PCI SS Council Identifies ‘Magecart’ As The Next Big Threat For Hotel Businesses

August 1, 2019 – The PCI security standards council (PCI SSC) and the Retail & Hospitality ISAC have released an immediate press release highlighting the emergence of a new financial threat for hospitality businesses. 

Online Skimming, is the new malicious cybervulnerability on the block threatening eCommerce websites with what are being called “sniffers” (or JavaScript sniffers). These as identified by the PCI-SSC and the ISAC have proved difficult to detect. 

Online skimming sniffers tend to infect websites with malicious code that then begins skimming payment card information during transactions, with both merchants and consumers unaware of what is happening.      

Security researchers have termed these hacker groups, Magecart. Online skimming has been actively conducted by cybercriminals since 2015 but used to be detectable by most popular security suites. These evolved versions have now evolved into a completely new malicious cyberweapon even used against international organizations. 

How Do Online Skimming Attacks Work 

Cybercriminals use various techniques to infiltrate eCommerce websites that include:

• Exploiting vulnerable plugins
• Brute force login attempts & credential stuffing 
• Phishing
• Social engineering techniques  

Irrespective of the technique, their primary aims ins infiltration and injecting the malicious code. Generally, cybercriminals attack eCommerce websites directly, or, inject code into a 3rd party software library that merchants rely on. 

Some examples of 3rd party apps that skimming attackers infiltrate include live chat plugins, customer rating apps, and advertising scripts (hello bars, widgets, etc.). Since one 3rd party app can be used over multiple websites, attackers can gain access to multiple websites by compromising a single domain. 

As soon as a buyer enters their payment information during checkout the malicious code is triggered. Once the JavaScript executes it silently collects a vast array of data including billing addresses, names, emails, phone numbers, credit card details, usernames, and passwords. 

How to Detect “MageCart” Online Skimming Attacks

Considering the damage this threat can cause to a hospitality business and its guests, the PCI SSC offers a clear roadmap to ensure detection of these attacks:

• Perform code reviews & identify potential coding vulnerabilities 
• Implement security vulnerability assessments and test web plug-ins & apps 
• Conduct comprehensive audits of logging, reviewing logs, and security events for the entire system to identify malicious code and activities
• Integrate file-integrity monitoring and change detection software suites 
• Perform internal and external network vulnerability tests & scans 
• Identify security weaknesses with “period penetration testing”

How to Prevent “MageCart” Online Skimming Attacks

Since the detection of “magecart” attacks is not very easy, it’s ideal to keep eCommerce websites and hospitality portals updates with all the latest security patches. Here is a list of PCI DSS recommended best practices to stop online skimming attacks from happening altogether:

• Disable unnecessary ports/services/functions and configure components securely in accordance with industry-accepted system hardening standards 
• Implement malware protection and keep up to date 
• Apply security patches for all software 
• Follow secure coding practices and perform code reviews 
• Restrict access to only what is absolutely needed and deny all other access by default
• Use strong authentication for all access to system components 
• Implement intrusion-detection and/or intrusion-prevention to detect and prevent intrusions 
• Conduct proper due diligence prior to engagement of third-party service providers and monitor service providers’ PCI DSS compliance status 
• Additional controls for hosting service providers to protect their customers’ hosted environments and data