LAFAYETTE, La. (KLFY)- Scammers are now using a technique called “e-skimming” to steal credit card data from online shoppers. For years, scammers have used a small device on ATMs, gas pumps, and other terminals, to harvest credit card information.
Who’s running e-skimming schemes?
Many of the bad actors operate out of Eastern Europe. Some groups sell the stolen credit card data on the Web. At least one group has used a complex re-shipping scheme to make money, Browning said.
Browning said one scheme uses phony job postings in Russian language newspapers distributed in the United States. The pitch promises a way to make money by buying goods with stolen credit card data and shipping them to Eastern Europe so that the Magecart actors can sell the goods elsewhere for a profit.
“This is a lucrative and efficient way to intercept lots of valuable credit card numbers in a short period,” Browning said.
How does it work?
Typically, the scammers exploit weak links in a company’s e-commerce platform. In many cases, a consumer can be re-directed to a malicious domain where the skimming code can capture the customer’s information from the checkout page.
The skimming code would capture your information in real time and send it to remote server where the data is collected by the criminals behind the scene. The consumer’s credit card data would either be sold or used to make fraudulent purchases from that point going forward.
Experts say the stolen data can be found for sale on the Dark Web where it is acquired to create counterfeit cards, launch phishing attacks and commit other types of fraud.
In many cases, a security firm ends up notifying the retailer or other business that their site has been hacked. And much later, consumers may hear about big data breaches.
Given that the credit card or debit card information is stolen in real time, cyber criminals know they have a live card — not a number that’s already been cancelled.
“It shows that it’s a viable card and it has monetary value to it,” said Dave Lewis, global advisory chief information security officer at Ann Arbor-based Duo Security.
The value on the Dark Web could range from a few cents a card to $4 a credit card number, he said.
“They deal in hundreds of thousands of cards at a time,” Lewis said.
Lewis said he doesn’t find the latest twist surprising.
“This is the natural evolution of the attacker,” he said. “Nowadays, they understand these websites are processing millions of dollars in transactions.”
As technology has improved, this form of “skimming” has become less effective. Now, scammers are using a technique called “e-skimming” to steal credit card data online.
“You go to a website and it can be any website you go to purchase. You put in your information. Someone has already compromised that website,” Roddy Bergeron, with Enterprise Data Concepts, said. “They’ve got access to it, and they’ve inserted what we call a malicious code that captures your credit card information. Things that are supposed to be secure, and then, they can take that information and use it to make purchases.”
Here’s how e-skimming can happen: You’re shopping online on a reputable website. You put an item in your cart and check out. You enter your credit or debit card number to make your purchase, but the trick, what you don’t see is cyber criminals have hacked into the company’s server and planted malware on the site stealing your information.
“When the cyber criminals impact and access the web server and get this information, the consumer is not made aware of it until they have purchases that are unauthorized or the business that they were doing the online purchases with is aware, and then realized there’s a breach security and then notifies the customers,” Laurian Clause, with the Better Business Bureau of Acadiana, explained.
Bergeron said sometimes scammers will sell your credit or debit card information to people online through e-skimming.
“Sometimes an attacker will get admin credentials and be able to log into the website and have a code. Sometimes they find a bug on the website and they’re able to use that to get access to the website. That’s the bad part about e-skimming,” Bergeron said. “Everything looks like its secure. Everything looks like it’s legit. It’s someone you’ve always done business with, but there’s something going on. Some malicious actor has gotten access to that server and they’re stealing your information.”
Some tips from the BBB about how you can protect yourself from e-skimming:
- Keep a close eye on your bank and credit card statements regularly. If you notice any suspicious activity, call your bank or credit card company to report it.
- Experts advise you to make online purchases with a credit card. It’s easier to dispute charges made with your credit card.
- Consider using a virtual credit card. Some credit card copanies and banks offer virtual cards to their clients. These provide a unique credit card number to use when shopping online.
We don’t want our consumers to go into fear about how to use these websites or even making purchases,” Clause added. “It’s just arming yourself with knowledge that you just need to be careful.”
If you have a scam you’d like me to investigate, feel free to send me an email at firstname.lastname@example.org