What is web skimming? Causes, countermeasures, and examples from Japan


Web skimming is a type of cyberattack in which malicious scripts are embedded in a website in order to steal credit card information and personal data entered by users. The payment forms on ecommerce sites are often targeted, and there have been numerous reported incidents in Japan where users’ information was stolen without their knowledge.

Unauthorized access and data breaches targeting ecommerce sites have become a major security concern for businesses, making the implementation of secure payment systems essential.

This article will provide an accessible overview of web skimming—covering how it works, its underlying causes, effective countermeasures, and relevant case studies from Japan.

What’s in this article?

  • What is web skimming?
  • How web skimming works
  • Risk factors for web skimming
  • Web skimming countermeasures
  • Examples of web skimming in Japan
  • How Stripe Radar can help

What is web skimming?

Web skimming is a type of cyberattack in which malicious code is embedded in a website to steal information entered by users.

Despite the presence of this malicious code, the website’s payment page and input forms appear to be genuine. As a result, users are unaware of the change and enter their credit card information and personal details on the site as usual. However, there is a risk of this information being secretly transmitted to the attacker.

Web skimming incidents

There have been numerous reports of credit card information being compromised or leaked due to unauthorized access to ecommerce sites.

In March 2022, the Personal Information Protection Commission conducted a survey about unauthorized access to ecommerce sites. The results showed that for sites that had suffered unauthorized access, credit card information was leaked in 93% of cases, and fraudulent use of credit cards occurred in 77% of cases. Approximately 80% of businesses temporarily suspended operation of their ecommerce sites as a result of the unauthorized access.

Thus, web skimming and other cyberattacks can have a significant impact on business operations. They can lead not only to the leak of customer information, but also to the suspension of ecommerce operations and damage to a company’s reputation.

Differences from skimming

“Skimming” is a concept similar to web skimming. The main differences between skimming and web skimming are as follows:

| | Skimming | Web skimming |
| --- | --- | --- |
| Vulnerable locations | ATMs and card readers | Websites |
| Attack methods | Card information is read using a specialized device | Input information is stolen using malicious script |
| Frequent targets | Card magnetic stripe data | Credit card information and personal data |

Skimming is a criminal act involving the unauthorized reading of a credit card’s magnetic stripe data and other information. A common method involves attaching a device to an ATM or card reader to steal card information.

Web skimming, on the other hand, is an attack carried out over the internet; it involves embedding malicious script or code into websites to steal data entered by users.

How web skimming works

In web skimming, malicious code or script embedded in the website is used to transmit information entered by users to external parties. Attackers use various methods to compromise websites and external services, creating the conditions needed to access user input.

The typical process of web skimming is as follows:

  • An attacker tampers with a website or external service and embeds a malicious script.
  • A user enters credit card information or personal data into a payment form or similar.
  • The script captures the information that has been entered.
  • This acquired information is sent to the attacker’s server.

Even though the script is embedded in the site, the visual appearance of the site remains unchanged; consequently, users enter their credit card and personal information under the assumption that they’re using the website as usual.

As this illustrates, web skimming schemes are extremely sophisticated; there are many cases where months pass without either users or businesses realizing that a breach has occurred. It’s therefore incumbent upon business operators to eliminate potential vulnerabilities that could make them targets for web skimming and to implement robust countermeasures.
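The last two steps, capture and transmission, are the ones a site operator can test for. The following added example (not from the original article) scans requests captured during a synthetic checkout made with a test card number and flags any that carry a card number, plain or base64-encoded, to a host outside the expected set; the hosts, request records, and function names are constructed for illustration.

```javascript
// Luhn checksum, used to tell card numbers from other long digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed) that pass the Luhn check.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(/\b(?:\d[ -]?){12,18}\d\b/g)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Views of a payload to scan: raw, URL-decoded, and decoded base64-looking tokens.
function views(payload) {
  let decoded = payload;
  try { decoded = decodeURIComponent(payload); } catch { /* keep raw text */ }
  const out = [payload, decoded];
  for (const tok of decoded.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || [])
    out.push(Buffer.from(tok, "base64").toString("latin1"));
  return out;
}

// Return requests that carry a card number to a host outside expectedHosts.
function flagExfiltration(requests, expectedHosts) {
  return requests.filter((r) => {
    const u = new URL(r.url);
    if (expectedHosts.has(u.hostname)) return false;
    return views(u.search + "\n" + (r.body || "")).some((v) => findPans(v).length > 0);
  });
}

// Constructed capture from a test checkout (hypothetical hosts, test card number).
const expectedHosts = new Set(["shop.example", "api.payments.example"]);
const b64 = Buffer.from("cc=4242424242424242&exp=12/34").toString("base64");
const captured = [
  { url: "https://api.payments.example/v1/tokens", body: "card=4242424242424242" },
  { url: "https://stats.unknown.example/c.gif?d=" + encodeURIComponent(b64), body: "" },
  { url: "https://cdn.chat.example/ping?t=1700000000000", body: "" },
];
console.log(flagExfiltration(captured, expectedHosts).map((r) => r.url));
```

The Luhn check keeps the 13-digit timestamp in the third request from being reported as a card number.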

Risk factors for web skimming

Web skimming occurs when attackers exploit weaknesses in websites, tamper with external services, or take advantage of insufficient ecommerce site security.

Website vulnerabilities

One of the contributing factors to web skimming is website vulnerabilities. If there are security vulnerabilities in a content management system (CMS) or the development suite used for the ecommerce site, there is a higher risk that the site could be compromised by attackers.

For example, cyberattacks—such as SQL injection (an attack that sends malicious commands to a website’s database)—can result in malicious scripts being embedded in a website.

Websites become more vulnerable to attacks if software updates have not been applied or if outdated versions of plugins are being used.

Compromised external services or scripts

If scripts on external services are tampered with, web skimming attacks can occur even if the website itself has not been compromised.

Ecommerce sites use a wide variety of external scripts, including analytics tools, chat functions, and payment services. If these external scripts are compromised, there is a risk that information entered by users could be sent to attackers.

This type of attack could also affect a large number of other sites that use the same external service.

Inadequate security measures

If proper security measures and management systems haven’t been put in place, the risk of unauthorized access or data tampering increases.

For example, insufficient access restrictions to the admin portal or inadequate password management can lead to unauthorized access.

If security monitoring and vulnerability audits are inadequate, malicious scripts that have been embedded may go undetected for a long time.

Web skimming countermeasures

To combat web skimming, it’s important to address website vulnerabilities, manage external scripts, and conduct security monitoring. It’s also a good idea to implement a system to prevent fraudulent payments, in case card information is actually stolen from your site.

| Countermeasure | Details |
| --- | --- |
| Software updates | Keep CMSs, ecommerce site development tools, and plugins up-to-date, and fix known vulnerabilities. |
| External script management | Verify the usage status of external services and JavaScript, and load only trusted scripts. |
| Admin portal access management | Prevent unauthorized access by implementing strong password requirements, access restrictions, and multifactor authentication. |
| Site monitoring | Monitor for website tampering and suspicious network traffic to detect anomalies early. |
| Nonretention of credit card information | Implement a system where the ecommerce site does not store credit card information, thereby reducing the risk of data breaches. |
| Use of fraud protection measures | Implement fraud protection measures such as a fraud detection system and 3D Secure 2 (3DS2). |

Web skimming is an attack that exploits the vulnerabilities in websites or weaknesses in their administration systems. Continuously updating software, properly managing external scripts, and monitoring security can help prevent incidents from occurring or escalating.

For example, implementing 3D Secure 2 (3DS2) can help reduce the risk that credit card information stolen through web skimming or similar methods is used for fraud.
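One way to apply the external script management and site monitoring countermeasures, shown as an added example that is not part of the original article: audit the external scripts a checkout page loads against a host allowlist and pinned Subresource Integrity hashes, and re-check a fetched script body against its pin to detect tampering. The hosts, script body, and function names are hypothetical, and the regex-based tag extraction stands in for a real HTML parser.

```javascript
const { createHash } = require("crypto");

// SRI value for a script body, in the form used by the integrity attribute.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Collect external <script src> tags. A regex is enough for this sketch;
// a production audit should use a real HTML parser.
function externalScripts(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.flatMap((tag) => {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src || !/^https?:\/\//i.test(src[1])) return [];
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(tag);
    return [{ url: src[1], integrity: integrity ? integrity[1] : null }];
  });
}

// Compare the page against an allowlist of hosts and per-URL pinned hashes.
function auditPage(html, allowedHosts, pins) {
  const findings = [];
  for (const { url, integrity } of externalScripts(html)) {
    const host = new URL(url).hostname;
    if (!allowedHosts.has(host)) findings.push({ url, issue: "host-not-allowlisted" });
    if (!integrity) findings.push({ url, issue: "missing-integrity" });
    else if (pins[url] && pins[url] !== integrity)
      findings.push({ url, issue: "integrity-differs-from-pin" });
  }
  return findings;
}

// Re-fetch check: does the body served now still match the reviewed pin?
function matchesPin(url, body, pins) {
  return pins[url] === sriHash(body);
}

// Constructed sample: hypothetical hosts and a script body reviewed at pin time.
const widgetUrl = "https://cdn.chat.example/widget.js";
const reviewedBody = "window.chat = { open() {} };";
const pins = { [widgetUrl]: sriHash(reviewedBody) };
const allowedHosts = new Set(["cdn.chat.example", "js.payments.example"]);
const checkoutHtml = `
<script src="${widgetUrl}" integrity="${pins[widgetUrl]}" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="https://stats.unknown.example/a.js"></script>
<script>console.log("inline")</script>`;
console.log(auditPage(checkoutHtml, allowedHosts, pins));
```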

Examples of web skimming in Japan

Actual cases of web skimming have been reported on Japanese ecommerce sites.

In 2023, a suspect was arrested for allegedly installing malware designed to steal card information on the server of a Japanese music group’s official online store, thereby illegally obtaining credit card information. According to media reports, the suspect is believed to have obtained the information for about 500 credit cards.

As this case illustrates, web skimming occurs when legitimate ecommerce sites are compromised, making it difficult for users to detect the attack. This shows the need for ecommerce site operators to continuously implement security measures such as software updates, management of external scripts, and site monitoring.

How Stripe Radar can help

Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.

Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.

Radar can help your business:

  • Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.

  • Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.

  • Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.

Learn more about Stripe Radar, or get started today.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular situation.
