In February 2019, it was reported that data for 620 million accounts stolen from 16 hacked websites was being sold on the dark web. Last year we saw at least 1,000 websites running on the Magento platform targeted via brute-force attacks to steal payment card data and install crypto-mining software. This malware campaign was said to have hijacked 50 to 60 new online stores per day over a two-week period.
Are hackers shifting their focus to ecommerce sites in order to steal customer payment information? Research released last year by Thales eSecurity found that 50 percent of all medium and large online retailers it surveyed acknowledged they had been hacked. That figure was more than two and a half times higher than a year earlier. The 2019 Verizon Data Breach Investigation Report released last month revealed that web application-based payment card fraud is going to overtake non-web application fraud in the near future.
Why are we seeing an increase in ecommerce hacks? Symantec’s report shows that cyber criminals are starting to see a greater return from payment card data stolen online. In fact, this information can be worth more than double the average price for card-present data. A single card number with the CVV sells for up to $45, giving cyber criminals more incentive than ever to target ecommerce stores. With just a few simple lines of code inserted into a website, it is estimated that cyber criminals likely made at least tens of millions of dollars in 2018 from this type of attack.
Another big reason for the recent increase in ecommerce fraud is that EMV (chip-enabled) cards are now making it more difficult for hackers to steal card-present data. The same shift toward online fraud occurred in other countries that made the chip transition sooner, such as Australia, Canada, France, and the United Kingdom.
How are payment sites hacked? In a typical online intrusion, the attackers use vulnerabilities in content management systems, shopping cart software, or third-party hosted scripts to upload malicious code that steals customer payment details directly from the site before they can be encrypted and sent to the card processor. Many ecommerce businesses rely on vendors for hosting, data storage, point-of-sale maintenance, and payment processing. This does not remove all compliance and security responsibilities from your organization: it is very important that you vet and approve every service provider for compliance and security before agreeing to use its services, and that you monitor its compliance status on an ongoing basis.
Ecommerce retailers need to increase their defenses and continually monitor for suspicious activity. You can more effectively limit the aftermath of a data breach by proactively implementing multi-layered defenses and adhering to security standards. In the PCI world, depending on how you take payments and where (and by whom) the payment page is hosted, you will be eligible for either the SAQ A or the SAQ A-EP. Take a moment to review the security controls within these SAQs to see whether you are proactively protecting your customers’ information online. Keep in mind, too, that Version 4.0 of the DSS is slated to be released early next year, and many payment experts are projecting additional guidance and requirements for ecommerce merchants. Even if you are eligible for the SAQ A as a merchant, consider implementing some of the basic information security controls from the SAQ A-EP as a best practice.
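The attack described above (code injected into the checkout page, often through a third-party hosted script) is one that the SAQ A-EP style of monitoring can catch: compare the scripts a payment page actually serves against the set you reviewed and approved. The script below is an added example, not code from the original post or from any PCI document; the approved script list, the URLs and the checkout page it audits are all constructed for illustration. It parses a served page, flags scripts from unapproved origins, approved scripts served without a Subresource Integrity (SRI) attribute, SRI values that no longer match the reviewed bytes, and any inline script on a page that should contain none.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample data (not from the original post): the scripts the site has
# approved for its checkout page, keyed by URL, with the exact bytes that were
# reviewed.  A real deployment would keep these under version control.
APPROVED_SCRIPTS = {
    "https://cdn.payment-provider.example/checkout.js":
        b"/* hosted payment form, release 1.0 (constructed) */ window.psp = {};",
    "https://shop.example/static/cart.js":
        b"/* first-party cart logic (constructed) */ window.cart = {};",
}


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collects <script> tags: external ones with attributes, inline ones with their text."""

    def __init__(self):
        super().__init__()
        self.external = []      # dicts: {"src": url, "integrity": value or None}
        self.inline = []        # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def audit_payment_page(html: str, approved: dict) -> list:
    """Return (severity, message) findings for a served payment page, in page order."""
    parser = _ScriptCollector()
    parser.feed(html)
    expected = {url: sri_hash(body) for url, body in approved.items()}
    findings = []
    for s in parser.external:
        src, integrity = s["src"], s["integrity"]
        if src not in expected:
            findings.append(("high", f"unapproved script loaded: {src}"))
        elif integrity is None:
            findings.append(("medium", f"approved script served without SRI: {src}"))
        elif integrity != expected[src]:
            findings.append(("high", f"SRI mismatch, content changed since review: {src}"))
    for body in parser.inline:
        # A hosted-payment-form page has no legitimate need for inline script.
        findings.append(("high", f"inline script on payment page: {body[:40]!r}"))
    return findings


# Constructed checkout page as a monitoring job might fetch it: one approved script
# with a correct SRI value, one approved script missing it, one script from an
# unknown host, and an inline script added at the bottom of the body.
SAMPLE_CHECKOUT_HTML = f"""
<html><body>
<script src="https://cdn.payment-provider.example/checkout.js"
        integrity="{sri_hash(APPROVED_SCRIPTS['https://cdn.payment-provider.example/checkout.js'])}"
        crossorigin="anonymous"></script>
<script src="https://shop.example/static/cart.js"></script>
<script src="https://static.unknown-host.example/analytics.js"></script>
<form id="payment"><input name="pan"></form>
<script>document.getElementById('payment').addEventListener('submit', function(){{}});</script>
</body></html>
"""

if __name__ == "__main__":
    for severity, message in audit_payment_page(SAMPLE_CHECKOUT_HTML, APPROVED_SCRIPTS):
        print(f"[{severity}] {message}")
```

Run the module directly to see the three findings for the sample page. The same audit applies to any page that touches cardholder data; feeding it the output of a scheduled fetch, rather than a local file, turns it into the continuous monitoring the post calls for, and pairing the allowlist with a Content-Security-Policy `script-src` directive enforces the same list in the browser.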
Some additional guidance from the Offensive Security team:
[Sullivan]: Most computer-based attacks are motivated by financial gain, which puts e-commerce retailers and their payment providers in the cross-hairs. Even if you use a third-party vendor for the handling of customer payment information, a host of vulnerabilities and insertion points on your site could lead to incremental attacks that go largely unnoticed by your staff, or large-scale attacks that can cause severe financial and reputational damage to your organization. A full-scope web application penetration test can help to identify these issues and provide a real-world look at the impact to your organization.