Web skimming attacks not expected to intensify during COVID-19 quarantines

The current coronavirus (COVID-19) quarantine periods imposed all over the globe have forced a large portion of the world’s population towards online shopping.

But despite amid a dramatic rise in the number of people using online stores to buy food and supplies during this outbreak, security researchers don’t expect to see a sudden spike in web skimming attacks.

Web skimming, also known as e-skimming or Magecart attacks, is a type of security incident where hackers breach online stores to plant malicious code that steals a user’s payment card details while the data is entered in checkout forms.

These types of attacks have become popular with criminal groups around 2017-2018.

ZDNet interviewed this week researchers from Malwarebytes, RiskIQ, and Sanguine Security, today’s most active security firms in tracking web skimming attacks, in order to get their thoughts on how the sudden surge of users shopping online will impact the web skimming scene.

The general consensus that we received from the three companies — and contrary to popular belief — was that web skimming is not expected to see a sudden surge of activity just because more people are now stuck at home and will most likely spend more time shopping online.

The primary reason is that web skimming groups have been scanning for vulnerable sites to hack and compromise for years, and the number of incidents has remained generally the same for the past few months.

Experts say that in order to see a surge in web skimming incidents, we’ll first need to see an explosion of new online stores that hackers can attack and compromise. Until that happens, the number of hacked online stores are expected to remain the same.

Statistics compiled by the free companies show this trend pretty clearly. For example, data gathered by Sanguine Security shows a slight decrease in the number of web skimming incidents (hacked online stores) during the recent COVID-19 outbreak period.

While statistics among companies usually vary, Jerome Segura, a threat intelligence analyst at Malwarebytes, told ZDNet that he hasn’t seen “any major changes” in the number online stores compromised by web skimming groups, confirming Sanguine’s finding that the coronavirus outbreak did not drove hacker groups to increase their activity.

On the other hand, RiskIQ did see an increase, but not something that is out of the extraordinary or could be called a spike.

“So far in March, we’ve seen an uptick in our skimming detections of about 20% in comparison to February,” Jordan Herman, threat researcher at RiskIQ, told ZDNet in an email.

The reason why we’re not seeing more online stores getting hacked is because the number of online stores has remained the same.

To record a spike in web skimming attacks during the coronavirus outbreak we should have observed an explosion in the number of online stores created in the past 2-3 months — which we have not.

While more users have shopped online these past months, they most likely flocked to the big online stores, the ones that have advanced security features.

Most web skimming groups today are pigeonholed in their attack tactics and can’t breach these larger targets, which means hackers won’t be able to get to stores where most users are spending their money.

“There are multiple [web skimming] groups active in this space, and they have distinct strategies,” Willem de Groot, CEO and founder of Sanguine Security, told ZDNet.

“Some run fully automated campaigns to infect as many stores as possible. I don’t think they will change their tactics because of COVID-19,” de Groot added.

“However, more sophisticated actors run manual campaigns against targeted, larger stores. It makes no sense to spend weeks hacking into stores that have plummeted revenue (such as luxury products). I expect them to quickly shift to more profitable sectors, such as DIY, pet supplies, foodstuff.”

Still, even if there are more sophisticated actors that target larger stores, Herman believes that most web skimming attacks will go after the online stores of small-to-medium businesses (SMBs), rather than the big brands.

“Every now and then we see a well-known brand affected by Magecart, but almost all of our skimming detections are on small or medium businesses’ websites,” Herman said. “They make easier targets because they have fewer IT resources than larger companies.”

It’s these smaller online stores where users need to be careful when shopping online, the three experts said.

Unfortunately, detecting the presence of malicious web skimming code on a website is a tough job that even security researchers are struggling with — primarily due to the increased sophistication of the code involved.

“It is not possible for consumers to detect a store with skimming code. But consumers are very much able to limit any potential damage,” de Groot told ZDNet.

“We recommend using a payment method that requires two-factor authentication or the use of ‘disposable’ or ‘virtual’ credit cards that can only be used a single time.”

Herman also recommends that buyers use solutions like Apple Pay, PayPal, and other third-party payment providers, as users won’t have to enter their card details on the vulnerable stores, hence, avoid having the data stolen.

Another option is to use an antivirus, according to Segura. Some antivirus software comes with support for detecting compromised online stores. The solution is not perfect, as recently hacked stores take some time to detect and add to a database of hacked sites, but an antivirus popup might warn users when accessing sites that have been compromised for days.

So while experts don’t anticipate any major shifts on the web skimming landscape, they do recommend that users take precautions when shopping online.

Wek skimming attacks have been around for years now, and users need to develop new habits when shopping online that adapt to this new threat, regardless of the current COVID-19 outbreak.