During the busy holiday shopping season late last year, firearms maker American Outdoor Brands noticed a problem with one of its websites, which sells mostly hats, shirts and accessories.
The site, it turned out, was subject to an e-skimming attack over Thanksgiving, where a type of malware infected its checkout pages to steal payment and personal information of shoppers. The company, formerly known as Smith & Wesson, says the incident affected about 780 people.
“Our first action upon learning of the attack was to disable the checkout function on the site to reduce the amount of individuals impacted,” Elizabeth Sharp, vice president of investor relations, said in a statement to CNBC. “During the investigation we found the malware and identified when the malicious code was placed on the site.”
Skimmers, or hidden devices designed to steal credit card information, have long been a threat for consumers at the gas pump or ATM. Now, skimming has gone high-tech and hackers can steal your information in a more insidious and lucrative manner. This type attack is also known as Magecart.
Just this week, the first arrests were announced for the crime. Interpol, which helps coordinate police agencies in 194 countries, said Monday it arrested three people from Indonesia who allegedly compromised hundreds of online shopping websites. It said the suspects stole payment card details and personal data such as names, addresses and phone numbers.
Companies large and small have been hit by e-skimming attacks in the past two years, including Macy’s in October, Puma’s Australian website in April and Ticketmaster’s United Kingdom website in June 2018. Macy’s, Puma and Ticketmaster did not respond to CNBC’s request for comment.
“Any retailer that has a significant online presence that accepts online orders is definitely concerned about e-skimming. This has been in the news recently, and even big-name stores have been hit,” said Randy Pargman, senior director for threat hunting and counterintelligence at Binary Defense, an Ohio-based cybersecurity company that monitors companies’ computers for signs of attacks. The company won’t disclose its clients but says many are in the retail sector.
Cybercriminals can compromise websites in many ways, including breaking into the web server directly or breaking into a common server that supports many online shopping websites, to compromise them all. One example of an online shopping service is Magento, which was acquired by Adobe in 2018 for more than $1.6 billion. The Magecart name for this type of attack comes from Magento but can refer to attacks on other software as well.
“Magento is committed to delivering security to our customers, as well as helping to maintain that security,” said Gaby Yim, a spokeswoman for Adobe. “As the majority of exploits tend to target software installations that are not up to date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available.”
The FBI says e-skimming has been on its radar for nearly seven years but the crime is growing because cybercriminals are sharing the malware online and becoming more sophisticated.
“If you are a company that has a heavy volume of credit card numbers being inputted into your website, at that point, you’re probably at a higher risk,” said Herb Stapleton, section chief for the FBI’s cyber division. “Now one thing about those types of companies is often they have more resources to invest in cybersecurity measures. So as a result of that, even some lower-traffic companies, some smaller and medium-sized businesses, are still at risk because some of them may not have the resources to invest as heavily in their cybersecurity.”
The exact number of websites compromised is unknown, but Stapleton said millions of credit cards have been stolen, and that is just what is reported to the FBI. The true number is likely higher.
Unlike traditional skimming, the criminals behind the attack do not need physical access so they can be located anywhere in the world.
“Cybercriminals have a harder time now stealing the credit card information from cash registers or point-of-sale terminals. That’s where you physically swipe your card or you dip the chip cards. The reason is because the technology for those point-of-sale systems has become better,” said Binary Defense’s Pargman.
E-skimming, or Magecart, is a cybersecurity hacking technique that steals information as the consumer puts it into a online shopping website. This is a demo of what the attacker can see.
Retailers who are compromised face reputational risk.
“That’s why companies put a lot of effort into making sure that their security is good, so they don’t have to notify consumers that they had lost their data because of a lapse in security,” Pargman said.
In addition, companies can face stiff fines for not having the systems in place to protect their client’s information. British Airways is facing a nearly $230 million fine for a data breach involving about half a million customers. British Airways did not respond to CNBC’s request for comment.
In order to protect themselves, Pargman says companies need to stay on top of system updates and monitor their servers.
“There’s records of what’s happening on the web server. You need to monitor those to make sure that there’s no signs of an attacker who’s logging on and taking control of the web server,” he said.
For consumers, it can be difficult to prevent having their information taken. Consumers should use credit cards instead of debit cards when shopping online to lessen any inconvenience if their card is compromised, Pargman said. Users of credit cards usually have lower liability for fraud. In addition, getting money returned to your debit card can take some time.
Another tip is to consider using a virtual credit card, Pargman said. Some banks and credit card companies offer the option to create a unique credit card number to be used for specific transactions. If this number is compromised, other charges will be declined.
Consumers should also monitor their cards for any unusual activity and report it right away, he said.
“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer,” the FBI’s Stapleton said.