
 
 


 

FBI Warns the Public About E-Skimming

DETROIT - Any business accepting online payments on their website is at risk of an e-skimming attack. E-skimming is the process of cyber criminals introducing skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information (PII) such as your name, date of birth, account numbers, passwords, and location information. Once the information has been stolen, it is sent to a domain under the control of the criminal.

This threat has impacted e-commerce companies in the retail, entertainment, and travel industries as well as utility companies and third-party vendors. E-skimming also commonly targets third-party vendors such as those who provide online advertisements and web analytics. The cyber criminals are evolving their tactics and have also been seen using malicious code that targets user and administrative credentials in addition to customer payment information. The increasing sophistication of these fraudsters could expand the e-skimming threat to other types of businesses, including the health-care industry.

How does it work?

Skimming code is introduced to payment card processing websites by:

• Exploiting a vulnerability in the website’s e-commerce platform

• Gaining access to the victim’s network through a phishing email or brute force attack of administrative credentials

• Compromising third-party entities and supply chains by hiding skimming code in the JavaScript loaded by the third-party service onto the victim website

• Cross-site scripting, which redirects customers to a malicious domain where JavaScript code captures their information from the checkout page

The malicious code captures credit card data as the end user enters it in real time. The information is then sent to an Internet-connected server using a domain name controlled by the actor. Subsequently, the collected credit card information is either sold or used to make fraudulent purchases.

What are the Warning Signs?

• Complaints of fraudulent activity on several customers’ accounts after making a purchase from the victim company

• Identifying a new domain not known to be registered by the victim company

• JavaScript code on victim company webpages, or code added by authorized third-party vendors, has been edited

How Can You Minimize the Risk?

Because it is difficult for consumers to identify a compromised website, the responsibility for protecting the public from the risks of e-skimming falls on the e-commerce companies. The FBI recommends taking the following precautionary measures to mitigate the threat of e-skimming attacks:

• Perform regular updates to payment software

• Install patches from payment platform vendors

• Implement code integrity checks

• Keep anti-virus software updated

• Ensure you are PCI DSS compliant

• Monitor and analyze web logs
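
One way to carry out the code integrity check, tied to the warning signs above (an unrecognized domain, edited JavaScript). This is an added example, not code from the FBI or this site; the function names, hostnames and script bodies are constructed for illustration, and script contents are passed in so the check runs offline.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def sri_sha384(body: bytes) -> str:
    """Digest in the format used by Subresource Integrity attributes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_page(page_url, html, fetched, baseline):
    """Return (url, finding) pairs for scripts that differ from the baseline.
    fetched:  {script_url: bytes} as served now
    baseline: {script_url: SRI digest} recorded from a known-good release"""
    collector = ScriptCollector()
    collector.feed(html)
    known_hosts = {urlparse(u).hostname for u in baseline}
    findings = []
    for src in collector.sources:
        url = urljoin(page_url, src)  # resolve relative paths against the page
        if urlparse(url).hostname not in known_hosts:
            findings.append((url, "unknown-domain"))
        elif url not in baseline:
            findings.append((url, "unlisted-script"))
        elif sri_sha384(fetched.get(url, b"")) != baseline[url]:
            findings.append((url, "content-changed"))
    return findings

# Constructed sample data: hostnames and script bodies are made up.
PAGE_URL = "https://shop.example/checkout"
GOOD = {"https://shop.example/js/pay.js": b"submitPayment(form);",
        "https://analytics.example/tag.js": b"track('checkout');"}
BASELINE = {url: sri_sha384(body) for url, body in GOOD.items()}
HTML = ('<script src="/js/pay.js"></script>'
        '<script src="https://analytics.example/tag.js"></script>'
        '<script src="https://cdn-metrics.example/c.js"></script>')
SERVED = dict(GOOD)
SERVED["https://analytics.example/tag.js"] = b"track('checkout');/* edited */"
```

Running `audit_page(PAGE_URL, HTML, SERVED, BASELINE)` on the sample flags the edited analytics script and the script loaded from a host that is not in the baseline.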

What Can You Do If You Are a Victim?

• Identify source of skimming code to determine access point – network, third party, or other

• Save a copy of skimming script or malicious loader domain to report to law enforcement

• Change pertinent credentials

• Contact law enforcement

• File a detailed complaint at www.ic3.gov and review additional resources under the “Press Room” link

If you believe you have been a victim of e-skimming or other cyber fraud activity, please contact the FBI’s Detroit Division at 313-965-2323 or report it to the Internet Crime Complaint Center (www.ic3.gov).






 

 

 

   
 
 

All Rights Reserved   2003-2018 Tell Us USA
Site Powered By Tell Us Worldwide Media Company - Detroit, Michigan. USA

 
