If you think hardware credit card skimmers in brick-and-mortar payment terminals are bad enough, wait till you hear this. Physical card skimming's cyberspace equivalent has come of age and has been reportedly running rampant for months, quietly siphoning millions of online customers' credit card information and handing it over to cybercriminals.
In a recent blog post, de Groot detailed how hackers are exploiting vulnerabilities in popular retailing software found in most of the compromised merchants' online stores.
De Groot said he has been investigating the problem since November of last year when his own payment card information was stolen online. He then scanned a sample of 255,000 online stores and found 3,501 were already infected with skimming malware.
The list of compromised websites is troubling since it includes big labels and top brands, from car maker Audi, shoe outlets like Converse and Heels.com to music artist websites like Bjork's.
There are even credible reports that the web storefront of the National Republican Senatorial Committee had the credit card siphoning malware for almost six months before it was finally patched recently. If you have donated to the Republican campaign between March 2016 and earlier this month using this site, please check your credit card and banking statements for any fraudulent activity.
The question, then, is how this siphoning malware went unnoticed for months on end.
The malware has also evolved to the point that some versions even check for popular payment plugins like PayPal instead of just scanning for checkout webpages.
"Today, at least 9 varieties and 3 distinct malware families can be identified," de Groot warned. This could mean that multiple individuals and cybercriminal gangs are involved.
De Groot said it is up to online merchants to prevent such attacks and protect their customers, but some are unwilling to act because of the cost of software upgrades.
"New cases could be stopped right away if store owners would upgrade their software regularly," he stated. "But this is costly and most merchants don't bother."
His other solutions shift the policing responsibilities to credit card companies since they can always revoke the payment license of merchants with vulnerable payment software.
He also suggested that web browsers add compromised sites to safe browsing blacklists such as Chrome's. Once a site is on such a list, visitors will have to click through warning pages before they can access its checkout page. He said that this will force merchants to quickly resolve their issues.
Merchants can check whether their store is compromised by using MageReport. This site checks whether Magento, a widely used web shop software, is vulnerable to attacks. If a store is infected, de Groot recommends hiring a competent programmer to recover the hacked store and clean out any compromised website code.
Consumers should be careful when using any payment card online and regularly check the list of compromised websites we mentioned earlier. De Groot regularly updates this list with his latest scan results.
To read de Groot's findings about this scary hack, check out his official blog.