Can there be someone else in your shopping cart? The scenario sounds scary, but it may very well be true. Hackers constantly come up with crafty ways to get into user accounts, siphon off details and use them in various illegal activities. Payment card details are of particular interest to them, so they keep finding new ways to hide their malicious code on Web sites. These days the code is often hidden deep, unlike the earlier days when it was left wide open and showed up as gibberish text even to an untrained eye. A compromised e-commerce site is now more likely to be seeded with a tiny snippet of code that invokes a hostile domain, one that either looks harmless or is virtually indistinguishable from the hacked site’s own domain.
Let’s understand how it works with some examples, but with a word of caution: if you attempt to look into the raw code of these sites, the same malicious code may compromise your own system. Access such sites only if you know what you are doing.
Here is a simple example. asianfoodgrocer-dot-com offers a range of comestibles. It also currently includes a spicy bit of card-skimming code hosted on the domain zoobashop-dot-com. In this case it is easy to miss the malicious code when reviewing the HTML source, as it fits neatly into a single, brief line.
Zoobashop is itself a presently hacked e-commerce site. Based in Accra, Ghana, zoobashop bills itself as Ghana’s “largest online store.” In addition to offering great deals on a range of electronics and home appliances, it is currently serving a tiny obfuscated script called “js.js” that snarfs data submitted into online forms.
This case is interesting because the hackers have not gone out of their way to disguise where the script is hosted. Increasingly, however, these data-slurping scripts are hidden behind fully fraudulent https:// domains that are custom-made to look as if they belong to content delivery networks (CDNs) or popular web scripts, with names that include terms like “jquery,” “bootstrap,” and “js.”
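To make the defender's side of this concrete, here is an added example (not code from the article or from any of the firms it cites): a small Python check that lists every external script source on a checkout page that is not on an assumed allowlist, and flags hosts that use the CDN-style naming described above. The allowlist, the page host and the hostnames in the sample HTML are constructed placeholders.

```python
# Added example: review the <script src> tags of a checkout page and report
# third-party hosts that are not on an allowlist, flagging names that mimic
# CDNs or common script libraries. Hostnames here are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the shop legitimately loads scripts from.
ALLOWED_HOSTS = {"code.jquery.com", "cdn.jsdelivr.net"}
# Name fragments attackers reuse in lookalike domains, as noted above.
LOOKALIKE_TOKENS = ("jquery", "bootstrap", "js", "cdn")

# Constructed checkout page: one relative script, one allowlisted CDN,
# one lookalike CDN host, one plain unknown host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script type="text/javascript" src="//jquery-cdn-static.example/js.js"></script>
<script src="https://unrelated-host.example/tracker.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (inline scripts are skipped)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def classify_script_sources(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, src, reason) for each external script not on the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        host = urlparse(src).hostname  # handles absolute and scheme-relative (//host) URLs
        if not host or host.lower() in allowed_hosts or host.lower() == page_host:
            continue  # relative path, allowlisted CDN, or the shop's own host
        host = host.lower()
        tokens = [t for t in LOOKALIKE_TOKENS if t in host]
        reason = "unknown host"
        if tokens:
            reason = "unknown host with CDN-style name (" + ", ".join(tokens) + ")"
        findings.append((host, src, reason))
    return findings
```

Inline scripts (no src) still need manual review, since a skimmer may be a short inline snippet that builds the hostile URL at runtime.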
There are many more examples, but the problem is clear and needs attention, especially with the explosion of e-commerce happening across India.
Symantec calls these attacks “formjacking,” which it describes as the use of malicious JavaScript to steal credit card details and other information from payment forms on the checkout pages of e-commerce sites. The company also said that since mid-August 2018 it has blocked almost a quarter of a million instances of attempted formjacking.
RiskIQ, another security firm, has been exceptionally upfront and has written extensively about these attacks. It has also attributed the hacks of the Web sites of British Airways and geek gear vendor Newegg to a group, or hacking method, it calls “Magecart.”
It is still unclear whether the compromises are the work of one consortium or of several small groups of hackers.
“Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties,” RiskIQ’s Yonathan Klijnsma writes. “Magecart uses a digital variety of these devices.”
E-commerce sites and their security need attention, and CISOs need to proactively deploy and upgrade tools to keep them safe.