NewEgg Hacked by the Magecart Attack Using Skimmers to Steal Credit Card Information
There are many reasons to want to share one’s credit card information online, such as online purchases, subscriptions, and various payments. However, things can be pretty risky as your credit card information may be stolen and used for unlawful purposes.
Online consumers are told to look for a few red flags before entering credit card information on an e-commerce store. HTTPS, contact information, and site reputation all play a role in assessing a site’s credibility.
Credibility leads to trust for consumers ready to enter their credit card details, but what they don’t know is that hackers who gain access to site code can install skimmers that steal data on a site that otherwise looks secure.
One such attack is Magecart, which recently affected British Airways. The Magecart attack allowed attackers to add a skimmer to NewEgg, which is one of the biggest online retailers for computer equipment and electronics.
Skimming Credit Card Data from Code
The term “skimmer” refers to a physical device installed on a payment machine. A skimmer tricks users into swiping their card and entering other private details such as the PIN when paying for a product.
One popular location for skimmer attacks is the gas station. Since some pumps are usually out of the store attendant’s line of sight, the attacker can install a skimmer without being seen.
The skimmer usually has a small camera attached to the pump, which takes a snapshot of the PIN as the user enters it after swiping the card.
To detect a skimmer, you should take a close look at the pump’s credit card equipment. If it looks damaged, broken off or improperly installed, then the chances are high that there’s a skimmer in the pump.
So how does the attacker retrieve the information? They leave the skimmer installed for a day or two, hoping that it takes many snapshots when unsuspecting users input their PIN; then they go to the gas station pump to collect the equipment and retrieve the images.
How the Magecart attack code was injected into NewEgg’s shopping cart is still unknown, but researchers at RiskIQ were able to uncover the shopping cart page and the code that contained the skimmer.
The “CheckoutStepL.aspx” page was part of NewEgg’s final shopping cart stage, where users entered their credit card information.
The following is the code that skims credit card data from the main NewEgg shopping cart page:
Notice the “neweggstats.com” domain used in the jQuery function. The attacker registered a lookalike domain to avoid detection. An SSL cert for HTTPS encryption was even registered and installed on the domain, so any consumer who reviewed the site would assume that it was a safe site.
One trick attackers use to fool users is creating lookalike sites of the originals; this tricks users into thinking the site is the same as the original without checking the domain name carefully. Attackers also install an SSL certificate to make the trick harder to discover.
A lookalike domain also avoids detection by developers, who probably won’t question whether the website is used to collect statistics. It’s not uncommon for several developers to edit the code base and add marketing URLs to it.
Developers could assume that the URL was added by another developer on direction from the marketing team.
How to Avoid This Attack
When the code is triggered, it grabs the credit card number from NewEgg’s shopping cart page and sends it to the hacker’s third-party “neweggstats.com” server.
The entire process of skimming the credit card was completely invisible to the user, so it was able to remain on the site from August 14 to September 18, 2018, enough time to cause massive damage.
Magecart is a silent attack that can leave any shopping cart susceptible to credit card skimmers. NewEgg fell victim for a month with no idea that their site pages had been compromised.
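One way to catch an unreviewed endpoint such as the “neweggstats.com” host described above is to audit every host a checkout page references against an approved list, and to single out unapproved hosts that embed the brand name. The following is an added example, not code from NewEgg or RiskIQ; the allowlist, the sample page, and every path and host other than “neweggstats.com” are constructed for illustration.

```javascript
// Added example: audit the hosts referenced by a checkout page's source.
// BRAND, ALLOWED_HOSTS and SAMPLE_PAGE are constructed for illustration.
const BRAND = "newegg";
const ALLOWED_HOSTS = ["newegg.com", "cdn.example.net"];

// True when host is an approved domain or a subdomain of one.
// A suffix match on "." + domain keeps "neweggstats.com" from passing.
function isAllowed(host) {
  return ALLOWED_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Collect every distinct absolute http(s) host in markup or inline script.
function extractHosts(source) {
  const hosts = new Set();
  const urlPattern = /https?:\/\/[^\s"'<>)\\]+/gi;
  for (const match of source.match(urlPattern) || []) {
    try {
      hosts.add(new URL(match).hostname.toLowerCase());
    } catch (err) {
      // Not a parseable URL; skip it.
    }
  }
  return [...hosts].sort();
}

// Classify each host: "allowed", "lookalike" (brand name inside an
// unapproved domain) or "unknown" (third party with no recorded owner).
function auditPage(source) {
  return extractHosts(source).map((host) => {
    if (isAllowed(host)) return { host, verdict: "allowed" };
    const flattened = host.replace(/[^a-z0-9]/g, "");
    return { host, verdict: flattened.includes(BRAND) ? "lookalike" : "unknown" };
  });
}

// Constructed checkout page: two approved hosts, one unknown tracker,
// and one reference to the lookalike domain named in the article.
const SAMPLE_PAGE = `
<script src="https://www.newegg.com/js/checkout.js"></script>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
<script>var statsEndpoint = "https://neweggstats.com/placeholder";</script>
<img src="https://metrics.example.org/pixel.gif">
`;

for (const { host, verdict } of auditPage(SAMPLE_PAGE)) {
  console.log(verdict.padEnd(10), host);
}
```

Run against each build of the payment pages, a check like this turns the assumption that another developer added the URL into a finding that someone has to approve.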