How to Prevent Formjacking and Ecommerce Skimming

Listen to learn about what formjacking/ecommerce skimming is and what to do if your data is being skimmed.

SecurityMetrics Podcast | 3


In this episode, Aaron Willis (Forensic Analyst, CISSP, PFI) sits down with Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) to discuss:

  • What is formjacking/ecommerce skimming?
  • Tools to use to prevent and avoid formjacking/ecommerce skimming
  • Solutions on how to detect and track skimmers
  • What to do if your data is being skimmed

Learn more at SecurityMetrics.com/webpage-integrity-monitoring

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of How to Prevent Formjacking and Ecommerce Skimming

Hello, and welcome back to Security Slopes.

We are excited to bring you another podcast here from the Utah area.

Super excited today to introduce you to Aaron Willis. Aaron, thank you for being here. Do you wanna give people a little bit of background on who you are and what your background is in the security field?

Oh, sure. Thanks, Jen. It's good to be here with you.

I started in a data analytics career, seems like forever ago.

But I've owned my own company.

I've done all kinds of programming, web design, web programming.

And then I started doing digital forensics about ten years ago.

Wow. So that's a lot of time in that career.

Yeah. I actually got my master's degree in digital forensics as well.

Oh, awesome.

And I teach digital forensics over at the local university here.

Very, very cool. So you are the perfect guy to talk about this topic with.

It's ecommerce skimming. You know, this thing has so many names, and it's hard to settle on a specific name. I know that we're calling it ecommerce skimming because of the impact that it's having on the credit card industry and our ties with PCI compliance here at SecurityMetrics.

But, I mean, it has a lot of other names as well. I kinda wanted to go over some of them in case people know about ecommerce skimming from a different name. So we've got, I wrote them down because there's a lot.

Formjacking. Yeah.

Redirects, keylogging.

Magecart attacks is a common one.

So, well, we'll get into more about what it does, but maybe give me an overview of what this ecommerce skimming is.

Well, ecommerce skimming, we kinda need to back up a little bit. In the forensics world, especially in the credit card fraud area where we're trying to prevent attackers from going in and stealing consumers' credit card data, we really have to look at the point of sale environment first. That's where a lot of this started, in point of sale, where attackers would go in and place a little device, a little card reader, next to a card swipe machine so that when you swipe your card, it would take that magnetic data and capture it either to a file or send it off to a server somewhere.

And that was called card skimming.

And it still happens, but it's not Oh, yeah. We're not seeing the impact for the physical, you know, the point of sale skimming, that we're seeing in the online sales now. So we're calling it online sales skimming because it's kind of the same type of thing. They're stealing your credit card information at the point of sale, but it's online now.

Yeah. The attackers took that idea of stealing the card swipe using a skimmer, and they went online with it. They digitized it. You know, when you're at a card-not-present transaction, you're not swiping your credit card anymore. You're typing that number in.

Right.

And so there are numerous ways that attackers are going about skimming that data now. And it's very similar to them sticking a card reader somewhere to capture that data. But instead of a physical device, they've gotta basically inject some code somewhere, and we'll talk more about that. But they're gonna inject some code somewhere, either on a server or on a client, that's going to harvest that card data either as it's typed in, right on the client's computer, or back on the server, or in any one of the third parties along the way.

Right. And I'm just gonna clarify for a second, because we have a lot of listeners who don't take credit card payments. And so they might be wondering, like, why does this apply to them? And here's why it's important.

Anytime you're typing something into a field on a website, like with these credit cards, you could also have other critical sensitive information, like health care data, like your name and your phone number and your address, like your Social Security number. Anytime you have sensitive information that needs to be protected and is being typed into a website, the same things we're gonna talk about today with Aaron in relation to the credit card industry can also be used to take your sensitive information that is not credit card related. So I hope that helps clarify why this is actually important across the board and not just to people taking credit cards.

So, alright.

Yeah. I mean, who doesn't do online banking these days?

Right?

We see malware scripts being put anywhere where they can grab credentials to log in to any sensitive website, whether that be online banking or your medical records, or even just basic business sites where they can go in and compromise things and inject any type of malware. You know, ransomware is a big thing right now.

Oh, for sure.

If they can put a skimmer anywhere and grab any kind of data that allows them to profit from it, they're going to do it.

Right. And I don't want people to freak out this early because it sounds pretty dire, but there's things that we can do about it. That's one of the things we're gonna talk about today with Aaron: how to recognize it, what it is, and then also what you can do about it. So, one of the big reasons that this is on the rise for retail websites is that's where people increasingly are going to purchase, especially now.

Online purchases are just going to be going through the roof even more than they already were.

Yeah, we really saw an increase in ecommerce skimming about the time we started implementing the EMV chips in the point of sale environment.

That really was effective in the point of sale. We saw a decline in the amount of card skimming going on in retail environments, and the new low-hanging fruit was ecommerce environments.

Sure.

Sure. And the attackers are always gonna go after the low-hanging fruit.

So a combination of more purchases online, plus it's easier for them to get the information online rather than point of sale, is really why we're seeing an increase in these attacks, I think.

Absolutely.

So if we look at why it's such a problem, I think part of it is it's hard to detect. So as a security analyst, one of the things I'm supposed to do, and it's super hard, is look at the code on a page, and it's hard because there's so much freaking code on every single page. Right? So as a security analyst, I'm supposed to go in and take a look at that and say, hey, does anything look malicious?

It doesn't usually look malicious, and it's hard to find. So maybe you could talk about why it's hard to find.

Well, if you think about it, in the point of sale environment, you're locked down to a specific terminal, and we've had decades of experience in locking down those point of sale terminals. Right? And in the PCI world, there's a whole bunch of regulations that protect that point of sale terminal.

Things that have to be in place, layers of security wrapped around that.

In the ecommerce world, it's a lot more sophisticated on that back end piece.

There's all kinds of third party scripts that are doing things like business analytics, advertising networks, and these third party scripts, in that environment, have a great ROI for the merchant that's using them. However, it increases the surface area that attackers have available to them to attack. I mean, if you think about it, a shopping cart, especially if it's an open source cart like Magento or any of the other big carts out there, the attackers have all the code for that shopping cart. And so if you shut down one attack, there's gonna be five more behind it.

Oh, because they can kind of automate it and commodify the attack because of the open source things that everybody is using.

You know, they're always looking for any exploits that they can find.

They're always running reconnaissance scripts. You know, if you put a computer out on the Internet and just watch what hits it, you're gonna start seeing bot traffic hitting it over and over again. And they're just looking for any opportunistic things they can take advantage of. And if it's a shopping cart, they're really excited because they know there's a good chance that credit card data might be going through that shopping cart. Right. So if they can find an open port or a field that is not being sanitized properly, even getting into some really sophisticated types of cross site scripting attacks, they can find and detect those often very, very quickly. Sometimes sites can be exploited within minutes of a breach being announced.

And we're seeing in the news, there's some pretty highly visible companies that have had these types of attacks that have really impacted them.

We see them almost every day. I think one of the security companies said four thousand websites a day were getting hit.

Wow.

That's a pretty massive amount. So, thinking about some of the tools that we have already in place that prevent a lot of malicious activity, you'd think, do we not already have the tools to be able to combat this?

So maybe I'll tell you a tool.

Pop quiz.

I'll tell you a tool, and you tell me why it's either unsuccessful or only partly successful in finding these types of attacks. Start with FIM, which is file integrity monitoring. So, FIM is that thing that tells you if a file has changed, and the FIM tool will send you an alert when that happens. So why is that not telling us about JavaScript skimming or ecommerce skimming?

Well, FIM is a vital tool, but it's not the only tool. It's just one layer of security. And FIM, if it's properly installed and running correctly, is absolutely wonderful at telling you if a page in your shopping cart or in your card data environment has changed.

But you also have to have people watching those alerts.

Right.

Too many times with FIM, we see that it's working and it's alerting, but it's going to an email address that's not being checked.

There's five thousand alerts in there that nobody's paid attention to.

Yeah.

So nobody's watching.

It's not completely passive. It has to have somebody monitoring it.

Right.

And, you know, it is great when it's being used correctly.

However, the attackers know that, and it's moved them away from areas that are being protected by FIM. You know, when you configure file integrity monitoring, you have to tell FIM to look at certain pages, not look at other pages, and it can't protect what it can't see.

Right.

And so the attackers have moved their attacks into areas that FIM just has no ability to protect, something like a database that is always changing.

Right.

You know, it's very difficult to run something like file integrity monitoring on a database that's changing every single second.

Or third party scripts.

Or third party scripts.

It can't even tell you if those have changed because it's not even under the control of your FIM tool. So okay. Great. How about vulnerability scanning?

Well, vulnerability scanning, again, it's another essential tool.

Merchants need to be running vulnerability scans.

But that's, again, just one aspect of security, one additional layer.

A vulnerability scan has no ability, though, to actually drill down into a shopping cart and click on a product and put that product in the cart and go to the checkout page and click on the CVV field and put those numbers in. The attackers are taking advantage of those actions that consumers are doing.

For example, when they put in a CVV number, they might have a little script running there that hides, where the malware is completely hidden until that action happens, where the consumer finishes putting in the CVV number on the checkout process.

At that point, the attackers know they've got a full set of card data, including the customer's name, address, email, and the credit card number, the expiration date, and the CVV.

At that point, the malware is triggered. It launches, runs, grabs everything, sends the credit card data out to the card site, and then it goes dormant again, waiting for the next customer to come along.

An ASV scan has no ability to get down into those shopping carts and perform those actions that are gonna trigger that malware, so that it can be seen and detected.

Okay. So a couple of great and really vital tools, but they have blind spots in terms of this type of attack.

Exactly.

So, what about antivirus? Is that of any use in detecting this?

Antivirus is, again, another really effective tool for certain types of things.

But, again, a lot of these websites are running on Linux systems. There's not a whole lot of options out there for Linux antivirus. There are a few, but we see merchants all the time that just say, oh, I'm running on a Linux system, not really prone to viruses.

And so they don't have it installed on the web server.

But again, if the malware is running in a third party or running in a database, if it's running somewhere that the antivirus can't see, it's got the same problem that FIM has. Right?

Right.

If it can't see it, it can't detect it.

Detect it. Okay.

And a lot of times these scripts are not operating on the server. They may not even exist on the server. They may exist in some content delivery network, a CDN, that's being used. And so, again, antivirus is essential.

It should be used. And we want everybody to be using it. But antivirus is probably not gonna see a lot of these ecommerce skimming things just because they're not running where the antivirus can detect it. It is effective sometimes if a customer is running it on their personal computer when they're doing their online shopping.

A lot of the good ones can detect connections to known bad sites.

Okay.

So if you're typing in your credit card number and your antivirus has an Internet protection suite and it sees a connection going out to a known bad site, it might be able to stop that. You know, we have seen antivirus protect an individual customer. But, again, the merchant doesn't get an alert that they've got a problem. The customer may or may not know what to do with that alert. They may say, well, that's nice, but I still wanna buy this product.

Right.

And so they continue with the transaction.

You know, cards can still be lost that way. So even as effective as antivirus can be if it's used properly, it's running in another blind spot.

Okay. So I'm enjoying this pop quiz so much. I'm gonna ask you one more.

Okay.

And that is, what about client side certificates?

Client side certificates, again, are a very useful tool in protecting the connection between the merchant, the servers, and the customer's computer.

You know, making sure that that transaction is operating in a secure tunnel.

But it's kind of like locking your doors, but the attacker's already in your house.

Oh, okay.

So if the attacker's already there, it's not all that great if you've got great encryption in place, because they're part of the whole process.

Right. So their malicious activity is also encrypted and secure. Alright.

That's probably another helpful nice security.

So, you know, they can be helpful. And, again, we love it. We love to see when merchants are using client side certificates. It's a great additional layer of security to put on there, but it's not directly combating skimming.

Okay. So, we kind of know some common tools people are familiar with and why they aren't entirely successful in taking care of this issue.

Maybe this is a good time to talk about how it works. Like, how does JavaScript skimming, ecommerce skimming, how does it happen? When you go and look at it, what do you see?

Well, it depends on how the attackers are operating.

If they have a connection to the merchant's web server, if credentials have been compromised, they can go in and just put some programming code directly on the web page itself, and they can capture that data as it's posted back from the customer, capture that form post. All that credit card data gets captured, and nobody knows about it. The merchant still gets paid. The customer still gets their order.

Everybody's happy. The customer's happy, the merchant's happy, the attacker is happy.

We don't want the attacker to be happy.

No.

No. We don't.

But, you know, if they've got that kind of access, they can even go in and whitelist a checkout page so that FIM is no longer monitoring it. We've seen that happen.

Oh, wow.

So if they've got access to the server, they can put code in anywhere they want. If they've got access, maybe not to the web server, maybe they've found an exploit into the database server.

They can go and look and say, well, is the shopping cart pulling any code from the database anywhere? A lot of these shopping carts have lots of code stored in the database.

You know, we've seen JavaScript skimmers stuck in places like the drop-down lists that populate the states or a country drop-down box.

The attackers will go in there and say, oh, look. This is getting included on the checkout page. We'll just go ahead and stick our skimming script right in here.

Now when that renders on the browser, you don't see the JavaScript. It's hidden.

And so nobody knows that anything is wrong. The page still looks exactly like it's supposed to. It operates just like it's supposed to. It's just got a little something extra on the side.

An extra, but not good extra.

Nothing you want.

So, usually, by the time something gets to you and a company knows that they've been losing credit card data, what is your process to find it? And how long has it usually been in place by the time you are able to identify it so that they can correct it?

Well, I just got done with one case where the malware had been operating since February of 2017.

Oh, wow.

And they didn't learn about it till the middle of last year.

And so the malware had been operating for a long time. The attackers had set up multiple footholds, multiple backdoors, and it really turned into a game of whack-a-mole.

You know, we would find one problem, try to fix it, and then all of a sudden a different type of malware would pop up in another location stealing credit card data. We'd go shut that one down.

And we played with that for quite a few months before we were finally able to figure out the root cause Oh. of how the attacker was getting in. And in that case, it was a server that we didn't know anything about.

It was a development server that everybody thought was offline.

Oh, but it was not. It was still communicating.

It was not.

It was not. It wasn't in any of the network diagrams that we received.

The merchant hadn't mentioned it. It was kind of, oh, that old thing.

Wow. But it still had its Internet plugged in and it was still there. Yeah. And it was far behind on all of its patches, all the security updates.

And so we were focused on the web servers, doing our best to try to figure out how they were getting in and patching everything, updating everything, making sure the exterior perimeter was as hardened as could be, not realizing that it was coming in from an internal source.

From a server that wasn't even being considered because you didn't know about it, and they thought it didn't matter. And I think when I go in as an assessor, that's one of the biggest challenges that I face: making sure that scope is correct and that everything's been included. I think I might annoy some of my customers a little because I always say, are you sure? Can we find out for sure? Can you prove it to me, when we're trying to find out what is actually in scope and what is connected to what?

For that reason, it's really important. And so you gotta keep digging at it. Even as organizations look at their own scoping so that they can do their own hardening and the security work that they need to do, really questioning what systems exist and what can communicate with what so that the scope is correct.

So thanks for painting all that.

It was easier for us in a point of sale environment where we could physically go on-site and look at the network and see what was there.

Mhmm.

But now we're talking about, you know, often a virtualized environment Right.

Where you're not allowed into the data center. Nobody's seen these servers anywhere.

Mhmm.

And you might have just a virtual server sitting out in la-la land that's not showing up anywhere. And so you have to be extremely careful to make sure, if something's been deprecated, that somebody unplugged that Internet connection.

Finished the deprecation completely.

Yeah. Well, thank you for painting all that bad news for us, Aaron. Can we now switch to the part where we can fix some things? Because I know that you were very instrumental in SecurityMetrics' development of some of its tools. They're called the WIM solutions.

And so maybe you can talk a little bit about how we are approaching that for our customers in order to help detect and shut down some of these problems.

Yeah. Let me give you some background on it. WIM stands for Web Integrity Monitoring.

And we started running into the scammers several years ago, and they were getting prominent.

In our standard practice, when we'd have a merchant come to us that had an issue, we would go image their web server. That's going and grabbing an exact copy of the web server.

And then we bring it into the lab. We tear it apart, look under every rock trying to find where the malware was, check through unallocated space, see if any backdoors had been hidden.

A couple years ago, we got a case where they were just bleeding lots and lots of card data, and we could not... we looked everywhere. We spent months. I mean, almost line by line going through their code, checking to make sure every input field was sanitized, that they were using multifactor authentication, running antivirus, just everything.

And they were doing it all right. You know? They had everything in place.

We could not find any problems in their code. We couldn't find any malware.

And then I decided I would go out and look at the HTML, the rendered code, at the moment of checkout.

Oh, okay.

And so I was acting just like a customer, using a test card, going in, typing in a test order, putting products in the shopping cart, getting right to that point of checkout, typing in the credit card data, and then I noticed that something happened in the JavaScript on that page that I was watching.

Oh, something changed that you were not expecting to change based on the activities that you were doing?

Yes. And I saw that, and I went back and looked at what was on the web server versus what was delivered in the browser, and realized I was looking at two different pieces of code.

Oh, interesting. Okay.

And so we were spinning our wheels looking at the web server because the malicious code wasn't on the web server.

Interesting.

It wasn't in their database server. This was something getting included from a compromised third party.

Okay. So how does that work?

Well, they had some analytics scripts running on the back end that were providing some great data about when customers would abandon their shopping carts.

Okay. That seems like pretty common analytics.

Oh, sure. And, I mean, who wouldn't wanna know when your customer abandoned the shopping cart?

That's great data for any merchant to know.

But that company that was providing that script had been compromised, and the code that they were sending out, not just to this merchant but to a whole bunch of different merchants, had been compromised, and attackers were able to just insert one tiny little line of code that would only trigger when the customer would type in their credit card number and get to that CVV field.

So it wouldn't even show up until they had clicked into the CVV field?

Exactly.

Wow. Okay.

And so, if that activity didn't happen, the JavaScript would never trigger that would allow that malware code to show up.

Wow. Okay. So then what?

Once we realized that, we realized that it was no longer sufficient just to go look at the web server to see if somebody had injected some PHP code onto the checkout page.

Because this was a pure JavaScript exploit Okay. where the JavaScript was coming from a third party. It was not on the merchant server. Their security was actually fine as far as their environment.

But that third party environment had the breach, and that's how the attackers got in. And then everybody started seeing these roughly around the same time.

And so we realized that we can't just look at the web server anymore. We have to look at the code as it's rendered in the browser.

Ah, okay.

And I have to go through and start doing those actions, or simulating those actions, just like a customer going through and putting data into that checkout page.

Okay.

And so we actually got a patent on our process.

Oh.

We're able to go through and simulate that checkout process.

And in our process, we're watching for those changes that happen to the document object model as you're interacting with the shopping cart. Interesting. We have a huge success rate at finding that malware as it's operating in real time right on the customer's browser.

Okay. And so that's the solution that SecurityMetrics then offers for people who are interested in detecting, but also, I think, preventing. Right? Or being aware of?

Not exactly preventing. It's early detection.

Early detection.

If you're running daily scans, instead of having something running since 2017, if it happens and your website gets exploited Right.

It's gonna be found really early.

Okay.

And it's going to, again, send off an alert to the merchant, not like antivirus, which just alerts the customer.

Uh-huh.

It's gonna say, hey, merchant, you've got a problem here. You need to get eyes on this immediately.

Okay. So it'll reduce the damage because they know right away, rather than, where does it all go? We don't know what the problem is.

Yeah. Instead of losing a hundred thousand credit cards, you're only gonna lose, you know, a handful maybe.

Okay. It's a much more manageable number than a hundred thousand.

Hopefully, you might lose one if your eyes are on it quick.

Alright.

Well, and that's a whole lot better than losing thousands or tens of thousands or hundreds of thousands of cards.

Definitely. Definitely. And, again, any information that you're putting into the website, it does not have to be just cards. Right? This is the example that we use because this is what a lot of our customers come to us for, for forensics.

But any organization, if you have any type of sensitive information that you're trying to protect, this is the same thing. Entering it into a web page, this model will help you protect that information.

Yeah. We tend to run it monitoring shopping carts. But anytime you have a login that protects a sensitive area of the website, you really ought to consider running a WIM scan Right.

That's going to look for any of those changes that only happen Okay.

As the client is operating in the browser and doing those things in the browser.

Good to know. I did not do my homework on this part, and I apologize.

But where can people go to find out more about this particular product? Or do we have a blog post about this or anything like that out there?

Oh, we have some blog posts out there about it at SecurityMetrics, and they can give you the details on that.

So we'll put some links into the show notes because Hunter will do my homework for me and make sure that's in there. Make sure you get the information that you need if you're interested in learning more about the WIM product. Hey, Aaron. Thank you so much for joining us today. I really appreciate your time.

My pleasure, Jen.

Alright. And thank you for joining us today on this Security Slopes podcast, and I hope you'll join us again next week. Bye.

Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the right. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
