During the busy holiday shopping season late last year, firearms maker American Outdoor Brands noticed a problem with one of its websites, which sells mostly hats, shirts, and accessories. The site was subject to an e-skimming attack, in which a type of malware infected its checkout pages to steal shoppers' payment and personal information. The incident affected about 780 people.
Companies large and small have been hit by e-skimming attacks in the past two years, including Macy’s in October, Puma’s Australian website in April and Ticketmaster’s United Kingdom website in June 2018.
The FBI says e-skimming has been on its radar for nearly seven years, but the crime is growing because cybercriminals are sharing the malware online and becoming more sophisticated.
“If you are a company that has a heavy volume of credit card numbers being inputted into your website, at that point, you’re probably at a higher risk,” said Herb Stapleton, section chief for the FBI’s cyber division. “Now one thing about those types of companies is often they have more resources to invest in cybersecurity measures. So as a result of that, even some lower-traffic companies, some smaller and medium-sized businesses, are still at risk because some of them may not have the resources to invest as heavily in their cybersecurity.”
The exact number of websites compromised is unknown, but Stapleton said millions of credit cards have been stolen, and that is just what is reported to the FBI. The true number is likely higher.
Unlike traditional skimming, e-skimming does not require physical access, so the criminals behind an attack can be located anywhere in the world.