By Ray Birch
SAN DIEGO—Already facing an increasing wave of ATM skimming attacks, credit unions are now being warned they must brace for “digital skimming” on home banking sites.
Jim Stickley, CEO of Stickley on Security, told CUToday.info the rapidly growing digital card skimming attacks, where crooks modify code on ecommerce sites to steal payment card data as it is entered, will become a threat to credit unions as crooks seek to capture other forms of data using the same strategy.
“It will be spreading to financial institutions quickly,” said Stickley. “If you can compromise a third-party site where people are inputting credit card information, why not put that same malware on online banking servers? You enter your login and password and multifactor data, and all that is captured and sent off somewhere.”
The attacks have increased to the point where security experts have given the practice a name—Magecart—and they have spawned a small cottage industry among fraudsters. Last year, many major online retailers were hit by Magecart attacks, including British Airways, Sotheby’s, Newegg and Ticketmaster. Reports indicate that the card data collected from all Magecart hacks exceeds that stolen in many high-profile breaches, such as Home Depot and Target.
Stickley said that code skimming kits are easily accessible on the Dark Web so that even unsophisticated hackers can pull off digital skimming.
“This code is simplistic to begin with,” said Stickley. “So even if you have basic web development knowledge you can do this. With the kits, the vast majority of the work is done.”
Why Threat is Growing
Stickley said the crime is growing not only because it is easy for criminals to pull off with little chance of getting caught, but also because Magecart hacks are hard for site-owners to detect and virtually impossible for consumers to catch.
“I modify that website just a little bit. It’s not like I make a big change to the website at all,” explained Stickley. “I modify a tiny bit of the code where you are doing the data input so that when a visitor types in their credit card information the site looks normal, but I am capturing that data, either recording it and keeping it on a local server or forwarding it somewhere else in the world.”
Stickley added that criminals can write the malware to be a worm that self-propagates to spread over the Internet, looking for vulnerable sites.
What a Credit Union Can Do
What should FIs know about this crime and how can they defend against attacks?
Stickley said the best defense for site-owners, including credit unions with home banking platforms, is to have some type of file monitoring system that looks for changes to files on the back end of websites.
“There are products out there, like Tripwire, that check for when a file in a directory on a site changes. That is what you are most interested in with this crime,” he explained. “If you are not monitoring and being told instantly when a file is changed on a server, you are missing a key component of your security program. Because that’s what is happening with Magecart—the criminals are making minor changes to existing code.”
New ‘Hip Kid’ on the Block
Stickley said that his company’s website has monitoring tools in place that immediately send him and other key staffers a text when any page on the site experiences a change to a file.
“I get a link in the text message that shows exactly what on the site has been modified,” he said. “Having this type of awareness now is very important.”
It’s critical because Magecart is fast becoming the “new hip kid on the block,” said Stickley. “It’s the cool thing for criminals to do because it’s easy to pull off and difficult to detect. This is not going away anytime soon because crooks are having a lot of success with it—and it will continue to spread and go into many other types of systems that are not being touched today.”