Woman using smartphone for online shopping showing credit card skimmer on online shops

Europol Notifies Over 400 Online Shops of Credit Card Skimmer Infections

Europol and national law enforcement authorities in 17 countries have notified over 400 online shops of credit card skimmer infections exposing customers’ credit card information.

Greece spearheaded the two-month Digital Skimming Action operation in collaboration with threat intelligence firms Group-IB and Sansec, with the support of the European Union Agency for Cybersecurity (ENISA).

The crackdown was part of the European Multidisciplinary Platform Against Criminal Threats (EMPACT) campaign targeting organized crime.

During the operation, Europol notified 443 merchants that their ecommerce platforms were compromised via digital skimming attacks leaking customers’ payment data.

“With the support of national Computer Security Incident Response Teams (CSIRT), the two-month action has enabled Europol and its partners to notify 443 online merchants that their customers’ credit card or payment card data had been compromised,” said Europol.

Europol detects 23 JavaScript skimmer variants on hundreds of online shops

The campaign collected crucial intelligence information including malware signatures, attackers’ domains, infected websites, and the origin of the malicious scripts. This information would help security researchers understand the scope of the campaign and potentially prevent future digital skimming attacks.

The operation detected 23 JavaScript skimmer variants, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin. Group-IB has identified 132 digital skimmer families by the end of 2023.

The attackers injected malicious JavaScript code on checkout pages of legitimate websites to harvest payment details from unsuspecting customers. Once successfully deployed, the skimmer extracts customer payment data including credit card numbers, expiration dates, verification numbers, names, and shipping addresses.

The attackers monetize the stolen payment data for illegal transactions or by selling it to other threat actors on the Dark Web. A stolen credit card costs between $17-$120 depending depending on its origin and balance, according to The Dark Web Price Index 2022.

According to the researchers, the injected skimmer employs various evasion tactics, including mimicking legitimate JavaScript code such as Google Tag Manager and Google Analytics.

“Digital skimming attacks can often result from a company’s use of tag management systems to add functionality and heighten the user experience by going around established change control processes,” said Pedro Fortuna, CTO and Co-Founder at Jscrambler. “Many would think of these third-party tags as the culprit, with the answer being their removal. However, this is not a realistic way for security to approach this challenge as it threatens business continuity.”

Fortuna advised online shops to balance protection and operation by deploying the “right client-side protections that can control third-party JavaScript based on behavior.”

Europol warned that digital skimming attacks on online shops could go undetected for long, impacting millions of customers.

Additionally, the victims are usually unaware that their payment details were compromised until cybercriminals abuse them for fraud, and cannot easily determine the point of compromise.

The participating authorities received training to identify JS-sniffers and understand their impact, and assisted impacted online shops to remove the digital skimmer payloads from their websites.

Credit card sniffing is a multi-billion dollar industry

Credit card issuers and online shops lose tens of billions annually via fraud and chargebacks when fraudsters use stolen cards to make purchases. When cybercriminals use stolen credit/debit cards, legitimate card owners notify their issuing bank, resulting in merchant chargeback.

According to the Federal Trade Commission (FTC), credit card theft is the most prevalent type of identity theft, with up to 10% of Americans falling victims.

Unsurprisingly, the malicious campaign coincided with the holiday shopping season when online shops record the most buyer activity. Consumer credit reporting agency TransUnion had predicted an 11.6% increase in digital fraud in the US, compared to a 49.6% global decline in 2023.