E-skimming is a type of hack that involves the interception of payment card data and personal information through a deft exploitation of the often complex architecture of e-commerce sites.
Earlier this month, security researchers at Sucuri reported what could be a game changer in e-skimming attacks, one that exponentially expands our collective attackable surface of online businesses and customers alike-- hackers are more frequently targeting WooCommerce platforms.
The Macy's hack is probably the best known e-skimming hack. It targeted e-commerce platform Magento, which has about a reported 12 percent market share of e-commerce sites. Another e-commerce platform, WooCommerce, is used on twice as many sites-- reportedly about 26 percent of all e-commerce sites.
WooCommerce is both easy to use and install, which means that a user with little to no experience building websites--and even less knowledge of cybersecurity best practices--can use it to get an e-commerce site up and running with ease using it.
This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built quickly is a real matter for concern.
I see parallels with the early days of the Covid-19 pandemic; a relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims.
Like Covid-19 in January, the reported WooCommerce e-skimming hack is a nascent threat, but unlike the virus, you can prepare now for the threat and mitigate the potential damage.
A good place to start is for businesses and consumers to use a system I call the three Ms:
Minimize the Threat
Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don't have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them.
Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data.
Keep track of your bank and credit card accounts to know as quickly as possible when something isn't right. The most effective way to do this is to sign up for transaction monitoring--offered for free by banks, credit unions and credit card companies-- which notifies you of any activity in your credit or bank accounts. This applies to both business owners who should keep a watchful eye on their merchant accounts for abnormalities as well as their customers.
Manage the Damage
If your business falls prey to an e-skimming campaign, it's crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.
Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-commerce for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread.
Businesses and consumers alike can help flatten the curve when it comes to this malware. Monitoring for trouble, maintaining good cyber hygiene, and paying close attention to digital security offer our best shot at mitigating the spread of malware targeting e-commerce sites.