It may have had a negative impact on the UK economy, but COVID-19 doesn’t appear to have dampened enthusiasm for Christmas shopping. More than 70 percent of consumers intend to spend at least as much on presents this year as they have in the past. But, while this may be good news for embattled retailers, it’s even better news for opportunistic cybercriminals. With lockdown measures forcing consumers online, ecommerce has never been so popular – online spending on Black Friday was up 22 percent on last year. So, this could well be the best Christmas ever for the criminally minded.
Web skimming, in particular, is on the rise. The practice, which involves attacking ecommerce platforms to steal customers’ payment details, rose by 26 percent during the first lockdown in March. With most of the country in Tier Two and Three lockdown measures during December, it’s likely we’ll see its use rise again. It’s vital, then, that retailers do what they can to prevent such attacks and protect their profits – and their reputations – in these challenging times.
Occurring at a retail site’s checkout stage, web skimming gives criminals access to a customer’s credit card details, as well as their name, address, email, and often, their date of birth. Once lifted, this hugely valuable data is generally sold on the dark web, where it can fuel further attacks and – potentially – financial losses.
A targeted web skimming attack was carried out against household brand Tupperware and its associated websites earlier this year. The official Tupperware.com site – which enjoys an average of around one million monthly visits – was compromised in March when malicious code, hidden within an image file, activated a fraudulent payment form during the checkout process from which criminals were able to collect the credit card data of unwitting customers.
As soon as it was alerted to the compromise, Tupperware identified and removed the malicious code. However, given the brand’s high profile and the high traffic to its website, Tupperware was unfortunately too late to prevent many of its customers’ credit card details from being “skimmed”.
Remediating the issue
Tupperware reacted as quickly as it could. Unfortunately, even when acting fast, identifying web skimming can be challenging. Unlike with other types of cyber theft, there are often few, if any, visible signs that the malicious code has been injected into a website.
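Because nothing looks different to the shopper, one check a retailer can automate is an inventory of what the checkout page loads and where its forms post. The sketch below is an added example, not code from the original article: it parses served checkout HTML and flags any script, iframe, image or form that points at a host outside an allowlist. The host names, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this hypothetical shop expects on its checkout page.
ALLOWED_HOSTS = {"shop.example", "payments.example"}

# Attribute that carries the remote origin for each tag we audit.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}


class CheckoutAuditor(HTMLParser):
    """Collects (tag, url) for resources that load from or post to unlisted hosts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return  # tag not audited, inline script, or form posting to itself
        parsed = urlparse(url.strip())
        # Relative URLs resolve against the page's own host.
        host = parsed.hostname or self.page_host
        if parsed.scheme not in ("", "http", "https") or host not in ALLOWED_HOSTS:
            self.findings.append((tag, url))


def audit_checkout(html, page_host="shop.example"):
    """Return every audited element whose origin is not on the allowlist."""
    auditor = CheckoutAuditor(page_host)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: one unexpected iframe and one unexpected image host.
SAMPLE = """
<html><body>
<script src="/static/cart.js"></script>
<iframe src="https://payments.example/form"></iframe>
<iframe src="https://cdn-pay.invalid/form.html"></iframe>
<img src="https://static.invalid/faq.png">
<form action="/checkout/submit" method="post"></form>
</body></html>
"""
```

This only sees what is in the served HTML; elements injected at runtime need the same comparison run against a DOM snapshot taken from a headless browser.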
Regardless, remediating the issue and ensuring the safety of their customers’ data requires retailers to remove the malicious code from the compromised site the moment it’s identified. They must work with IT and security partners to review logs in order to find the point of entry and, consequently, reveal just how long the criminals had access to the site.
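The "how long" part of that log review can be worked through in code. The following is an added example, not from the original article: it takes file-integrity records for the checkout script, finds the span during which the file differed from its known-good digest, and lists the successful checkout submissions that fell inside that span. All log records, paths and digests are constructed placeholders.

```python
from datetime import datetime

# Assumption: digest of the checkout script as last released (placeholder value).
KNOWN_GOOD = "known-good-digest-placeholder"

# Constructed file-integrity records: (timestamp, path, digest at that time).
INTEGRITY_LOG = [
    ("2021-01-04T09:00:00", "/static/checkout.js", KNOWN_GOOD),
    ("2021-01-09T02:14:00", "/static/checkout.js", "unknown-digest-placeholder"),
    ("2021-01-10T02:14:00", "/static/checkout.js", "unknown-digest-placeholder"),
    ("2021-01-12T16:30:00", "/static/checkout.js", KNOWN_GOOD),
]

# Constructed access-log extract: (timestamp, method, path, status).
ACCESS_LOG = [
    ("2021-01-08T11:02:10", "POST", "/checkout/submit", 200),
    ("2021-01-09T08:45:31", "POST", "/checkout/submit", 200),
    ("2021-01-10T19:20:05", "POST", "/checkout/submit", 200),
    ("2021-01-11T07:01:44", "GET", "/checkout", 200),
    ("2021-01-12T16:29:59", "POST", "/checkout/submit", 500),
    ("2021-01-13T10:15:00", "POST", "/checkout/submit", 200),
]


def exposure_windows(records, path, known_good):
    """Return (start, end) spans during which `path` differed from known_good.
    `end` is None when the file has not yet returned to the known-good digest."""
    windows, start = [], None
    for ts, p, digest in sorted(records):
        if p != path:
            continue
        when = datetime.fromisoformat(ts)
        if digest != known_good and start is None:
            start = when  # first observation of the altered file
        elif digest == known_good and start is not None:
            windows.append((start, when))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def orders_at_risk(access, windows, submit_path="/checkout/submit"):
    """Successful checkout submissions that fell inside an exposure window."""
    hits = []
    for ts, method, path, status in access:
        when = datetime.fromisoformat(ts)
        if method == "POST" and path == submit_path and status == 200:
            if any(s <= when and (e is None or when < e) for s, e in windows):
                hits.append(ts)
    return hits
```

The window starts at the first altered observation; the change itself happened at some point after the last known-good record, so treat that start as the latest possible bound and widen the customer notification range accordingly.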
The threat is considered so serious that the British Retail Consortium (BRC) recently published official guidance to help its members avoid falling victim to such attacks. Developed in conjunction with the National Cyber Security Centre (NCSC), the “Cyber Resilience Toolkit for Retail” highlights the range of threats faced by the retail sector, outlining the protective measures retailers need to implement, and recommending actions on how to prevent, mitigate, and recover from any breaches that might occur.
According to its technical director, Ian Levy, the NCSC wants to “keep shoppers’ data, identity and privacy safe, and to ensure that the retail sector is well equipped to face the cyber challenges associated with an ever-more digital world.”
In all honesty, there’s no way to entirely prevent web skimming. There are, however, steps retailers can put in place to minimise the risk of such attacks occurring.
More than anything, it’s important to tighten day-to-day security measures. Retailers should work with IT and security partners, applying patches where needed to ensure any potential vulnerabilities are closed. Stricter access control requirements should be implemented on a site’s backend. Updating passwords and adding two-factor authentication, for example, will help protect a site and its users’ information.
Outsourcing the handling of financial transactions to a larger, trusted third party will also help reduce the stress and time wasted on managing security risks. While it can be more expensive than running things in-house, the assurance that customers’ financial information is in safe hands far outweighs the cost of a potential data breach.
Finally, guaranteeing a site’s legitimacy will go a long way to offering customers peace of mind. Spelling and grammatical errors are often a giveaway for online scams. If a retailer ensures all its web copy is free from such mistakes, its customers are more likely to view its site as credible and, therefore, safe to use.
For online retailers and their customers, this is set to be a Christmas like no other. But the same is true for bad actors, too. It’s never been more important to pay attention to the safety of customers’ payment information. With measures in place to prevent and mitigate web skimming and other attacks, retailers can help cancel Christmas for cybercriminals.
By Chris Boyd, Lead Malware Intelligence Analyst at Malwarebytes