to prevent these difficult-to-detect attacks however,” said Leach.  “A defense-in-depth approach with ongoing commitment to security, especially by third-party partners, will help guard against becoming a victim of this threat.”

“Following PCI SSC standards and guidance such as regular review of software and closely monitoring changes in the environment, can help defend against these attacks.”

“Now more than ever, organizations need to make cybersecurity an everyday priority,” “These attacks can hit a business both large and small.  Everyone needs to understand they are a target and they need to have a plan to protect their data.”

On-the-record quotes from Carlos Kizzee, Vice President, Intelligence, Retail and Hospitality ISAC

“These attack techniques are of increasing significance to the retail and hospitality industry,”

“It is important that businesses grow in their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them.”

“We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”

“The bulletin we are jointly issuing today should be a call to action to those in the business community to enhance their awareness of and vigilance against these techniques.  No one should presume that they couldn’t or won’t be used to target their enterprise.”

###

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.

About the Retail and Hospitality Information Security and Analysis Center

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) operates as the trusted community for sharing sector-specific cyber security information and intelligence. The RH-ISAC connects information security teams at the strategic, operational and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for the retail and hospitality industries through collaboration. RH-ISAC currently serves retail, hotels, restaurants, gaming and other consumer-facing entities. To learn more, visit www.rhisac.org and follow on Twitter: @RH_ISAC and LinkedIn


  1 Catalin Cimpanu, one in five Magecart-infected stores get reinfected within days, November 15, 2018 — 06:30 GMT, https://www.zdnet.com/article/one-in-five-magecart-infected-stores-get-reinfected-within-days/