The Payment Card Industry (PCI) Security Standards Council has released a new alert. The alert warns of the threats of online credit card skimming to payment security. Read the full alert or get the highlights below.
The group primarily responsible for the tactic is known as "Magecart." In the past, the group has hacked British Airways, Newegg and Ticketmaster. Magecart has compromised over 6,400 sites since its inception.
The alert says, "Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets, and exploiting vulnerabilities in unpatched website software."
After obtaining the data, the group sells the information on the Dark Web.
How it Works
The group uses vulnerabilities in websites to compromise them. The vulnerabilities exploited for skimming are the same ones attackers use to break into websites for other purposes. The ways Magecart gains access include:
- Brute-Force Login Attacks: Attackers try to log in using a large list of commonly used passwords.
- Third-Party Plugins: Websites often use functions, apps or widgets from outside developers to accomplish a specific purpose. However, each one is another channel an attacker can use to get in.
- Phishing and Social Engineering: Criminals can obtain credentials by deceiving a person into handing over the desired information. Phishing and social engineering most commonly arrive via email.
After gaining access to a site's backend, the attacker injects the malicious skimming scripts. "The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors," according to the alert.
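As an added example (this is not code from the PCI SSC alert or from any vendor tool), the following Python script shows one way a site owner can detect the kind of injected script the alert describes. It baselines the `<script>` tags on a known-good copy of the checkout page, then flags any later copy that loads script from a host outside an allowlist, uses a `data:` or `javascript:` script source, or carries an inline script whose hash is not in the baseline. The allowlist, host names and HTML snippets are constructed for the example.

```python
"""Spot injected <script> tags on a checkout page by comparing against a
known-good baseline.  Added example; the HTML, hosts and allowlist below are
constructed and are not taken from the PCI SSC alert."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only hosts allowed to serve script on checkout.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag as {"src": str|None, "body": str}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers the raw script body through handle_data.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.scripts


def inline_hash(body):
    """Whitespace-insensitive SHA-256 of an inline script body."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def baseline_inline_hashes(html):
    """Hashes of the inline scripts on a known-good copy of the page."""
    return {inline_hash(s["body"]) for s in collect_scripts(html) if s["src"] is None}


def find_suspicious_scripts(html, allowed_hosts, known_hashes):
    """Return (reason, detail) pairs for scripts that deviate from the baseline."""
    findings = []
    for script in collect_scripts(html):
        src = script["src"]
        if src:
            parsed = urlparse(src)
            if parsed.scheme in ("data", "javascript"):
                findings.append(("script-from-uri-scheme", src))
            # A relative src (no hostname) is same-origin and is left alone.
            elif parsed.hostname and parsed.hostname not in allowed_hosts:
                findings.append(("unknown-external-host", src))
        else:
            digest = inline_hash(script["body"])
            if digest not in known_hashes:
                findings.append(("unknown-inline-script", digest))
    return findings


# Constructed known-good checkout page.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example/lib.js"></script>
<script src="/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed later copy of the same page with two additional script tags.
MODIFIED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//skimmer-host.invalid/checkout.js"></script>\n'
    "<script>/* constructed: unexpected inline script */ var x = 1;</script>\n</head>",
)

KNOWN_HASHES = baseline_inline_hashes(BASELINE_HTML)

if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(MODIFIED_HTML, ALLOWED_SCRIPT_HOSTS, KNOWN_HASHES):
        print(f"ALERT {reason}: {detail}")
```

In practice the baseline would be recomputed after every legitimate deployment and the check run on a schedule against the live checkout page; any new external host or unrecognised inline script is the signal worth investigating, since the alert notes the skimmer may send card data either to the compromised site itself or to an outside system.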
Complying with the 12 PCI DSS requirements goes a long way toward keeping your site safe and secure.
Other items to focus on to secure your website include:
- Install website plug-in and CMS updates and patches as soon as they become available.
- Maintain control over the authorization levels of the people who can log in to your website.
- Require users who log in to your website to enable two-factor authentication.
- Work with an external vendor to perform penetration testing of your defenses.