Key Insights
Web skimming attacks are rising rapidly, silently stealing sensitive payment information from customers. These attacks often go undetected for long periods, putting both consumer trust and business reputation at serious risk.
Who should read this?
- Individual users – Consumers who regularly shop from online websites.
- Organizations – E-commerce businesses that store customer payment information.
What is web skimming?
Web skimming happens when cyber criminals sneak harmful code into a website, usually on checkout or payment pages. This code secretly collects information such as credit card numbers and sends it to the attackers, often without the website owner or the customer knowing. This stolen data is then used for fraud or sold online.
For example:
- Casio UK: Casio’s UK website was recently attacked. Malicious code was embedded to steal credit card information from buyers.
- Magento stores: Many online stores built on Magento have been targeted because the software is sometimes outdated or has security weaknesses.
Why does this happen?
- Weak third-party tools: Websites often rely on external services for payments or tracking. If these services aren’t secure, hackers can exploit such weaknesses to steal customer data.
- Outdated software: If a website’s software or plugins aren’t updated, they may have weaknesses that hackers can exploit to add malicious code.
- Lack of website security: Some websites don’t have the latest security defenses in place, making it easier for attackers to sneak in.
What’s the risk to your business?
- Financial data theft: The biggest risk is that attackers steal people’s credit card information, which they can use to make fraudulent purchases or sell online.
- Damage to reputation: If customers find out their information was stolen from a website, they may lose trust in the business, which can hurt its reputation and sales.
- Legal and financial consequences: Businesses can face lawsuits or fines if they fail to protect customer data properly. Some regions have strict rules about how to safeguard information, and not following them can lead to serious penalties.
How to stay safe?
For online shoppers
- Don’t save payment details on websites – Avoid saving your payment information on websites, even if they offer the option to do so. By not saving your details, you reduce the risk of your sensitive information being exposed if the site is compromised by a web skimming attack or other security breaches.
- Be cautious of browser autofill – While convenient, autofill settings can expose your payment details to malicious scripts. Turn off autofill for payment fields to avoid accidental data leaks.
- Clear browser cookies – Periodically clear cookies and cache from your browser to reduce tracking by third-party scripts. While it’s not a complete solution, it can lower the chances of skimming scripts targeting you.
For e-commerce business owners
- Focus on data minimization – Limit the data you collect and store from customers. The less sensitive data you have, the less there is to steal. This helps reduce the scope of any potential breach.
- Limit what third parties can see – Be mindful of how much customer data you share with other companies (like payment processors or marketing platforms). Only share what’s necessary for the service and consider anonymizing data where possible. By limiting access, you reduce the chances of exposing sensitive information to vulnerabilities in third-party services, which could be exploited by attackers through malicious code or web skimming.
- Periodically check your website for weaknesses – Even if it feels like your site is secure, it’s worth reviewing now and then. Things can slip through the cracks, and a quick check can stop small issues from becoming big.