Card Skimming: What It Is and How to Prevent It

Online credit card theft has become a major security concern for the whole eCommerce industry, with card skimming malware targeting all leading website-building platforms. Initially discovered on Magento stores, credit card skimmers have quickly evolved, making WordPress websites a primary target.

Studies have shown that over 60% of all card skimmers targeted WooCommerce websites in 2022. This percentage is expected to grow in the upcoming years as WordPress increases its market share in the eCommerce industry.

Whether you are an eCommerce website owner or a frequent online shopper, credit card skimming is definitely something you should be aware of. In this guide, Solid is taking a deep dive into card skimming, exploring the nature of online credit card theft and its detrimental effects on the whole eCommerce industry.

You will learn how card skimmers are planted on eCommerce websites, how they steal critical payment information, and what to do if you suspect that your online store has been infected with this type of malicious software. Solid will also provide you a step-by-step guide on how to secure your WooCommerce website from online credit card theft to offer a safe shopping experience, especially during the holiday season.

What is Card Skimming and Why Should You Be Concerned?

Card skimming is a type of online credit card theft aimed at obtaining critical payment information through running malicious software, known as a card skimmer, on an online store. Card skimmers are injected into an eCommerce website to steal the credit or debit card information customers enter on the checkout page. This credit card information is then used to purchase high-ticket goods that are often sold on auction sites, Craigslist, or any other way to turn hard goods into cash.

Card skimming originates in the ‘offline’ world, as criminals would attack special devices on ATM machines to steal card details, including the card number and PIN code. Although this criminal activity still remains an active threat, the rise of eCommerce has made it much easier for criminals to perform credit card skimming online.

If you shop online, you should be aware of how card skimming works and how to protect yourself from this type of criminal activity. If you are an eCommerce website owner, the importance of knowing the nature of card skimming malware is even higher, as you are now entrusted with keeping your customers’ sensitive information secure and providing a safe shopping experience.

Why is Online Payment Fraud So Detrimental to Ecommerce?

The rapid growth of the eCommerce industry has prompted the emergence of online payment fraud and new ways of stealing critical payment information. The typical cycle of online payment fraud begins with credit card theft, continues with performing carding attacks to validate the stolen card details, and ends with malicious actors making unauthorized transactions on behalf of the cardholder.

Of all types of cyber security threats in the eCommerce industry, card skimming and carding attacks remain the most detrimental. Causing financial losses and reputational damage to all parties involved, credit card theft leads to the disruption of the balanced state of the whole eCommerce industry and payment ecosystem.

Legal Implications of a Data Breach as A Result of Card Skimming

Card skimming malware facilitates a data breach, exposing sensitive payment information to a hacker. Incidents of this kind have significant consequences for any eCommerce business, most of which have serious long-term effects.

Financial and reputational damage is almost inevitable as a business recovers from a malicious infection. As a serious violation of Payment Card Industry Data Security Standards (PCI-DSS) compliance, credit card theft can lead to businesses facing fines or even permanent expulsion from card acceptance programs. Businesses affected by credit card theft must notify the relevant credit card providers as well as card holders and law enforcement.

In 2020, Warner Music Group was targeted by credit card skimmers. Although it was not revealed how many customers were affected, the company confirmed that critical payment information had been stolen and could have been used for fraudulent transactions.

Dealing with online payment fraud and minimizing its negative impact on online shopping has become a collaborative effort for businesses and payment processing systems. Still, there is no ultimate solution when it comes to cyber security, as even large corporations and marketplaces have suffered the consequences of massive data breaches. Small businesses looking to increase margins through eCommerce solutions are even more attractive to malicious attackers as they often have even less defenses in place than medium or large organizations. Unfortunately, no one is immune, and we all require constant vigilance against these attacks.

From Magento to WooCommerce: The Evolution of Card Skimming

As a type of malicious software, credit card skimmers trace their origin back to the emergence of the leading eCommerce website-building platforms and their increasing popularity.

It is clear that card skimmers have existed for at least as long as online shopping has, but it’s believed that the rise of this malware can be attributed to the rapid growth of Magento – one of the first open-source, purpose-built eCommerce platforms that has then received extensive attention.

One of the first known credit card skimmers – MageCart – originates around 2014 and has derived its name from the Magento eCommerce platform, which at the time was the main target of card skimming attacks. The growing popularity of other platforms such as Prestashop, OpenCart, and – ultimately – WooCommerce has prompted the evolution of credit card skimming malware.

According to research conducted by Sucuri, as of 2021, WordPress has overtaken Magento in the total number of detected credit card skimmers. In 2022, around one-fourth of the top one million eCommerce websites are powered by WooCommerce, Built With reveals. And as this percentage is expected to grow, so is the number of card skimmer malware targeting the WordPress ecosystem.

How Do Card Skimmers Steal Payment Information? JavaScript and PHP-based Malware

As with any other dynamic web application, an eCommerce website will have both PHP and JavaScript code loaded to provide a seamless shopping experience. In simple words, JavaScript code executes in the website visitor’s browser without regenerating the whole web page.

Card skimmers steal critical payment information in one of two ways – with malicious code running on the server side or the user’s browser. This makes all credit card skimmers fall into just two groups – PHP and JavaScript-based malware. Due to the nature of JavaScript card malware, using it to steal sensitive user information is often referred to as JavaScript sniffing.

Regardless of how exactly credit card or debit card details are stolen from an unsuspecting eCommerce customer, the payment information entered on the checkout page will be sent to the hacker’s exfiltration domain in the process commonly known as data exfiltration. Whether the credit card skimmer runs in the user’s browser or in the back-end defines how exactly this will happen.

JavaScript-based Card Skimmers

Most of the time, JavaScript-based card skimmers will be injected into the database, loading malicious code from a fraudulent website a hacker creates prior to launching an attack. One of the common ways this can be achieved is by using Widgets from the admin dashboard in WordPress and miscellaneous scripts in Magento.

On WooCommerce stores, malicious card-skimming JavaScript code is often loaded from the wp_options or wp_posts tables of the WordPress database. If a Magento website falls victim to this type of cyber attack, card skimmers are commonly injected into the core_config_table.

It is not uncommon, however, to see malicious code added to the files that make up the WooCommerce functionality or are part of other WordPress plugins or themes. The main goal is to disguise the malicious code added as legitimate to avoid detection.

As JavaScript-based credit card skimmers execute in the victim’s browser and display within the website’s source code, they can be detected by antivirus software, browser extensions, and external site checkers. This is not the case with PHP-based card skimming malware, which, however, is less widespread.

PHP-based Card Skimmers

Despite the fact that PHP-based card skimmers are less common, a large amount of new PHP malware created is credit card skimming malware. This type of malware works in the backend of an eCommerce website and uses functions such as cURL to exfiltrate stolen credit card details.

Operating on the backend makes PHP-based credit card skimmers undetectable by any antivirus software, rendering them invisible to the victim’s browser or external site checkers. This, combined with the fact that malware involving credit card theft tends to be well hidden, makes it much more difficult to spot and remove.

Hackers know that the integrity of WordPress core files can be easily verified and monitored, thus making any malware easily detectable. PHP-based credit card skimmers are often injected into a website’s plugin or extension files or are added by creating a fake plugin, a folder within the plugins folder of wp-content.

How do Card Skimmers End Up on Ecommerce Websites?

As with any other type of malware, credit card skimmers end up on eCommerce websites as a result of unauthorized access. Wondering how websites get hacked? Hackers can use various methods to gain access to any website, with brute-force attacks and vulnerability exploitation accounting for the vast majority of successful compromises.

Small online stores often overlook the critical factors of cyber security, thinking that only making high profits could possibly spark an interest in a hacker, enough to make a website an active target. The truth is hackers often do not choose what websites to attack.

Most cyber attacks are highly automated and span across thousands of websites. Using a network of bots allows a hacker to target as many websites at once as possible, often prioritizing quantity over quality. Determining the type of website and the content management system used helps attacks decide what kind of vulnerability to exploit and the type of malware to inject.

All Magento websites will be handling payment information, while only a subset of WordPress-based websites will be using WooCommerce. With some additional effort, however, it is easy to determine whether a website is an online store based on the presence of web pages such as cart or checkout. Attackers can easily automate bots to check for the presence of both eCommerce functionality as well as potential vulnerabilities.

What Level of Access Is Required to Inject a Card Skimmer?

To inject code that works as a card skimmer, whether JavaScript or PHP, all an attacker needs is an entry point. This could be any number of things, including an easily guessable password, a password that was reused on another site that ended up in a data breach dump, or a convenient vulnerability in a plugin, theme, or even WordPress core.

As well, some unknowing site owners will install additional WordPress sites in their hosting account. These additional sites, if left unsecured or not updated, can cross-contaminate any other site within the hosting account that is using the same server-based user as the vulnerable site.

These seemingly innocuous errors can have grave consequences when an attacker adds a card skimmer to an eCommerce storefront.

Attackers can either add the malicious card skimming code to the site’s files, database, or even add a link that calls the code into the checkout pages from an external site hosted elsewhere.

To maintain control over the compromised website, the attacker would also inject backdoors – malware intended to provide unauthorized admin access to a website bypassing normal authentication methods.

Early Signs a Card Skimmer is Injected Into Your Website

Credit card skimmers are often difficult to detect. However, as with any other type of malware, it will eventually be identified as you see some common signs of a website compromise. Website visitors will report seeing security warnings from their antivirus software or browser extensions, with Google stepping in by putting the ‘Deceptive Site Ahead‘ warning. However, at this point, it might be too late.

Identifying early warning signs that will give away the compromise is often overlooked by most business owners and even disregarded by their IT teams and hosting providers. Remember that any change to the way your website functions or any changes made to website files, file permissions, or database tables deserve immediate attention.

The faster you can detect the malicious intrusion into your site, the faster you can mitigate the problem and reduce its impact. The impact of a card skimmer on a site for 3 hours is much less than three days. As such, an early warning system is critical for reducing the legal ramifications of a breach.

Detect Credit Card Theft Early With Solid Security Pro

It is estimated that a data breach can take an average of 200 days to discover, so relying on such indicators is more of a reactive approach, which has proven unviable, especially when it comes to eCommerce. Security hardening, active monitoring, and timely vulnerability patching are the golden standards of modern cyber security approaches.

Using Solid Security Pro helps you be alerted of any suspicious activity happening on your website by using advanced file integrity monitoring and on-the-clock vulnerability scanning. The Version Management feature allows you to leverage automatic WordPress core, theme, and plugin updates to avoid dealing with the detrimental consequences of active vulnerability exploits.

How to Detect a Card Skimmer on Your Ecommerce Website in 3 Steps

As the ultimate goal hackers keep in mind when injecting card skimmers is going undetected for as long as possible, card skimming malware can often be disguised as legitimate code. Follow the three steps below to locate a card skimmer on your website.

If you are running an eCommerce website, the probability that a card skimmer will be injected into the store’s checkout page in the event of a compromise is extremely high. Suspending any payment processing until more information is available is the best way to mitigate the ongoing attack before making any malware remediation attempts.

Step 1. Check Your Website’s Checkout for Any Suspicious Resources Loaded

As most credit card skimmers are JavaScript-based, they will be detected by the browser and external site checking tools such as Google Search Console or Sucuri Site Check. Most of the time, card skimming malware will only be loaded on the checkout page or any URLs that contain certain strings such as order, cart, or account. That being said, card skimming software has been found in numerous places on sites, including footer files, header files, or theme function files.

Examine the source code of the checkout page manually to see if any suspicious JavaScript files are loaded from sketchy resources. This code may be obfuscated to be difficult to understand, or it could be referring to another website that is unfamiliar. The source code will also show any malicious JavaScript code injected into the website files directly. As the process can take a lot of time and effort, you can turn to site-checking tools for assistance or try scanning your website’s database directly.

Using database management software like phpMyAdmin, you can search your database tables with a certain string. For WordPress, those would be the wp_options and wp_posts table, while on Magento websites malicious JavaScript files are most likely to be injected into the core_config_data table.

Although some credit card skimmers can load without script tags, most will still be embedded into the web page the traditional way. You can use the following to search the database tables:

%script%src=%.js%script%

If you are unsure if a certain JavaScript file poses a security threat, use VirusTotal to see if any security vendors consider it malicious. If you have not found anything suspicious loading on the checkout page, it is possible that the card skimmer injected in PHP-based or the hacker did a great job disguising the malware as legitimate code.

Step 2. Scan Your Website For Malware

Running a malware scan to analyze website files using known malware signatures is extremely helpful when dealing with an ongoing infection. Although modern malware scans can help you identify most malicious code, if the hacker did not use heavy obfuscation, there is a chance that the credit card skimmer injected will be missed. Your hosting account provider can often be a great source of truth for malware scanning using the latest malware detection capabilities.

Step 3. Examine Recently Modified Files

If not loaded from fraudulent websites, card-skimming malware can be injected into your website’s files, including theme, plugins, or extensions data. Examine your website’s scripts, sort them by modification dates, and compare their contents with what is expected to be there.

Heavy code obfuscation is something to look for when scanning your website files for malware manually. Card skimmers will often have the atob() JavaScript function used to decode data, which is commonly used by this type of malware. PHP-based card stealers often take advantage of base64_decode() and base64_encode().

This, however, is often helpful only at the initial stages of the website compromise. When malware infections are left unresolved for some time, malicious file modifications will be much more difficult to spot due plugin and theme updates, content uploads, and other maintenance activity.

Solid Security Pro monitors all file changes and will notify you if there is any suspicious activity involving adding and removing files, or modifying any data. The File Change Detection feature will also verify no malicious code has been injected into the WordPress core, theme, and plugin files by comparing their contents with those from WordPress.org.

Malware will often have non-standard file permissions, which can also help detect card skimmers. The File Permission Check feature will help you identify any anomalies and verify whether permissions are configured correctly.

Recovering From Card Skimming Malware

The process of removing credit card skimming malware is no different from cleaning a hacked website of any kind. It includes the following key steps:

• Remove the malicious code identified, including any backdoors that will allow the hacker to reinfect your website if left unchecked.
• Examine all admin accounts and change all access point passwords to avoid unauthorized access.
• Update all software used to the latest version and remove any plugins or extensions installed from unverified sources.

Restoring from a clean backup could be the best course of action when dealing with a recent hack, especially if the card-skimming malware was injected into the website’s files as opposed to the database tables. Of course, if going this route, it makes sense to review your site’s log files to determine the source of intrusion so that you can make changes to either change affected passwords, patch vulnerabilities, or rectify any other intrusion points.

How to Secure Your Online Store and Prevent Card Skimming in 5 Steps

When it comes to eCommerce, website security is of utmost importance. Keeping your website protected from card skimmers and other destructive malware starts with a proactive approach to reducing the attack surface.

More specifically, honoring the principle of least privilege and performing regular updates and vulnerability patching. Here are the five key steps you need to take to radically reduce the chances of any malware making its way to your eCommerce store.

Step 1. Choose PCI-Compliant Hosting

Businesses that accept, process, or store credit card information must maintain a secure environment by subjecting to a set of strict security standards known as PCI DSS. If you accept payments via credit cards, PCI compliance is not optional; it is mandatory.

Choosing PCI-compliant hosting helps you as a business owner comply with the strict Payment Card Industry Data Security Standards (PCI DSS). PCI-compliant hosts take the steps necessary to meet the security standards for their server infrastructure.

This does not, however, mean that your online store will instantly become PCI-compliant. Many PCI DSS compliance standards fall directly onto you and must be followed to ensure full compliance of your eCommerce website.

Compliance and the server environment’s security must constantly be monitored and, when necessary, improved in your policies and procedures. Liquid Web and Nexcess offer PCI-compliant hosting optimized for WooCommerce, with regular vulnerability scanning and malware monitoring.

Step 2. Keep Your Website Software Updated

Configure automatic WordPress core, theme, and plugin updates to install the latest security releases before the identified vulnerabilities can be exploited on your website. Solid Security Pro can help you with that, so you do not need to update any software manually.

Solid Central can help you manage multiple websites from one dashboard, taking advantage of the Version Management feature Solid Security Pro offers. Leverage advanced uptime monitoring and key SEO metrics tracking with your personal website assistant.

Step 3. Use Multi-factor Authentication

Passwords are broken. Password-based authentication makes a shared secret the only piece of information that a hacker needs to obtain to successfully impersonate you. Moreover, most backdoors allow an attacker to bypass authentication completely and reinfect the website again, even if you change all passwords for admin accounts.

Even if you still have a backdoor left from a previous compromise, enforcing multi-factor authentication and using other ways of securing your website administration dashboard will not allow the hacker to gain unauthorized access again.

Solid Security Pro allows you to configure 2-factor authentication or even passwordless, passkeys-based authentication for your WooCommerce online store. Without access to the WordPress dashboard, hackers are much less likely to inject JavaScript-based card-skimming malware into your eCommerce website.

Step 4. Create a Backup Strategy

A good backup strategy is absolutely essential, especially for online stores. Make sure your website is regularly backed up and at least a few copies of it are stored securely at a remote location to ensure data redundancy.

Solid Backups is the leading WordPress data protection and recovery solution that over a million WordPress and WooCommerce website owners take advantage of on a daily basis. With flexible backup schedules, remote backup storage locations, and one-click updates, you can rest assured that your website is protected from failed updates, data loss, or any other unfortunate events, including malware infections.

Step 5. Ensure Your Hosting Environment Offers Full User Isolation

Analyze your hosting environment and make sure you are protected from cross-account symlink attacks exploiting poor user isolation and insecure file permissions. This is especially important if you are running your own virtual or dedicated server.

Cross-account symlink attacks leverage the use of symbolic links in order to get access to sensitive files located on other websites on the same server. Symlink hacks can lead to the hacker gaining access to all websites on the chosen server unless Linux users are fully isolated from one another.

To address the critical vulnerability, consider installing the KernelCare free symlink patch or using a more robust solution such as CageFS offered by CloudLinux.

Wrapping Up

Online credit card skimming is one of the most damaging malware attacks targeting eCommerce websites. Stealing critical payment information from the checkout, card skimming malware sends the data received to the attacker’s website, allowing them to sell the card details on the dark web.

First found on Magento websites, credit card skimming malware, commonly known as MageCart, has quickly evolved, making WooCommerce the primary target. Modern card skimmers are easy to inject and difficult to detect, making the data breach not obvious to the website owner for some time.

Keeping the critical areas of your eCommerce website, such as the admin panel, and employing file integrity monitoring and timely vulnerability patching is key to preventing this malware from entering your online store. Solid Security Pro and Solid Backups can help you harden your website security and create a great backup strategy to withstand the most sophisticated cyber attacks and keep your customers safe.