
Payment card skimming reemerges with an online twist

Target released an open-source tool to combat web-skimming earlier this month. Pictured: A sign hangs outside of a Target store on Jan. 13, 2021, in Chicago. (Photo by Scott Olson/Getty Images)

Card skimming predates the mainstream internet and is undergoing a renaissance as financial fraudsters recognize new opportunities to combine physical-world data theft with online intrusion, stealing even more money and information than before.

Just a week ago, it was reported that roughly 500 online retail sites fell prey to a massive "card skimming" campaign, in which bad actors injected malicious code into the sites that copied customers' debit and credit card data as it was entered for payment. In the past, card skimming thieves would insert a physical device into ATMs or payment terminals that hijacked the information off valid customers' payment cards.

Nowadays, with online shopping booming more than ever, these cyber thieves inject malicious JavaScript into the checkout pages of e-commerce sites to collect the card information as shoppers type it in, which they can then resell or use in their own fraud schemes.

Malware and vulnerability detection company Sansec, which works with more than 7,000 online retailers, was one of the first to spot this malicious card skimming activity earlier this month. The vendor recommends cleaning the affected retail sites to root out the malicious code, but experts fear that these cyber-skimmers will simply shift their approach and find "backdoors" through which they can reinsert their skimming code. Magecart, the umbrella name for the cybercriminal groups behind this style of attack, has been at the heart of many of these new card-skimming attacks, as well as other card-not-present fraud schemes, where the card is not physically present at the time of purchase.

Furthermore, this problem could be further exacerbated as mobile phones themselves become card readers. Swipe and dip devices for reading magnetic stripes and payment card chips have long been available as add-ons for mobile devices, making them usable as payment terminals. But Apple announced earlier this month a new "Tap to Pay" feature that will let merchants accept contactless payments from cards and digital wallets on an iPhone without any additional hardware dongle.

But financial institutions, payments companies and retailers who are impacted by these skimming attacks are not taking this lying down. Earlier this month, Target, which has in the past made headlines as the victim of a cyber intrusion, released its own "web-skimming detection tool" as open source, aimed at detecting malicious code that bad actors have inserted to grab payment card information online. The retailer is promoting the technology, dubbed "Merry Maker," as "a proactive defense... to defend against digital skimming," according to the website. The tool has been running as a client-side "scanner" against Target's website for more than three years.

“Merry Maker continually simulates online browsing and completes test transactions to scan for the presence of malicious code,” according to a Target blog post about the release of the open-source tool. “Merry Maker acts like a guest by completing several typical activities including online purchases. While doing so, the tool gathers and analyzes a variety of information including network requests, JavaScript files, and browser activity to determine if there’s any type of unwanted activity.”
