Beware of Card Skimming This Holiday Shopping Season

Garden State Cyber Threat Highlight

Original Release Date: 11/27/2023

Summary

Reported card skimming incidents increased 20 percent during the first half of 2023 compared with the same period in 2022. New Jersey is among the states with the largest increases, with at least a 50 percent year-over-year rise in incidents during the first half of 2023. Based on this trend, the upcoming holiday shopping season will bring more opportunities for threat actors to capture customer payment card data and other financial information, both online and in person at stores, restaurants, gas stations, and ATMs. Threat actors continue to refine their methods for concealing skimmers and evading security measures. The stolen data has severe consequences for consumers and businesses, including lost revenue, legal damages, compliance findings, cross-site contamination of other sites on the same hosting infrastructure, identity theft, fraud, and follow-on malicious activity.

Magecart attacks are web-based skimming operations that capture customer payment card data from the checkout pages of online stores. The attacker first gains access to the targeted website, either directly or through a supply chain attack on a third-party script the site loads, then injects malicious JavaScript into the checkout page to skim the data customers enter and send it to a threat actor-controlled server. Stolen card data is then used to make fraudulent purchases or sold on dark web and other marketplaces. These attacks remain prevalent: a recently observed campaign hides its skimmer in the website's default 404 error page and targets many large organizations in the retail and food industries. Because the 404 page is served for any non-existent path and is rarely inspected by defenders, manipulating it to conceal malicious code is one of the more advanced obfuscation techniques observed to date and complicates detection and mitigation. Similarly, the Kritec skimming campaign is ramping up its activity ahead of the holiday shopping season, judging by the number of newly registered domain names attributed to the threat actor. Kritec presents victims with convincing customized checkout templates in the local language, which makes the skimmer difficult to spot.

Card skimming is not limited to online transactions. Threat actors discreetly install small card-reading devices on point-of-sale (POS) terminals at stores, restaurants, and gas stations. This past year, Walmart was a frequent target, with skimmers found at 16 different US locations, and skimming devices were found on two gas pumps at a BP gas station in Delaware. Threat actors are also targeting ATMs, and the types and locations of compromised terminals are shifting: non-bank ATMs at convenience stores and gas stations are now compromised more often than bank ATMs. In September 2023, skimming devices were discovered on an ATM inside a Wawa convenience store in Cinnaminson, NJ, and may have been in place for two months before their discovery.

Recommendations

The NJCCIC recommends organizations and users educate themselves and others on these continuing threats and tactics to reduce victimization. Website administrators are urged to use only vetted first-party code on checkout pages, keep hardware and software up to date, deploy a web application firewall (WAF) to block and alert on potential code injection attacks, implement a Content Security Policy (CSP) that restricts where scripts may be loaded from and where the page may send data so that unauthorized transmission of personal data is blocked, and schedule routine website scans that detect changes in the JavaScript loaded by each page.

The NJCCIC recommends using credit cards rather than debit cards for purchases, as credit cards often carry greater consumer protections that limit a victim's liability for fraudulent purchases. Navigate directly to known, trusted websites that use HTTPS, and, if possible, designate one credit card for online purchases and monitor it closely. We highly encourage enabling multi-factor authentication (MFA) on every account that offers it, including online shopping accounts.

Before using a POS device or ATM, check whether the machine has been tampered with. Do not use a machine that looks damaged or loose; tug at the keypad and card reader to check for an overlay. When you do use the machine, cover the keypad as you enter your PIN so that an overhead camera cannot record it. Additionally, keep your card in sight whenever possible, retain receipts, monitor account statements carefully, and notify the financial institution immediately of any discrepancies. Many financial institutions also offer notifications for every charge on an account; enabling them makes it more likely that a fraudulent transaction is noticed as soon as it occurs and reported to the bank.

If victimized, lock the affected card if this option is available, notify the financial institution immediately, and request a new payment card. Also, review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
