Magento Card Skimmers

It’s the holiday season, which means shopping is on the rise, and so are hacking attempts.  Malicious actors know to target e-commerce sites when their traffic is heaviest, and those attacks can be massively disruptive to your business and its reputation.  

One of the most common methods of attack is card skimming code.  What was once a hardware problem has become a tricky software problem in the last decade, and it shows no sign of slowing down.

Because these attacks pose a threat to your customers and can negatively impact your business, it’s required to be aware of how these attacks can happen and what you can do about them.

What is Digital Card Skimming

Card skimmers started out as physical devices that stole your card information when you went to use a payment device at a store or take money out at an ATM.  They varied in size and sophistication, but the overall goal was to steal your card information to either use directly, or to sell the card information to someone else online.  

With so much shopping having moved online, it was inevitable that e-commerce would become vulnerable to similar threats.  In place of pieces of hardware attached to ATM card slots, hackers have developed snippets of code in varying sizes to make it possible to steal card information directly or indirectly.  These pieces of code have multiple ways of getting into your site, and they have different vulnerabilities they can exploit.

Exploiting Different Sections of the Website

Card skimmers can range in size from a few lines of code to dozens, and they can appear in multiple different places on the website.  This also depends on how they steal information.  They can be activated as soon as someone starts the purchase process and steal data at every step, or they can focus on hijacking one step of the process to get specific details.  They can also show up in different sections of your code base, from database control classes to admin commands. 

Pretending to Be a Reliable Merchant

Card skimmers can pose as bits of code from reliable merchants whose code you want on your site for the function they provide.  For example, there are at least two instances of card skimmer code posing as a snippet of google analytics code, or as a fake facebook tracking pixel.  Both types of code were injected into site databases and used to steal customer data at some point in the shopping process.

Spoofing Site Pages

In one instance, attackers wrote code that would display a fake checkout page when customers attempted to complete their purchase.  This would directly transmit any personal details entered directly to the attackers domain. 

Creatively Concealing Stolen Information

In many instances, attackers use code that directly transmits stolen information to an outside source for them to continuously collect.  In some instances, however, they will have the data stored and then collected later.  To do this requires concealing that data, like one group did when they had stolen information stored as a jpg file, making it easy to overlook in security scans.  

As you can see, there are a number of ways these attackers can access data on your site.  When you consider that Magento alone has over 2 million lines of code, with extensions and modules on top of that, its not surprising that these attacks can find so many ways to hide.  

It’s important to understand that these attacks can be very sophisticated in how they function and how they avoid detection.  They can function by being very indirect in achieving their goal.  For example, rather than directly copying and transmitting card information, these code snippets can be used to gain admin access to the site, and then use that access to copy customer card information.  

When it comes to avoiding detection, attackers know of the most common ways to stall their attacks, and take steps to dodge them.  One way people often look for malicious code is to run a site in development mode so they can view all active pieces of code running on the site and search for pieces that are out of place.  In response, attackers can include programs that detect if the site is being run in development mode, and then deactivate their attack so that it doesn’t show up in your developer’s review.

How to Protect Yourself

It’s reasonable to wonder, given all these different angles of attack, and all the different directions it can come from, if is it even possible to reliably protect yourself against card skimming attacks?  

While it’s true that security requires constant diligence, and that no approach is perfect, there are steps you can take to secure your site in the short and long-term.

Follow Best Practices for Site Management

Does your code include structures and elements to prevent common attacks from succeeding?  Does your code include processes that validate data when it’s entered before passing it to the back-end?  Have you updated your platform and all of your plugins to the most recent versions?  These steps are just some of the ways you can best prevent code from being entered in the first place, or defusing its effect even if it does show up.

Regularly Review and Report

Here at Watermelon, we have a process called our Security and Performance Plan.  These reviews are intended to provide regular updates about site health to our clients, and ensure that we are regularly taking steps to address known vulnerabilities and proactively addressing potential issues.  Any healthy site should have a similar process in place to protect itself and its customers.

Using Reliable Third-Party Partners

From the extensions you download to expand site functionality to the hosting company you use, find third-party vendors that have solid security reputations.  Cheap web hosting companies may save money in the long-term, but those savings can evaporate at the sign of your first security breach where they provide little to no support.  Extensions that are not regularly maintained are ripe for exploit.

A Secure Site Requires Experienced Developers

Whoever works on your site, whether internal or an external team, they are going to be best positioned to identify and remedy any potential vulnerabilities.  They will know where the most likely angles of attack are, and how best to address them without disrupting the customer experience.  If you haven’t already, we recommend speaking with your developers ASAP to make sure you are aware of security on your site and taking steps to keep it up to date.

Here at Watermelon Web Works, we pride ourselves on making our clients’ security a top priority.  We work closely with our third-party vendors and regularly communicate with our clients to ensure that any disturbances, large or small, are detected quickly and addressed swiftly.  If you are interested in hearing more about how our team can provide some peace of mind around security for your site, we’d love to speak with you.

Work With Us

We've been building websites for over twenty years, and have learned a thing or two about how to make web projects go smoothly.