Probable Increase in Digital Card Skimming During Shopping Holidays

E-commerce and retail will likely see an increase in digital card skimming attempts during the shopping holiday period including Black Friday and Cyber Monday, driven by insufficient e-commerce security, increased opportunity and profit for threat actors, and limitations in the Criminal Justice system to prosecute.

Outdated Magento Install Base Eases Exploitation

The retail industry struggles to keep applications secure and updated, putting outdated e-commerce platforms at risk and presenting threat actors an easy way for exploitation. Magento is a popular e-commerce application, and in September 2018, Adobe announced that Version 1.x would no longer be supported after June 30, 2020. EclecticIQ Analyst highlights that over half of all community installs, and approximately 40% of enterprise installation are of Magneto 1.9 or below. The latest Magento version is 2.4. While there has been a decline in Magento 1.x installs there is still more than double the install base of Magento 1 (90k) over Magento 2 (40k).

Sansec discovered a zero-day exploit effective against all 1.x versions of Magento. The exploit is sold on a darkweb marketplace as of August 15, 2020. It is not likely a patch will be released, since these versions are no longer supported by Adobe.

The combination of a large install base of Magento 1, end of life support passing, and zero day exploit release set the stage for the largest campaign, dubbed CardBleed, against Magento installs just a month after the exploit went up for sale, in September 2020. More than 2,000 Magento stores were compromised over a single weekend. Most of these attacks then deployed Magecart, a digital card skimming tool, which typically is used to target the Magento platform to steal credit card information of buyers.

Increase in E-commerce Traffic Presents Opportunity for Cyber Criminals

New online users - particularly in developing regions - possibly do not understand / follow basic internet safety and present a great opportunity for cyber criminals to take advantage. The increase in online shopping volume over previous years presents a greater opportunity for threat actors to steal sensitive payment information. A survey by the United Nations among 3,700 consumers worldwide found that more than half of respondents are shopping online more frequently than before the COVID19 pandemic. The United Nations Conference on Trade and Development Secretary-General Mukhisa Kituyi said, “The COVID-19 pandemic has accelerated the shift towards a more digital world.”

The Google, Temasek, Bain & Company e-Conomy South East Asia 2020 Report highlights greater growth of internet sales. In 2019, Southeast Asia has 10 million first time internet users come online. Since the beginning of 2020 there have been 40 million new users. E-commerce has benefitted growing to $62 billion, a 63% increase over 2019.

Low Barrier to Entry Offers an Incentive to Cyber Criminals

It is easier than ever to monetize a successful breach; with little investment and technical knowledge required, new actors can begin skimming operations with relative ease. The 2020 Verizon DBIR report, states that the retail industry is primarily targeted by financially motivated threat actors. A common tactic for monetization is the use of digital card skimmers. Magecart is a javascript-based skimmer that an attacker would embed on a compromised e-commerce webpage. The skimmer would then identify sensitive information entered on the page and send that to the C2 server.

Inter skimming kit, a highly customizable digital skimmer, can be purchased for $1300 per license. Furthermore, PerimeterX have observed advertisements for skimming-as-a-service on public forums.

Law Enforcement Struggle to Prosecute Digital Crimes

Prosecuting digital crimes domestic and across international borders remains a challenge and will very likely continue driving cybercriminal activity. Law enforcement must coordinate efforts between jurisdictions and departments that utilize different operating procedures and often speak different languages. Companies and individuals are often left on their own to protect themselves from malicious activity. Third Way, a US based think tank, estimated 3 out of 1000 cyber incidents see an arrest. Further highlighting the difficulty and scale of the problem of prosecuting cyber crimes.

In 2019 the Internet Crime Complaint Center(IC3) reported on average 1200 complaints a day and overall losses due to cyber crime of $3.5 billion. The IC3 and the FBI do not publish statistics on arrests or prosecutions related to cyber crime like is done with many other crime types. This lack of reporting highlights the overwhelming nature of the problem of prosecuting cyber crime.

The Global Initiative Against Transnational Organized Crime highlights the difficult in international cooperation in a report released September 2019. The report highlights the lack of trust amongst government with relation to cyber-related issues. The main issues hampering international progress are who should regulate cyberspace, who should have access to data, and who should regulate content. Answers to these questions remain unanswered and international cooperation on a per incident basis.

For retail organizations to better protect themselves and their customers from digital card skimming attacks, the EclecticIQ's Fusion Center suggests implementing monitoring and protections for the following Mitre ATT&CK TTPs.