FBI Warns Companies About Eskimming

'Eskimming' is becoming a big enough problem that the FBI is releasing advisories on it. The Bureau’s Oregon office highlighted the issue in an edition of its Tech Tuesday advice this week. “This warning is specifically targeted to small and medium-sized businesses and government agencies that take credit card payments online,” it said. The FBI has also partnered with the Department of Homeland Security and the Secret Service to target eskimming criminals.

We’ve all heard of credit card skimming, where someone fits a hardware reader over an ATM or EPOS device. When you swipe your credit card, the skimmer reads its magnetic stripe and stores the data for the attacker to retrieve later. The attacker can then use it to clone the card, which is still useful in areas that haven't widely adopted chip-and-PIN technology.

Attackers have replicated this process online by injecting malicious code onto a website that captures your payment card details and/or your sensitive personal information. That’s eskimming.

“The bad actor may have gained access via a phishing attack targeting your employees – or through a vulnerable third-party vendor attached to your company’s server,” the FBI explained.

The eskimming problem has taken off thanks to several groups of ne'er-do-wells that target ecommerce sites. Many of their targets were built on the online content management system Magento, but they also attack many other payment platforms. One of these groups was also linked this week to the infamous Carbanak group, which targets banks.

The techniques used by these eskimming groups continue to evolve. For example, earlier this year Malwarebytes researcher Jérôme Segura noticed that eskimmers were injecting IFRAMEs directly into third-party payment frames to harvest credit card details. This means ecommerce sites using third-party payment systems aren’t safe either.

The advice in the Tech Tuesday Tips post was pretty basic: patch your software, use strong credentials, don't reuse passwords, and implement multi-factor authentication. It also warned companies to segment their networks.

In a one-minute-long ‘podcast’ last week (it’s unlikely to make it to the iTunes top 10) the Bureau’s experts expanded a little. In addition to the above advice, Lieutenant Chu, acting assistant chief of the FBI’s cyber-engagement and intelligence section, warned companies to scan and monitor web applications for unauthorized access and conduct regular network penetration tests.
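As an added illustration of the monitoring advice above (this is example code, not from the FBI advisory or this article), here is a small Python baseline check for a checkout page: it flags script or iframe sources whose host is outside an allowlist, and inline scripts whose hash no longer matches a recorded baseline, which is the kind of change an injected skimmer or payment-frame iframe produces. The hostnames, allowlists and sample pages are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed baseline for a hypothetical shop (example hosts, not real data).
SHOP_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {SHOP_HOST, "js.pay.example"}
ALLOWED_IFRAME_HOSTS = {"js.pay.example"}

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class CheckoutAuditor(HTMLParser):
    """Collect external script/iframe sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.inline = [], [], []
        self._buf = None  # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs["src"])
        elif tag == "script":
            self._buf = []
        elif tag == "iframe" and attrs.get("src"):
            self.iframes.append(attrs["src"])
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def host_of(url):
    """Hostname of a URL; relative URLs are served by the shop itself."""
    return urlparse(url).hostname or SHOP_HOST

def audit(html, known_inline_hashes):
    """Return findings; an empty list means the page matches its baseline."""
    p = CheckoutAuditor()
    p.feed(html)
    bad = [f"script from unexpected host: {s}" for s in p.scripts if host_of(s) not in ALLOWED_SCRIPT_HOSTS]
    bad += [f"iframe from unexpected host: {s}" for s in p.iframes if host_of(s) not in ALLOWED_IFRAME_HOSTS]
    bad += [f"inline script changed: sha256 {sha256(b)[:16]}" for b in p.inline if sha256(b) not in known_inline_hashes]
    return bad

# Constructed sample: the known-good checkout page and a tampered copy.
GOOD_INLINE = "window.cart = {total: 42};"
KNOWN_HASHES = {sha256(GOOD_INLINE)}
CLEAN_PAGE = ('<script src="/static/checkout.js"></script>' f'<script>{GOOD_INLINE}</script>'
              '<iframe src="https://js.pay.example/card"></iframe>')
TAMPERED_PAGE = CLEAN_PAGE + '<script src="https://stats.example.net/lib.js"></script>'
```

Run `audit()` against a fresh fetch of the checkout page on a schedule and alert on any non-empty result; the baseline hashes must be updated whenever a legitimate deploy changes the inline scripts.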
