FBI Warns the Public About E-Skimming

DETROIT - Any business accepting online payments on its website is at risk of an e-skimming attack. E-skimming is the process of cyber criminals introducing skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information (PII) such as your name, date of birth, account numbers, passwords, and location information. Once the information has been stolen, it is sent to a domain under the control of the criminal.

This threat has impacted e-commerce companies in the retail, entertainment, and travel industries as well as utility companies and third-party vendors. E-skimming also commonly targets third-party vendors such as those who provide online advertisements and web analytics. The cyber criminals are evolving their tactics and have also been seen using malicious code that targets user and administrative credentials in addition to customer payment information. The increasing sophistication of these fraudsters could expand the e-skimming threat to other types of businesses, including the health-care industry.

How does it work?

Skimming code is introduced to payment card processing websites by:

• Exploiting a vulnerability in the website’s e-commerce platform
• Gaining access to the victim’s network through a phishing email or a brute-force attack on administrative credentials
• Compromising third-party entities and supply chains by hiding skimming code in the JavaScript loaded by the third-party service onto the victim website
• Cross-site scripting that redirects customers to a malicious domain where JavaScript code captures their information from the checkout page

The malicious code captures credit card data as the end user enters it, in real time. The information is then sent to an Internet-connected server using a domain name controlled by the actor. Subsequently, the collected credit card information is either sold or used to make fraudulent purchases.
What are the Warning Signs?

• Complaints of fraudulent activity on several customers’ accounts after they made a purchase from the victim company
• Identifying a new domain not known to be registered by the victim company
• JavaScript code on the victim company’s web pages, or code added by authorized third-party vendors, has been edited
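The second warning sign, a domain the company never registered showing up in traffic from its own checkout page, is cheapest to catch in the browser, where the skimmer's beacon originates. If the site serves a Content-Security-Policy with a report endpoint, every attempt by page script to send data to a host outside the allowlist produces a violation report naming the destination. The script below is an added example, not part of the FBI announcement: it reads a constructed log of such reports (one JSON object per line, in the standard csp-report shape), drops directives that are only cosmetic noise, and lists every unknown host along with how often and from which pages it was contacted. All hostnames, the known-vendor list, and the sample reports are constructed for illustration.

```javascript
// Added example (not from the FBI announcement): triage of browser
// Content-Security-Policy violation reports to surface hosts that checkout
// pages are trying to contact but the company does not own.
//
// Assumed policy on the site (hypothetical), sent first as
// Content-Security-Policy-Report-Only during rollout, then enforced:
//   default-src 'self'; script-src 'self' https://analytics.vendor.example;
//   connect-src 'self'; img-src 'self' https://ads.vendor.example;
//   form-action 'self'; report-uri /csp-reports
// The collector behind /csp-reports is assumed to append one JSON report per line.

// Hosts the company knows it uses: its own plus authorized vendors (all hypothetical).
const KNOWN_HOSTS = new Set([
  "shop.example",              // first-party
  "analytics.vendor.example",  // authorized web-analytics vendor
  "ads.vendor.example",        // authorized advertising vendor
]);

// Directives whose violations mean code being pulled in or data leaving the page.
// img-src is included because a skimmer's classic exfil is an <img> beacon.
const EXFIL_DIRECTIVES = new Set([
  "script-src", "script-src-elem", "connect-src", "img-src", "form-action",
]);

// Constructed sample collector log. The second and fifth lines are the kind of
// report an exfiltrating skimmer produces; the third is an authorized vendor
// that simply needs its allowlist entry; the fourth is style noise; one line is junk.
const SAMPLE_REPORT_LOG = `
{"csp-report":{"document-uri":"https://shop.example/checkout","violated-directive":"img-src","effective-directive":"img-src","blocked-uri":"https://cdn-stats-collect.invalid/p.gif?d=eyJjYyI6Ij","original-policy":"default-src 'self'"}}
{"csp-report":{"document-uri":"https://shop.example/checkout","violated-directive":"connect-src","effective-directive":"connect-src","blocked-uri":"https://cdn-stats-collect.invalid/api","original-policy":"default-src 'self'"}}
{"csp-report":{"document-uri":"https://shop.example/product/42","violated-directive":"script-src","effective-directive":"script-src-elem","blocked-uri":"https://analytics.vendor.example/tag.js","original-policy":"default-src 'self'"}}
{"csp-report":{"document-uri":"https://shop.example/checkout","violated-directive":"style-src","effective-directive":"style-src-elem","blocked-uri":"inline","original-policy":"default-src 'self'"}}
not json at all
{"csp-report":{"document-uri":"https://shop.example/checkout","violated-directive":"connect-src","effective-directive":"connect-src","blocked-uri":"https://cdn-stats-collect.invalid/api","original-policy":"default-src 'self'"}}
`;

// Hostname of a blocked-uri, or null for the non-URL values browsers send
// ("inline", "eval", "data", or a missing field).
function hostOf(blockedUri) {
  try {
    return new URL(blockedUri).hostname;
  } catch {
    return null;
  }
}

// Returns one finding per unknown host: how many reports, which directives
// it tripped, which pages it was contacted from, and whether checkout is among them.
function triageCspReports(logText, knownHosts = KNOWN_HOSTS) {
  const byHost = new Map();
  for (const rawLine of logText.split("\n")) {
    const line = rawLine.trim();
    if (!line) continue;
    let report;
    try {
      report = JSON.parse(line)["csp-report"];
    } catch {
      continue; // malformed collector line: skip rather than abort the whole run
    }
    if (!report) continue;
    // Newer browsers fill effective-directive; fall back to violated-directive.
    const directive = (report["effective-directive"] || report["violated-directive"] || "").split(" ")[0];
    if (!EXFIL_DIRECTIVES.has(directive)) continue;
    const host = hostOf(report["blocked-uri"]);
    if (!host || knownHosts.has(host)) continue;
    const entry = byHost.get(host) || { count: 0, directives: new Set(), pages: new Set() };
    entry.count += 1;
    entry.directives.add(directive);
    entry.pages.add(report["document-uri"]);
    byHost.set(host, entry);
  }
  return [...byHost]
    .map(([host, e]) => ({
      host,
      count: e.count,
      directives: [...e.directives].sort(),
      pages: [...e.pages].sort(),
      touchesCheckout: [...e.pages].some((p) => /checkout/i.test(p)),
    }))
    .sort((a, b) => b.count - a.count);
}

console.log(JSON.stringify(triageCspReports(SAMPLE_REPORT_LOG), null, 2));
```

Run against the sample, the only finding is cdn-stats-collect.invalid, contacted three times from the checkout page via both an image beacon and a fetch, which is exactly the shape of the exfiltration the announcement describes; analytics.vendor.example is filtered out because it is on the known list. Two caveats: reports only exist for destinations the policy does not allow, so connect-src and img-src must be kept tight rather than wildcarded, and a skimmer injected into a first-party script is itself permitted by 'self'. CSP catches the data leaving, not the edit; pairing it with an integrity check on the scripts themselves covers the other half.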
How Can You Minimize the Risk?

Because it is difficult for consumers to identify a compromised website, the responsibility for protecting the public from the risks of e-skimming falls on the e-commerce companies. The FBI recommends taking the following precautionary measures to mitigate the threat of e-skimming attacks:

• Perform regular updates to payment software
• Install patches from payment platform vendors
• Implement code integrity checks
• Keep anti-virus software updated
• Ensure you are PCI DSS compliant
• Monitor and analyze web logs
What Can You Do If You Are a Victim?

• Identify the source of the skimming code to determine the access point: network, third party, or other
• Save a copy of the skimming script or the malicious loader domain to report to law enforcement
• Change pertinent credentials
• Contact law enforcement
• File a detailed complaint at www.ic3.gov and review additional resources under the “Press Room” link

If you believe you have been a victim of e-skimming or other cyber fraud activity, please contact the FBI’s Detroit Division at 313-965-2323 or report it to the Internet Crime Complaint Center (www.ic3.gov).