Man-in-the-middle attacks roil online checkout

2018 was a record year for online fraud, according to the 2019 Internet Security Threat Report, published by Symantec in February 2019. Massive, automated attacks on ecommerce shopping carts, designed to imitate legitimate hand-offs to secure checkout sites, robbed consumers of credit card credentials and personally identifiable information, according to the report.

Speculating that devalued cryptocurrencies may be fueling the growth of web skimming and formjacking attack vectors, researchers said the "value of stolen credit card details on the cyber underground is probably more assured than the value of cryptocurrencies in the current climate."

Formjacking, which Symantec describes as the use of malicious JavaScript code to steal data from online payment forms, continues to rise, after compromising 4,818 websites in 2018. The trend sharply escalated in November and December, when the security company blocked more than 1 million malicious attacks. Magecart, a crime syndicate, perpetrated numerous strikes against high-profile brands, including British Airways and Ticketmaster, researchers found.

"EMV adoption has made it harder for criminals to break into the card-present environment," said David Ellis, vice president, investigations, at SecurityMetrics. "Patterns emerged in 2017 involving altered payment pages, with 80 percent of cases involving altered payment pages on ecommerce sites."

Website, subresource integrity

Third-party hosted sites and content providers are frequent targets for fraud, most commonly in checkout shopping cart environments, Ellis noted. Content security policies (CSPs) can help to prevent this type of attack but can be costly and difficult to execute. "CSPs will alert retailers of known, documented vulnerabilities but require a high level of experience to configure and use," he said. "Malicious scripts morph, and even the smallest of changes can defeat a CSP database."

Ellis cited subresource integrity tools that validate third-party content by providing a hash of a clean version of copy that must be matched. "Each time before the content will load, it is checked against the hash," he said.

Jérôme Segura, head of threat intelligence at Malwarebytes Labs, urged consumers to be more careful when checking out on small ecommerce sites. "Be especially vigilant if you are on an ecommerce site that redirects you to a payment page or asks for payment data prematurely during the checkout process," he said. "A web skimmer from a content delivery network could be operating within the same site, using malicious code to exfiltrate your credit card data."

Mounir Hahad, head of Juniper Threat Labs, a Juniper Networks threat intelligence portal, said Magecart and other bad actors are using malicious code to siphon off payment card information. "We are unfortunately in the era of cloud native risks associated with SaaS applications," he said. "It used to be that you needed to ensure the security of libraries you embed in your application, but with cloud real-time delivery, the challenge has morphed into assessing the security posture of the entity providing you with the functionality."

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.