Credit card-stealing malware is hiding in plain sight – don’t fall for it
Have you ever had to clean up the mess that comes with having your credit card or identity stolen? To say it’s a pain is a huge understatement. There are police reports to file, credit cards to cancel and replace, credit reports to freeze, and fraud alerts to place.
Nobody intentionally hands over their financial or personal info to cybercriminals, yet it happens all the time. From phishing emails to infected downloads, hackers know how to trick victims into accidentally giving away their data. Tap or click here to see how 2,000 online stores were compromised in one of the biggest e-commerce attacks in recent years.
And now, cybercriminals are hiding a new kind of malware in some really sneaky places online — and it’s nearly impossible to spot.
The new malware that steals your credit card info
You’ve heard of credit card skimmers, right? They’re sneaky devices criminals hide over (or in) gas pump credit card readers or even ATMs to “skim” your card info. Digital versions exist online, too.
A new one has been found hiding in social media sharing buttons — the icons you use to share a website, a post, you name it. After you click one of these buttons, the malicious code waits for you to type your credit card info into an online payment form.
This type of malware isn’t new, but it’s usually written into JavaScript. In contrast, by attaching it to images — in this case, SVG files — the code is easy to hide but very difficult to detect. You won’t know anything is wrong, and there’s a good chance your computer’s security software won’t, either.
Let’s say you click on a promoted post or an ad for an item you want. You head to the site and fill out the payment form. If the Magecart script is hidden in social media icons hosted on the site, there goes your credit card info.
Watch for phony gift cards, too
That’s not the only scam making the rounds. As we close in on the holidays, more online crooks are stealing gift cards. Some of the most sought-after are for retail giant Target.
To steal these gift cards, cybercriminals will lure you to sites to check your card balance. If you end up on one of these dummy sites, you’ll be asked to enter your gift card information. When you hit “Check my balance,” the info you entered will go right to the scammer. Plus, these sites use domain names that are similar to the real ones, making it difficult to spot the dupes.
My advice? If you’re going to check the balance on a gift card, go directly to the retail site and navigate to the gift card section from there. Don’t do a Google search, and don’t click on sites like TargetGiftCards(dot)com or WalmartGiftCards(dot)com.
Related: Scammers are targeting Facebook users and pet owners
How to protect yourself from this kind of malware
It’s tough to preempt this kind of attack because you can’t see it coming, and, in the case of the Magecart card skimmers, the code is truly hidden. The best thing you can do is to use secure payments online — and that doesn’t mean credit cards.
- Use PayPal, Venmo or Zelle to pay for your purchases. Instead of entering payment info on the site on which you’re shopping, you’ll be redirected to the PayPal or Venmo sites to complete the purchase. The payment will go straight from the payment platform to the recipient, keeping your payment information private and protected from skimmers. Tap or click here to find out more about peer-to-peer payment apps.
- Pay with a prepaid card. This keeps your bank and personal information private from the criminals behind the malware. You can only spend what’s on the prepaid card, and if you load it just for the amount of the purchase, there’s nothing left to steal.
- Use Google Pay or Apple Pay to make your purchases. Again, this adds another layer of protection. These virtual wallets are some of the most secure methods of payment, so consider opting for them instead of putting your payment information directly into a retailer’s online form. For more information on making safe payments online, tap or click here.
Stay on your cybersecurity game. Criminals are out in full force right now, and it’s up to you to keep your wallet safe — digital or not.
Tags: cybercriminals, cybersecurity, fraud, malware, phishing