By Dale S. Laszig
DSL Direct LLC
Have you ever been redirected to a checkout page when you shop online? Transitions are not always smooth, and the bad guys know it. Criminals know we're accustomed to seeing pop-up screens at checkout, and their man-in-the-middle attacks exploit this vulnerability. These attack vectors are hard to detect, look legitimate and can shape-shift in seconds, security experts warn.
David Ellis, vice president, investigations at SecurityMetrics, said checkout shopping cart environments are fertile territory for emerging fraud schemes. Popular methods involve third-party hosted content providers and content support services. A recent investigation of a scrolling ad network showed payment card data was lost each time one of the ads appeared on a screen.
"A criminal could exploit an SQL vulnerability and inject a website with malicious Java scripts," Ellis said. "Content security policy tools are costly and require a high level of expertise to configure and use. They do an adequate job of filtering content, but alerts are based on documented vulnerabilities and are no match for emerging fraud schemes."
Like Jason Isbell's song, "Maybe it's time," in the 2018 movie A Star is Born, maybe it's time to let the old ways die and find new ways to safely transact on the Internet. Let's look beyond the security lock icon or IP address at the top of a web page. They hardly tell the whole story. Tim Bedard, director of security and product marketing at OneSpan said, "IP addresses are nice, but in this day and age, they can be easily spoofed and bounced around the world several times."
Bedard has seen cases where criminals intercept text messages from banks and spoof mobile phone addresses to respond on behalf of end-users and redirect their funds. Citing Javelin's 2019 Identity Fraud Study, he noted mobile phone account takeovers rose from 380,000 in 2017 to 679,000 in 2018. Additional targets include mortgage accounts, student loans, car loans, and demand deposit and credit card accounts. Across this broad attack surface, cybercrime is accelerating, with year-over-year growth in credit card fraud, he stated.
"We need to look at transactions in real time across digital channels and challenge or provide the precise level of security at the right time," Bedard added. "Ten years ago, credit bureaus provided adequate protections, but their technology is based on static data. If the forms are not updated at the credit bureaus, criminals can easily defeat knowledge-based authentication."
Like the 1984 comedy horror movie, Gremlins, identity theft and online attacks can appear to be playful furry creatures but be devious monsters underneath. With WarnerMedia planning to release an animated Gremlin series this year, it's clear the film's underlying message still resonates with audiences. What do we really know about our ever-present digital assistants and smartphones? If they start to talk back or give questionable driving directions, it may be time for a software update and dynamic security tools.
"Malicious scripts can morph inside a CSP [content security policy] database, and the smallest of changes will defeat the CSP," Ellis said. "This is prompting some companies to implement subresource integrity validation. These tools check content served by third parties and provide a hash of a clean version. Before content is loaded on a site, it is checked against the hash."
The past 18 months of EMV adoption have made it harder for criminals to access card-present environments, Ellis continued. In 2017, 80 percent of the ecommerce sites SecurityMetrics investigated had modified payment pages, reflecting efforts to address a massive uptick in CNP fraud. Describing payment pages as dynamic environments, Ellis said file integrity monitoring tools can deter criminal activities.
"Fraudsters are getting into ad networks and mounting sophisticated attacks," Ellis said. "They create entire ads or fraudulent call centers while injecting malicious code into JavaScript. They build tools and get networks to take their ads. As investigators, we see these attacks firsthand."
Jérôme Segura, head of threat intelligence at Malwarebytes, mentioned criminals use iFrame attacks to inject content in payment forms. Consumers can sometimes spot the attackers if they insert content that doesn't fit into the form. For example, if you minimize a payment page and the content covering the form doesn't resize properly, it could indicate the page has been hacked, he stated.
Segura cautioned consumers to be especially vigilant on small ecommerce sites, as criminals frequently use an override process by asking for payment data at an inappropriate stage of the shopping journey. Criminals also load skimmers from content delivery networks on these sites. If ecommerce platforms load slowly, the sites may have been compromised by malicious scripts.
Skimming originated in the ATM world, where criminals glued ancillary surveillance devices to ATMS to collect data. Similar attacks happen on payment pages, when you're placing an online order and criminals launch a man-in-the-middle attack and steal your information, Segura noted.
"The beauty of skimmers is they operate in your browser, gather data and encrypt it," he said. "A piece of JavaScript will grab the data in real time and exfiltrate it to server. These attacks have been going on for years, but you hear more about them now due to notorious cases and more criminals coming on board."
Credit card companies are good at handling fraud and getting their money back, but your personally identifiable information is a whole other story, Segura commented. When criminals capture your full name, address and email, you can't easily change this information. Having it out there leaves you open to criminal attacks.
A tiny piece of code can alter a form and change a user experience while remaining hidden. Some attacks are purely web-based; others involve injecting malware into browsers. While it's challenging to protect against unseen threats, Malwarebytes is constantly blocking unknown URLs, Segura stated. We can't identify all sites, but we have identified a lot of criminal infrastructure and we continually block malicious scripts, he added.
"Monitor credit card statements right after you shop on a site," he advised. "If something happens, clean it up. Of the hundreds of incidents we see every day, more small platforms are compromised than major ecommerce sites." 
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content development specialist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
