E-skimming attacks happen following a simple pattern: (1) hackers gain access to a company's online store; (2) hackers hide malicious code on the company's website; (3) the code collects payment card information from users while they're making purchases on the infected site.
These types of attacks have been happening since 2016, but they've intensified during the last two years, in 2018 and 2019, and have become a problem that end-users, companies, and government agencies can no longer ignore.
Initially, these attacks were carried out by exploiting vulnerabilities in open-source e-shopping platforms, with Magento being the favorite target.
However, over the past two years, hackers have greatly diversified their attack methodology, and any online store is now susceptible to attacks, regardless of whether it runs on top of an open-source platform like Magento or a cloud-hosted service.
Among the exploitation scenarios that have been observed, and which led to an e-skimming incident, we list:
Hacking a third-party company that provides widgets that load on online stores (tech support widgets, EU cookie compliance, etc.). In this scenario, the malicious code is loaded via the hacked third-party service.
From a user perspective, there's not that much that they can do to detect or prevent an e-skimming attack.
One solution is to use an antivirus product, but not all are kept up-to-date with the latest lists of domains that hackers are using for their attacks. Antivirus products may be able to detect a one-day-old compromised site, but they're not able to detect recently hacked sites, so there's always a small window of time during which users can have their data stolen, even if they use antivirus products.
Another solution is for end-users to sign up for a "virtual card" service. These are online payment solutions where users get a one-time payment card number they can use for one transaction only.
Even if the card number is used on a compromised site, once the transaction is completed, the card number expires, and hackers won't be able to use it afterward. The downside is that "virtual card" services aren't always available in all countries around the globe, and not all users will be able to get one.
For the time being, e-skimming attacks will remain one of today's top threats, with no single silver bullet solution to either detect or stop these attacks.
As the FBI and DHS CISA suggest, the easier way to prevent this is to block hackers from gaining access to sites in the first place, rather than dealing with detecting ongoing attacks.