With hundreds of millions of people sheltering in place and quarantining around the world due to the novel coronavirus pandemic, and many brick-and-mortar stores temporarily closed, online shopping has become even more of a lifeline. As consumers ramp up their online spending, though, the criminals who hack websites to digitally “skim” credit card numbers are having a field day.
Digital skimmers—malicious code that hackers inject into legitimate websites to grab payment data—already posed a potential risk to online shoppers long before the Covid-19 crisis. But just as scamming activity spikes during peak shopping times like Black Friday, the pandemic creates prime conditions for more attacks—especially because companies are distracted and adapting to remote work. Yonathan Klijnsma, head of threat research at the security firm RiskIQ, says the company has detected a 20 percent increase in online skimming activity in March compared to February.
“Ecommerce crime spikes whenever there is an event that forces or entices people to perform more online transactions,” Klijnsma says. “As we’re now all isolating ourselves and homebound, it means online purchases will spike and makes it a prime time for criminals.”
Two recent high-profile victims hint at that flurry of activity. Researchers from the security firm Malwarebytes published findings last week about criminal code they had spotted embedded in the website of food storage company Tupperware. Attackers had exploited vulnerabilities in the site to inject their malicious module, which then siphoned off credit card numbers and other data as consumers filled out payment forms to complete purchases. A week before that, RiskIQ revealed a similar attack on the blender company NutriBullet, which the firm attributed to the notorious digital skimming group Magecart.
RiskIQ first observed the NutriBullet attack at the end of February, but couldn’t get in touch with the blender maker. So the researchers coordinated with other internet watchdogs to take down the malicious infrastructure behind the skimming on March 1. Since NutriBullet hadn’t fixed the website flaws the hackers used to get their foothold, though, Magecart established a new skimming operation on the site on March 5. Days later, RiskIQ says NutriBullet finally seemed to plug its website vulnerabilities and stop the skimmer, but Nutribullet’s unresponsiveness made the whole process slow and disjointed.
Tupperware proved similarly difficult for Malwarebytes to contact. While some of this can be chalked up to the normal challenges of disclosing security issues to companies, Malwarebytes’ head of threat intelligence, Jérôme Segura, points out that the pandemic may be creating challenges and distractions that make it even harder for companies to react to security incidents.
“One thing that maybe is a side effect of what’s happening right now is that the number of people who are available to look at a website issue at companies is reduced,” Segura says. “One person I spoke to at Tupperware got upset with me and said basically, ‘I don’t know what to do about what you’re asking me right now. Everybody is working from home, it’s a difficult time.’ And I said ‘I completely understand, but you need to fix this.’”
Malwarebytes first attempted to notify Tupperware on March 20. The company appeared to remove the malicious skimmer from its site on March 25, the day Malwarebytes published its findings.
“Tupperware recently became aware of a potential security incident involving unauthorized code on our US and Canadian ecommerce sites,” the company said in a statement. “As a result, we promptly launched an investigation, took steps to remove the unauthorized code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement. Our investigation is continuing, and it is too early to provide further details.”
Unlike RiskIQ, Malwarebytes hasn’t detected a significant increase in skimming attacks since the rise of the novel coronavirus, but Segura emphasizes that this is partly because the typical baseline for such attacks is already quite high. And he agrees that it’s particularly important right now for users to be mindful of the risk and take precautions.