Web skimmers: why are they particularly sneaky and dangerous?

There are a few fairly simple rules that can help you protect both yourself and your money from typical scams while online shopping. Here’s what these boil down to:

• Don’t send money to personal accounts of strangers on the internet;
• Don’t enter your bank card details on suspicious sites;
• Always check the web address carefully before leaving your payment details on a website.

However, not many folks know that their card details can be hijacked even on legitimate websites. This can happen if the page is infected with web skimmers — malicious scripts embedded directly in the website code. That’s what we’ll talk about today.

What are web skimmers?

Web skimmers were named due to their association with hardware skimmers — stealthy devices that carders install on ATMs or payment terminals to steal card details. Skimmers are hard to notice because they look like regular ATM hardware, so unsuspecting users insert or slide their cards, only to share their payment details with the criminals.

Scammers have long realized they don’t have to tinker with hardware and risk being caught at the scene of the crime. The same result can be achieved much more easily, fully remotely, and with less risk, by writing a snippet of code and embedding it into a website, where it will intercept shoppers’ bank card details and send them to the scammers. That code snippet is called a web skimmer.

Cybercriminals look for vulnerable online stores and other websites that accept card payments, hack them, and install their malicious code without the owners’ noticing it. At this point, their job is done — now they just need to consolidate the card details into a database, and sell the database on the dark web to other cybercriminals who specialize in stealing money from bank cards.

Why are web skimmers dangerous?

Three things make web skimmers especially dangerous.

First, they’re invisible to users. From a regular online shopper’s perspective, nothing suspicious takes place. They’re making a purchase on a website that has the right address and no red flags to be seen: it looks and works the way a normal website would. Furthermore, money won’t start disappearing from the victim’s account right away, so it’s difficult, if at all possible, to pinpoint the website where the card was compromised.

Second, web skimmers aren’t too easy to detect — even by website owners. This presents more of a problem to smaller online stores, which might not have a full-time IT specialist, let alone a cybersecurity expert. But even large online retailers may find that that thoroughly checking their own sites for web skimmers is a challenge that requires fairly exotic skills and tools.

Third, victims are hard pressed to link a theft to a specific store, so it’s highly unlikely anyone would come forward with a complaint. Few owners would undertake the complex and costly task of scanning their website for skimmers (which would require hiring a professional) just to be on the safe side.

How widespread is the web skimmer threat?

In a recent study, cybersecurity experts delved into the web-skimmer situation as it stands today. The study analyzed a malicious campaign that’s likely linked to the Magecart cybercrime syndicate, which specializes in web skimmers. The key discoveries were:

• Whereas originally web skimmers were implanted only into online stores powered by Magento, the range of compromised platforms became wider. Cybercriminals are now capable of infecting stores that run on Shopify and WordPress with plugins for accepting payments (in particular, with WooCommerce).
• To make it difficult to detect a web-skimmer on an infected site, the creators of the implants deliberately make them look like legitimate code of such services as Facebook Pixel, Google Analytics or Google Tag Manager.
• One of the latest tricks employed by the hackers who are behind the campaign is to use compromised websites as command-and-control (C&C) servers to manage web skimmers implanted into other sites and exfiltrate stolen payment information. This is how they remain undetected: implanted web skimmers talking to legitimate websites doesn’t look suspicious.
• Websites that were found to be infected with web skimmers included fairly large online stores serving hundreds of thousands customers every month.
• Statistically speaking, the researchers discovered close to 10,000 websites that contained web skimmers in 2022. A quarter of those were still infected as at the end of the year, suggesting that a web skimmer implant can remain on a compromised website for months if not years.

Protecting yourself from web skimmers

Our security solution will help you secure the online payment process. It employs Safe Browsing technology, which scans all web traffic objects for both known and unknown threats at the moment you click on the link. If it detects a web skimmer in the HTML code or a script file, our product warns you about malware presence and prevents the dangerous page from loading.