Online Credit Card Skimmers Thriving During COVID-19

The outbreak of novel coronavirus (COVID-19) forced many people across the world into self-quarantine and isolation. As a consequence, many traditional stores have been temporarily closed and the paradigm has shifted in favour of online shopping. To exploit this situation, many cyber criminals are turning toward digitally ‘skimming’ credit card numbers.

Digital skimming or the injection of malicious code into payment portals by hackers, posed a risk to online shoppers much before COVID-19 emerged. But just as scamming spikes during Black Friday, COVID-19 has created prime conditions for increased skimming attempts. Yonathan Kiljnsma, head of threat research at RiskIQ, says his company detected a 20 percent increase in digital skimming in March when compared to the previous month.

He said:

“E-commerce crime spikes whenever there is an event that forces or entices people to perform more online transactions. As we’re now all isolating ourselves and homebound, it means online purchases will spike and makes it a prime time for criminals”.

Recently, two high-profile victims hinted in affirmation of this assertion. Researchers from Malwarebytes published reports last week about a criminal code embedded within the website of food storage company Tupperware. The hackers had managed to exploit vulnerabilities in the website to inject their malicious code which later siphoned off credit card numbers and personal data. A week prior, RiskIQ revealed a similar attack on NutriBullet, which was attributed to the digital skimming group Magecart.

RiskIQ first discovered the NutriBullet attack at the end of February but couldn’t establish communication with the company. Consequently, researchers coordinated with other Internet watchdogs to take down the malicious infrastructure on March 1. Since NutriBullet didn’t repair flaws on its website, the hackers managed to secure their foothold. Magecart managed a new skimming operation on March 5. Several days later, RiskIQ indicated that NutriBullet was finally able to contain site vulnerabilities but its unresponsiveness greatly retarded the whole process.

Tupperware also proved difficult for Malwarebytes to contact. The company’s head of threat intelligence Jérôme Segura said that COVID-19 might be creating tougher challenges and distractions, which made it increasingly difficult for companies to react to.

He said:

“One thing that maybe is a side effect of what’s happening right now is that the number of people who are available to look at a website issue at companies is reduced. One person I spoke to at Tupperware got upset with me and said basically, ‘I don’t know what to do about what you’re asking me right now. Everybody is working from home, it’s a difficult time.’ And I said ‘I completely understand, but you need to fix this”.

Malwarebytes’ first attempt to contact Tupperware was on March 20. The latter managed to remove the skimmer on March 25, the same day Malwarebytes published its findings.

The company’s statement read as follows:

Tupperware recently became aware of a potential security incident involving unauthorized code on our US and Canadian ecommerce sites. As a result, we promptly launched an investigation, took steps to remove the unauthorized code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement. Our investigation is continuing, and it is too early to provide further details“.

Unlike RiskIQ, MalwareBytes hasn’t detected any significant increase in digital skimming since the rise of COVID-19. Segura emphasises this is partly due to the typical baseline for such attacks, which is already quite high.

A site infected with a skimmer behaves no different that an uninfected one. Researchers suggest you stick to big retailers which have a good record of information security. Organisations without dedicated IT support teams are less likely to implement adequate security measures.

When possible, use crowdsourcing platforms such as GoFundMe or third-party payment platforms like Paypal to handle transactions instead of filling out payment forms directly. For older and more prominent websites, Segura suggests checking the copyright tag often floating around the bottom.

He said:

“Check as best you can whether a site has been maintained or not. If the copyright notice is from 2017 it could mean that somebody hasn’t looked at the template in awhile. You can’t eliminate the risk completely, but you can reduce it”.

Join the discussion