How to Protect & Recover Your Online Store from Payment Information Breaches
Warning: Increasing Threat of Payment Information Theft
On August 1, 2019, the PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC issued a joint bulletin calling for urgent awareness of, and attention to, the emerging threat of online skimming.
These attacks can hit businesses both large and small. Everyone needs to understand they are a target and they need to have a plan to protect their data.
Troy Leach, CTO of the PCI SSC
Magecart attacks peaked in mid-2019, leading the PCI SSC and RH-ISAC to issue the “Joint Bulletin on Threat of Online Skimming to Payment Security” right after the July attack that breached customer payment information from 17,000 websites using Amazon cloud services. Carlos Kizzee, VP of Intelligence at RH-ISAC, said that the bulletin they issued “… should be a call to action to those in the business community to enhance their awareness of and vigilance against these techniques. No one should presume that they couldn’t or won’t be used to target their enterprise.”
Despite the seriousness of the threat, online merchants and ecommerce software providers continue to neglect the measures needed to protect online shoppers’ credit card information. Fresh evidence of that is the recent breach of customer payment information from 10,000 online stores hosted by Volusion, a shopping cart software provider in Austin, TX. The incident broke in the news in early October and has since become known in the media as the “Volusion October 8th incident” or the “Volusion security breach”.
How Magecart Skimming Works
“Skimming” is a complex crime, so to make it clear from the outset: the end goal of a skimming attack is to steal money from online shoppers whose payment card information has been compromised.
Now, to break it down:
- Attackers scan the internet for vulnerable ecommerce websites running outdated software with third-party scripts that load on the checkout page. Injecting malicious code into one of these scripts then becomes the main focus of the attack.
- To inject malicious code into a third-party script, attackers use a variety of techniques, including credential phishing and software that executes numerous automated login attempts.
- Once the script is injected, it starts to steal the payment information typed into the checkout form, including the credit card number, CVV, cardholder name, billing address and expiration date.
- Once the information is harvested, it is sold on the black market to other criminal groups who use it in fraudulent transactions and in other ways of withdrawing funds from cardholders’ accounts. More rarely, the initial attackers use the stolen information to defraud their victims directly.
Volusion Ecommerce Platform Breached, Thousands of Online Stores Compromised
On October 8th, 2019 it was made public that a group of hackers had collected online shoppers’ payment card details from about 10,000 online stores that use Volusion shopping cart software. Third parties confirmed that the malicious code was found directly on at least 6,500 websites. However, the actual number is much higher and may account for over 10,000 stores that currently use the compromised version of the software.
The injection allowed the malicious code to access the payment card information of tens or possibly hundreds of thousands of customers who shopped on websites using Volusion’s software during the window of injection. Stolen data was sent in real time to the volusion-cdn.com server, which the hackers had registered on September 7th. However, the actual attack started around September 28th-29th and lasted for at least 10 days until its discovery by third parties on October 8th. With some larger Volusion stores receiving payments from about 50-150 transactions a day, the number of credit cards stolen from each store may vary from dozens to over a thousand during that period. The estimated number of all compromised payment cards is in the range of 100,000 to 500,000.
There are a few versions of how the malicious code was discovered and by whom. The least likely version is that it was found by an independent shopper who looked into the code of the checkout page on one of the stores using Volusion software.
According to another version, which is more likely to be true, it was the Google Ads team that discovered the malware on stores that use Google’s pay-per-click advertising services. The ads were disabled and the stores were notified of the problem. Unable to solve the issue on their own, businesses started calling Volusion’s support. By the time Volusion started its investigation, information about the incident was already in the news.
Whichever version is true, one thing is obvious: the software provider was not aware of the breach, owing to weak control over the platform’s infrastructure and the lack of effective security monitoring practices. All things being equal, if not for the alertness of a third party, the breach would not have been discovered internally, and thousands of new credit cards would have been compromised every day.
The hackers’ choice of the Volusion software as their target does not seem to be a mere coincidence. To shed some light on the background of the Volusion security breach: the company had experienced quite a number of sharp turns in previous years, including a migration to Google Cloud that loosened control over its infrastructure. The number of Volusion-hosted online stores has been rapidly declining over the last few years due to ongoing customer dissatisfaction over the lack of features, checkout problems, hidden fees and other concerns. Around 2015 the company made a few attempts to save the situation by starting a couple of unsuccessful projects that steered its focus away from the main product. It had to abandon one of the projects, accompanied by major layoffs and financial losses, and tried to revive the other by rebranding it as a modernized version of the Volusion shopping cart, namely V2. The original software used by the majority of Volusion’s clients, referred to as V1, has not received much development throughout all these years, while the V2 project has not come anywhere close to the older version in features and capabilities. The decreased control over the infrastructure, the lack of software security monitoring and the large volume of transactions processed by merchants became the main reasons for hackers choosing the Volusion software as their target.
Due to the volume of breached data, the incident may become catastrophic for involved businesses as they deal with its aftermath.
What Can and Should You Do as a Business Whose Customer Data Has Been Breached?
Before we dive deep into what you, as a business that uses a third-party ecommerce software provider, need to do to protect yourself and your customers in a data breach incident, we need to make two important distinctions:
- Data breach detection is only the beginning. When payment information skimming is detected and patched by your software vendor, that neither mitigates the damage already caused by the breach nor automatically prevents credit card information from being stolen in the future.
One thing is clear: Volusion, the breached stores, their customers and the banks that issued the compromised cards are doomed to expensive and protracted litigation with numerous counter and cross claims.
Ilia Kolochenko, Founder and CEO of ImmuniWeb
Getting back to Volusion’s case: despite Volusion’s spokesperson stating that the incident was resolved within a few hours of notification, that only means they stopped an ongoing data leak that had lasted for a period of time. Nothing has been resolved as far as the future repercussions of the incident are concerned.
The breached data is yet to be used after its release on the black market. That means thousands of fraudulent credit card transactions linked to the incident are to be expected in the near future.
Timely detection can, of course, minimize the number of stolen credit cards and, hence, the scale of the problems you would have to deal with, but this only applies to a very short period of time. When the breach is detected after a relatively long time frame, as in Volusion’s case, where skimming lasted for a record-breaking 10 days, things can become very unpredictable and fatal due to the volume of stolen data.
- As a business, you are a liable party. The second distinction is that, legally, when a data breach occurs on your website, it is your customers who become the victims of the skimming cybercrime, not your business.
Technically, payment information submitted by your customers in real time is considered to be in the possession of your business and, if stolen, it is considered to have been stolen from your website.
Regulations make it clear that your use of third-party software does not waive your liability and responsibility for taking appropriate measures to prevent the theft.
So you, as a business, and your software provider are both liable parties that have to take all reasonable measures at your disposal to mitigate the risk of your customers’ payment information being used by fraudsters to withdraw funds from their accounts.
Whether you use your own systems and servers or third-party shopping cart software, it is your direct responsibility to keep your customers’ payment information protected. Once unauthorized parties start using the stolen information, it will lead to financial losses that may become subject to reimbursement by your business.
The following steps are crucial to protect your business from financial reimbursements, costly litigation and losing the business:
1. Immediately Notify Your Customers
First and foremost, you need to let your customers know immediately that their data has been stolen. In the U.S., most states have already enacted breach-notification statutes that make notification mandatory for businesses and third-party agents. For specific state regulations refer to this guide.
Legal requirements are not the only reason to notify your customers. To prevent and minimize future financial losses, you need to urge your customers to contact their bank or credit card company to cancel the card.
Don’t rely on your shopping cart provider to do it, because they never will, and you will get into more trouble if you procrastinate. They are required to let you know about the incident, but from that moment on you are left to yourself, since it is your customers, not theirs, whose data was breached. Also, don’t hope that the payment information will not be used to steal your customers’ money in the future. According to ImmuniWeb, one out of five customers whose data has been stolen has experienced a financial loss.
The actionable steps you need to take are:
- Ask your shopping cart provider to determine the exact date and time when the breach started and ended.
- Make a list of customers who placed orders on your website during that time frame.
- Research your country or state legislation for data breach notification liability.
- Create and send a breach notification letter to all customers from the list.
For more detailed information and a notification letter template, download the free Data Breach Response Guide for Business:
2. Implement Security Monitoring Measures
The fact that your shopping cart software provider failed to monitor the software for unauthorized changes and to prevent information theft does not waive your responsibility to take appropriate security measures yourself.
When running an ecommerce business you should take care of both internal data security and the security of third-party ecommerce solutions. Services like SiteLock offer comprehensive tools that actively monitor the checkout process, alert you to malicious activity and prevent it from breaching confidential customer information. When considering installing monitoring software, you need to act fast. Remember that one in five stores is usually re-infected within a short time frame. Monitoring your website is key to stopping skimming attacks in the future.
Such attacks will continue unabated until a majority of website owners focus on monitoring third-party code execution on their sites.
Deepak Patel, VP Product Marketing at PerimeterX
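A minimal version of such checkout-page monitoring, as an added example that is not the article’s, SiteLock’s or Volusion’s own code: it parses the checkout page, compares every external script host and every inline script hash against a baseline you approved earlier, and flags exactly the kind of injected script described above (a new host such as the attacker-registered volusion-cdn.com, or a new inline block). The store hosts and the sample page are constructed for the example; in practice the page would be fetched from the live store on a schedule.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def inline_hash(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()  # hash of inline script body

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.add(inline_hash("".join(self._buf)))
            self._buf = None

def audit_checkout_page(html, baseline_hosts, baseline_inline):
    """Return script hosts not in the baseline and inline scripts with a new hash."""
    p = ScriptCollector()
    p.feed(html)
    hosts = {urlparse(s).netloc.lower() or "(same-origin)" for s in p.external}
    return {"unknown_hosts": sorted(hosts - set(baseline_hosts)),
            "new_inline": sorted(p.inline - set(baseline_inline))}

# Constructed sample (hypothetical store hosts). The fourth <script> mirrors
# the injection that reported to the attacker-registered volusion-cdn.com.
BASELINE_HOSTS = ["(same-origin)", "cdn.example-store.com"]
BASELINE_INLINE = [inline_hash("window.checkoutConfig = {};")]
SAMPLE_HTML = """<html><head>
<script src="/js/cart.js"></script>
<script src="https://cdn.example-store.com/checkout.js"></script>
<script>window.checkoutConfig = {};</script>
<script src="https://volusion-cdn.com/analytics.js"></script>
<script>var injected = true;</script>
</head><body><form id="checkout"></form></body></html>"""
```

Running audit_checkout_page(SAMPLE_HTML, BASELINE_HOSTS, BASELINE_INLINE) reports volusion-cdn.com as an unknown host and the hash of the second inline block as new; any non-empty result is the signal to alert on.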
3. Do Your Due Diligence & Re-Platform
It is rarely a coincidence that attackers hack particular websites. To choose their targets, they use automated software to scan the internet for websites running outdated and poorly monitored software. In Volusion’s case, the attack went unnoticed by their IT security team for at least 10 days, until they were notified by external sources.
As an online business using third-party ecommerce software, you should choose and treat your software provider as you would any other vendor or supplier who gains access to your clients’ personal information. In doing so, never skip due diligence: look for unbiased online reviews and research your prospect’s reputation history.
If you can’t estimate future security risks directly, do not cut corners: look for indirect cues, like decreasing market share, layoffs, customer complaints and negative reviews. In the case reviewed here, ongoing reputation issues had been a call to action for a large number of online retailers, who abandoned the company’s services and migrated to other platforms months and years prior to the incident.
If you have decided on re-platforming, here is our recommended list of top online store builders that provide appropriate levels of data protection.
If customer payment information has been breached from your website and you haven’t taken any proactive measures, act promptly using these guidelines. The longer you wait, the costlier it will be.
Please leave your comments below and share the article on social media.