E-commerce and retail will likely see an increase in digital card skimming attempts during the shopping holiday period, including Black Friday and Cyber Monday, driven by insufficient e-commerce security, increased opportunity and profit for threat actors, and the limited ability of the criminal justice system to prosecute.
Outdated Magento Install Base Eases Exploitation
The retail industry struggles to keep applications secure and updated, leaving outdated e-commerce platforms at risk and presenting threat actors with an easy route to exploitation. Magento is a popular e-commerce application, and in September 2018 Adobe announced that version 1.x would no longer be supported after June 30, 2020. EclecticIQ analysts highlight that over half of all community installs, and approximately 40% of enterprise installations, are Magento 1.9 or below. The latest Magento version is 2.4. While there has been a decline in Magento 1.x installs, the install base of Magento 1 (90k) is still more than double that of Magento 2 (40k).
The combination of a large Magento 1 install base, the end-of-support date having passed, and the release of a zero-day exploit set the stage for the largest campaign against Magento installs, dubbed CardBleed, in September 2020, just a month after the exploit went up for sale. More than 2,000 Magento stores were compromised over a single weekend. Most of these attacks then deployed Magecart, a digital card skimming tool typically used to target the Magento platform and steal buyers' credit card information.
Increase in E-commerce Traffic Presents Opportunity for Cyber Criminals
New online users, particularly in developing regions, may not understand or follow basic internet safety practices and present a significant opportunity for cyber criminals to take advantage of. The increase in online shopping volume over previous years presents a greater opportunity for threat actors to steal sensitive payment information. A survey by the United Nations among 3,700 consumers worldwide found that more than half of respondents are shopping online more frequently than before the COVID-19 pandemic. The United Nations Conference on Trade and Development Secretary-General Mukhisa Kituyi said, “The COVID-19 pandemic has accelerated the shift towards a more digital world.”
Low Barrier to Entry Offers an Incentive to Cyber Criminals
The Inter skimming kit, a highly customizable digital skimmer, can be purchased for $1,300 per license. Furthermore, PerimeterX has observed advertisements for skimming-as-a-service on public forums.
Law Enforcement Struggles to Prosecute Digital Crimes
Prosecuting digital crimes, both domestically and across international borders, remains a challenge and will very likely continue to drive cybercriminal activity. Law enforcement must coordinate efforts between jurisdictions and departments that follow different operating procedures and often speak different languages. Companies and individuals are often left to protect themselves from malicious activity on their own. Third Way, a US-based think tank, estimated that 3 out of every 1,000 cyber incidents result in an arrest, further highlighting the difficulty and scale of prosecuting cyber crime.
In 2019 the Internet Crime Complaint Center (IC3) reported an average of 1,200 complaints a day and overall losses due to cyber crime of $3.5 billion. The IC3 and the FBI do not publish statistics on arrests or prosecutions related to cyber crime, as is done for many other crime types. This lack of reporting underlines the overwhelming scale of the problem of prosecuting cyber crime.
The Global Initiative Against Transnational Organized Crime highlights the difficulty of international cooperation in a report released in September 2019. The report points to a lack of trust among governments on cyber-related issues. The main issues hampering international progress are who should regulate cyberspace, who should have access to data, and who should regulate content. These questions remain unanswered, and international cooperation remains on a per-incident basis.
For retail organizations to better protect themselves and their customers from digital card skimming attacks, EclecticIQ's Fusion Center suggests implementing monitoring and protections for the following MITRE ATT&CK TTPs.
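One concrete monitoring control that fits the recommendation above is to audit every script origin on checkout pages against an allowlist the shop owner maintains, since digital card skimmers are delivered as JavaScript on exactly those pages. The following is an added example written for this post, not EclecticIQ's, Magento's or any vendor's code; the allowlist, the hostnames and the sample checkout HTML are constructed, and the Subresource Integrity (SRI) check and the Content-Security-Policy value it derives are standard browser mitigations rather than anything the post itself prescribes.

```python
"""Audit the <script> tags on a checkout page against an origin allowlist.

Added example (not EclecticIQ's or Magento's code). Skimmers are injected
JavaScript, so comparing each script origin on payment pages with an approved
list is a cheap, repeatable monitoring check. All hostnames, the allowlist and
the sample HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins approved to serve JavaScript on payment pages (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example", "pay.psp.example"}


class ScriptCollector(HTMLParser):
    """Collects the attribute dictionary of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def script_host(src, page_host):
    """Host a script src resolves to; relative and path-only URLs are same-origin."""
    return (urlparse(src).hostname or page_host).lower()


def audit_checkout_page(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, src) findings for external scripts that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            continue  # inline scripts should be diffed against a known-good baseline instead
        host = script_host(src, page_host)
        if host not in allowed_hosts:
            findings.append(("unapproved-origin", src))
        elif host != page_host.lower() and not attrs.get("integrity"):
            # Approved third-party script loaded without SRI: a compromise of that
            # origin would be served to shoppers unchecked.
            findings.append(("third-party-without-sri", src))
    return findings


def csp_script_src(page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Build a Content-Security-Policy script-src value from the same allowlist."""
    sources = sorted(f"https://{h}" for h in allowed_hosts if h != page_host)
    return "script-src 'self' " + " ".join(sources) + ";"


# Constructed checkout page: a same-origin script, an approved script with SRI,
# an approved PSP script without SRI, and an unapproved third-party script.
SAMPLE_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://static.shop.example/js/vendor.js"
        integrity="sha384-PLACEHOLDER-HASH"></script>
<script src="https://pay.psp.example/v1/fields.js"></script>
<script src="//cdn.unrelated.example/stats.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for kind, src in audit_checkout_page(SAMPLE_HTML, "shop.example"):
        print(f"{kind}: {src}")
    print(csp_script_src("shop.example"))
```

Run periodically against a fetched copy of the live checkout page, any new `unapproved-origin` finding is an alert condition, while `third-party-without-sri` findings are hygiene items to raise with the script's owner. Enforcing the generated `script-src` value as a CSP header turns the same allowlist from a detection into a browser-side block.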