
Online skimming hammers restaurant payment platforms as attacker base widens

Magecart campaigns recently struck the online point-of-sale and ordering platforms for more than 300 restaurants, according to threat researchers for Recorded Future. (Photo by Sarah Silbiger/Getty Images)

Magecart campaigns, the major scamps of online skimming, have emerged yet again, this time exposing internet-based transactions at more than 300 restaurants. The incident suggests that this form of digital payments attack is likely to rise as online buying increases and the pool of perpetrators widens.

At least two “separate, on-going Magecart campaigns have injected e-skimmer scripts into the online ordering portals of restaurants using three separate platforms, MenuDrive, Harbortouch, and InTouchPOS,” according to a July 18 post by Insikt Group, the threat research division for Recorded Future. These online “point-of-sale” and ordering platforms handle payments for thousands of e-commerce businesses, including hundreds of small and local restaurants and take-out food deliveries. Researchers estimated that at least 311 restaurants were recently “infected with Magecart e-skimmers, a number that is likely to grow with additional analysis,” according to Insikt Group’s post.

“This Magecart attack against 300 U.S. restaurants is yet another example of the persistent challenges e-commerce companies face when securing their sites,” said Kim DeCarlis, chief marketing officer at cybersecurity company PerimeterX. “Sophisticated attackers understand that websites are comprised of a supply chain of code, many from third or Nth parties, and will continue to seek out ways to steal credit card information by planting onsite skimmers and abusing vulnerable code.”

The traditional card skimmer has plagued the financial and payments industries for decades — since long before e-commerce took off. In real-world card skimming, financial fraudsters connect an overlay to physical card readers at ATMs or point-of-sale terminals. When an unsuspecting cardholder swipes or dips their credit or debit card, the fake reader collects all the payments data and the PIN code, which thieves then use to make their own fraudulent purchases or sell on the dark web. In recent years, online skimming has emerged as an even greater threat, especially as online buying has skyrocketed in the wake of COVID, retail store closures, and expanded internet payment options.

Credit card skimming transforms in digital age

Much like their real-world card-skimming counterparts, online skimming groups like the ones behind Magecart “infect e-commerce websites with e-skimmers to steal online shoppers’ payment card data, billing information, and personally identifiable information (PII),” per Insikt Group’s post. Online skimmers have been around since the early 2000s, and the so-called “Magecart” coalition of threat actors, which has focused largely on online payment skimming, was first spotted at least six years ago.

According to Erfan Shadabi, cybersecurity expert with data security firm comforte AG, attacking food delivery services — or, more accurately, their online payments providers and transaction platforms — has become an increasingly “common trend” for cyber-skimmers.

“Digital credit skimming has undergone a significant transformation since researchers first started tracking the phenomenon in the early twenty aughts,” according to a May blog post by RiskIQ, which noted how the market for these threat actors has expanded greatly.

“Once, skimming was a space ruled by a handful of highly skilled groups that carefully chose and hit their targets, manipulating JavaScript on websites to steal customers' credit card info, often to sell on the black market,” the RiskIQ research found. “Today, it's a much more inclusive group packed with cybercriminals that take advantage of cheap, widely available, and easy-to-use skimmers.”

Data-centric protection needed to guard against skimming

Shadabi said, “Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem [including] PII, financial, and transactional data, as soon as it enters the environment and keep it protected even as employees work with that data.”

By “tokenizing any PII or transactional data,” payments platforms can protect sensitive information and preserve the original data format, “making it easier for business applications to support tokenized data within their workflows,” Shadabi added. “They also need to revisit their enterprise backup and recovery tactics to ensure that they can quickly recover if hackers are able to get into their environment and encrypt their enterprise data.”

These online skimming attacks represent yet “another example of the web attack lifecycle: the cyclical and continuous nature of cyberattacks, where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing or account take over attacks on another site,” according to DeCarlis.

Given the risks of Magecart and digital supply chain attacks in general, DeCarlis also recommended that e-commerce companies, such as restaurants, food delivery companies and their payments providers “deploy multi-layered solutions that help protect users’ account and identity information everywhere along their digital journey.”
