Willem De Groot, co-founder and head of security at Dutch e-commerce site byte.nl, found 5,925 compromised online shopping sites by scanning for the a specific data-stealing code injected by cyber criminals into website software, a technique known as skimming.
Online skimming is just like physical skimming, wrote De Groot in his blog. ‘Your card details are stolen so that other people can spend your money.
How does it work?
Skimming is an increasingly popular criminal technique.
Once hackers have gained access to an online website’s ‘source code’, by exploiting software vulnerabilities, they have control.
‘This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.
It is tempting to call this new ‘fade’ the perfect crime, because it is incredibly hard to detect and near-impossible to tracks the thieves.
The first case of online skimming was reported in November 2015. The malicious code is the new kid on the block.
Once this case was report De Groot analysed a sample of 255,000 global online stores and found 3,501 were skimmed, without the online store’s knowledge.
Since then the code’s presence has increased significantly.
De Groot made a table of the number of online stores effected since the code’s detection in November last year.
Victims vary, according to De Groot, from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).
Hard to detect
Today, there are at least 9 varieties of skimming code, suggesting a number of cyber crime groups are involved, and 754 stores that are currently being skimmed, were already skimming in 2015.
‘One reason,’ wrote De Groot, ‘that many hacks go unnoticed is the amount of effort spent on obfuscating the malware code.’
>See also: How does advanced malware act like AI?
De Groot provides a visual example of the malware being disguised as UPS code:
‘New cases could be stopped right away if store owners would upgrade their software regularly,’ wrote De Groot. ‘But this is costly and most merchants don’t bother.’
“I would recommend consumers to only enter their payment details on sites of known payment providers such as Paypal,” he told the BBC. “They have hundreds of people working on security, the average store probably has none.”