Security controls were often hastily put in place as businesses explored new ways to reach customers. The problem is many of these often fall short of accepted security standards, giving fraudsters the opportunity to target websites directly.

Also known as web skimming, this is when a fraudster embeds a piece of malicious JavaScript code into the payment pages on an e-commerce website, effectively turning a legitimate website into a phishing page. It is like a digital version of ATM fraud, where criminals fit devices to cash machines in order to read the card data.

Web skimming scripts are designed to retrieve customer payment information such as card details. But fraudsters can also target websites to steal customer details and passwords.

It is considered a growing risk because fraudsters do not necessarily need cyber expertise to target a business in this way. If someone wants to buy a web skimming package, there are several dark-net marketplaces focused on the buying and selling of compromised servers.

Our Fraud Threat Intelligence team have observed advancements including: 

• the ability to obscure code to bypass static malware scanners
• hiding scripts in favicon image data to avoid detection
• masquerading fraudster-controlled domains as legitimate services
• impersonating Facebook API pages.

Fraudsters are indiscriminate in the type of business they target. Increased reporting of web skimming campaigns shows that this kind of attack method is growing in popularity. And, as fraudsters are not targeting one specific group of businesses, it makes their next move unpredictable.

There could even be businesses that have been compromised and are unaware. Unlike some virus and malware, which can slow systems down, web skimming can run silently in the background. 

There are several best practice considerations a business can follow to manage their website securely and minimise the risk of these types of attacks.

Guidance includes:

1. Ensure operating systems, network software and antivirus software are updated to the latest version, and use of any outdated systems is discontinued.
2. Hold discussions with your e-commerce platform providers to ensure they are regularly scanning the platform for malicious code, and review website logs for any irregularities.
3. Regularly revise passwords and do not use the same one across multiple accounts.
4. Use multi-factor authentication where possible, in your business and in the customer payment journey.
5. Segregate payment system processing from other network applications to avoid the risk of widespread intrusion, should a breach occur.
6. Use firewalls and employ prevention and detection systems where possible, to monitor for web skimming attacks.
7. Limit network remote access where possible and continue to monitor for unusual activity.
8. Back up your systems regularly and test that they restore correctly.

Search Insights for more articles on protecting your business, such as ‘How to manage cyber risks across your supply chain’