Instead of compromising individual accounts, hackers have changed tack and now go after the mother lode, installing card skimmers on online web stores. 

Key Takeaways

  • Attackers recently managed to install digital card skimmers on over 500 websites.The onus for protection lies with website owners.Security experts suggest various means that users can employ to protect themselves.

On February 8, 2022, security researchers shared details about a mass breach into more than 500 online stores running the Magento ecommerce platform. The attackers loaded a payment card skimmer on all the stores, in what is known as a magecart attack. Although the fix lies with the online stores, the targets are the end-users who experts believe should also be more vigilant when transacting online.

“[This] recent attack should be a stark reminder to all online patrons [that] they have a duty to protect themselves in addition to what you expect from your online store provider,” Ron Bradley, VP of Shared Assessments, told Lifewire over email.

Digital Skimming

Gustavo Palazolo, Staff Threat Research Engineer at Netskope, told Lifewire over email that Magento is one of the popular ecommerce platforms that’s targeted by attackers since many stores run outdated instances of the software, while others use third-party plugins that sometimes contain unpatched security flaws that allow attackers to implant digital skimmers. 

He said while it isn’t simple to verify if the website you’re shopping on has been the target of a magecart campaign, there are a few measures users can follow to reinforce their online security.

Palazolo recommended using browser extensions to block unknown scripts, such as NoScript for Firefox. He also advocated using antivirus solutions that provide browser extensions since they can scan the visited website and block malicious scripts.

He added that Adobe no longer supports Magento v1, but due to its popularity, there are several community-provided security patches to help secure this version. However, he suggests users avoid transacting on websites powered by this unsupported platform. 

To verify if the website you are shopping is running the latest Magento v2, Palazolo pointed to the Wappalyzer for Chrome and Firefox, which can detect the technology behind a web page.

“If installing a browser extension is not an option, online tools can be a good choice to verify details about Magento, such as MageReport, which can show you not only the version but also information about security vulnerabilities found in the website you are about to shop,” Palazolo advised.

Be Your Own Firewall

Bradley said online shoppers don’t have to be cybersecurity experts to protect themselves but must have a defense-in-depth mentality to avoid becoming victims. 

“Cybersecurity is like an onion [composed] of multiple layers. It’s important to define your perimeter and implement security measures to protect yourself,” said Bradley. “Start with your bank or credit card issuer. Turn on all alerts you possibly can, to the point where it’s annoying, and you have to go back and dial it down.”

He also suggests turning on multi-factor authentication wherever possible and advocates against the use of debit cards while taking advantage of the credit freeze facility, which doesn’t cost anything, and helps protect customers from identity thefts.

Palazolo said users should use the capability to generate unique and temporary digital card numbers for online purchases. Even if the website is infected, this option will ensure that stolen card details aren’t of any use to the attackers.

Eyes Wide Open

Erich Kron, a security awareness advocate at KnowBe4, suggested shoppers review their credit card and bank statements regularly, keeping their eyes peeled for unusual charges or purchases.

“Far too often, charges simply get added to the credit card balance without the victim noticing. Even small charges, a dollar or two at a time, which can be used to confirm to the cybercriminal that the card is still valid, can be a sign that the card has been compromised,” Kron shared with Lifewire via email. 

He also suggested that users should understand the protections offered by their credit cards and be aware of all the options available to them to quickly report suspicious charges.

“It’s important to define your perimeter and implement security measures to protect yourself.”

However, at the end of the day, it’s the responsibility of the ecommerce website owners to ensure they’re running a secure ship, pointed out Kunal Modasiya, senior director of product management at cybersecurity firm PerimeterX. He said because consumer actions are limited, ecommerce website owners must employ solutions that provide continuous visibility into the actions happening on their websites.

“Ecommerce companies should employ a multi-layer defense-in-depth solution that helps protect users’ account and identity information everywhere along their digital journey.”

Get the Latest Tech News Delivered Every Day