Double Trouble: A Cautionary Tale of Piggybacking Skimmers on the Magento Platform

A unique bit of news in the world of online security popped up recently — namely, Threatpost reported that two web skimmers had been detected on the payment pages of Costway, a leading retailer of appliances and furniture in North America and Europe. The skimmers were found to be targeting customer credit card details. The uncommon aspect of this otherwise ordinary case of malware is that the researchers discovered that one of the web skimmers was piggybacking on top of the other one, essentially in a bid to seize control of the fake forms previously injected into Costway’s site. This technique allows a bad actor to step in and harvest another hacker’s stolen goods, with little effort. Costway’s compromised website runs on the Magento 1 platform, an iteration of the world-famous open-source technology which no longer receives support from Magento as of June 2020. Let’s run through the elements involved in a scenario such as the one that occurred to Costway.

What is a skimmer anyway?

According to Malwarebytes, a “web skimmer” is generally a fragment of malicious JavaScript (JS) code that a bad actor injects into web payment pages to perform the act of skimming. The term “skimming” originally refers to a sort of fraud that targets automated teller machines (ATMs) and point-of-sale (POS) terminals where a criminal uses a device (called a skimmer) or malware to steal details from a credit or debit card’s magnetic strip. In essence, it’s a simple way in which bad actors can easily steal customer payment details.

Why is a skimmer dangerous?

A single skimmer is dangerous enough on its own because it enables a bad actor to collect personally identifiable information (PII) belonging to your customers — and you won’t know it until it’s too late. A quick Google search will bring forth numerous stories of large, well-known corporations discovering a skimmer on their payment pages weeks, and even months after a bad actor first injected the malware onto their website. Last fall, threat post reported that about 100 thousand online shoppers were impacted by a Magecart attack, wherein a payment-card skimmer infected close to 2000 eCommerce solutions. Threat post also reported last summer that the websites of eight North American cities fell victim to payment card-stealing Magecart skimmers; the point of entry in this case was a third party software that had previously experienced data breaches. Last fall, new variations of the point-of-sale Grelos skimmer malware were discovered targeting card details belonging to shoppers on dozens of hacked websites.

Let’s talk about the piggybacking incident; a.k.a., what makes this new variant of skimmers even more dangerous.

Question: What’s worse than one skimmer? Answer: Two skimmers

The obvious reason is that instead of a single bad actor stealing your customer data, you now have two, or several criminals exploiting the same vulnerability to gain access to your sensitive information. It simply increases the impact on your customers immeasurably. Rather than one individual selling your customers’ information on the dark web, you now have a whole group of criminals at your digital doorstep.

How it works in practice

Let’s think of this in a physical scenario. A criminal has placed a skimmer on an ATM machine in hopes of stealing credit and debit card information. Another criminal comes along, spots the skimmer, and connects his own data reading device to the existing skimmer. The first criminal has done the heavy lifting; now the second thief harvests the information for himself by hooking into the device — and now it’s double trouble.

Now, let’s imagine an online store that unfortunately contains vulnerabilities; along comes Bad Actor A, who exploits a weakness in the system and injects malware onto the site. Bad Actor B finds the same website, and upon his search, he not only discovers the weaknesses, but also the malware already stealing information from the site. Bad Actor B then injects his own code that interacts with the first malware and uses it to glean information.

Does this happen often?

While this is indeed a clever little play, we have to reiterate that this is not a common scenario, nor is it a widespread one. Because every piece of malware is unique, you cannot create a “piggybacking skimmer” that is automated. And because it’s not automated, it’s not very common. It’s simply not profitable for a criminal to spend time creating an automated malware that targets another specific malware, because that specific malware might change the very next day.

Bad actors generally utilize automated tools that search for weaknesses in websites. They can also manually “review” a website to determine whether “it’s worth” their time, and they are able to see whether malware is already present on the target site. If an attacker finds a shop that has already been exploited, and if the preexisting malware lines up with their own intentions, it’s a relatively easy move to “piggyback” on top of the first malware.

However, while it’s a fringe situation, it’s still a clever trick if a bad actor is willing to invest the time. This news story involving Costway simply illustrates not only the advancement in skimmer technology, but that malware is mutating and evolving, while their authors grow smarter and more creative.

How can merchants detect web skimmers (and different variants) on their eCommerce solution — quickly?

The easiest way to know immediately if someone breaks into your house is to install an alarm system. In a similar fashion, installing a security tool that scans your system and immediately alerts on an “intruder” will ensure you know when someone is trying to enter your (digital) house. Even if you believe that your eCommerce solution is completely secured, bad actors can stumble upon some very simple entry points, such as by guessing an easy admin password (admin123). A bad actor can gain entry without hacking the site in this case, and then insert malware on to your website.

While online criminals are getting smarter, we keep up with these trends, and we have a tool that can help you scan for exactly the types of incidents mentioned in this blog post. Lokte’s Data Breach Monitoring (DBM) tool would catch a crook using the easy-to-guess admin password against you. Our DBM tool is integrated into your website so that malware cannot hide, and it specifically alerts on requests to an unauthorized location, which includes supply-chain attacks, Magecart attacks, form-jacking, and skimming. Read more about our DBM tool here, and order it today (and get it up and running in just a few minutes). Bad actors could very well be scanning your eCommerce solution tonight, but our DBM tool could be standing guard, ready to alert on any suspicious activity.