If you’re a merchant with an e-commerce website, you undoubtedly accept credit and debit cards as payment. You may, like many online merchants, use a third party payment service to handle the credit cards, preventing the cards from going through your webserver. This setup can often give merchants a false sense of security, believing a breach of their webserver wouldn’t allow an attacker to steal credit card numbers. The truth is, however, attackers have a number of creative ways to steal credit cards from your website even if you are using an external payment service for accepting credit cards.
Indicators You May Have Been Breached
How does a card breach usually get on your radar? It’s often a number of different ways. It might be a call from a government or regulatory agency about data from your systems being sold on the dark web.
Sometimes a customer will call saying that they used their card on your site, and now they’ve had card fraud. When the you check the site for signs of a compromise, you don’t find anything and move on. However, just one of these complaints is usually a pretty good indicator of a problem. When a customer picks your site out, they’re often right.
Another way a card breach can come to a company’s attention is if a customer complains of a virus warning when visiting. Even if you don’t see a virus warning and your virus scan doesn’t pick up anything, do not dismiss it. Everybody uses different antivirus detection. Some desktop antivirus detectors are able to detect the possibility of a site pulling or pushing data to an untrusted site. This causes the virus warning.
The most common notification of a card breach is “common point purchase.” This is where the bank or credit card companies have noticed that cards used on your website were experiencing higher-than-average fraud. When a bank or card company flags your website as a common point purchase for this higher rate of fraud, they’re almost always correct.
How attackers breach server access
As a website owner, you may dismiss or accept the risk of seeming low-risk issues (such as missing patches, weak passwords, lack of hardening best practices and minimal logging) on your website because addressing these issues can take time and resources. However attackers often can chain these low-risk issues together to make a successful attack (in the ethical hacking community we call this “Low to Owned.”
For example, on a recent attack Sikich saw an attacker use a blind-SQL injection vulnerability to steal a partial shopkeeper password reset key from the ecommerce site database. The attacker used this to reset the password for a dormant account for a terminated employee. Using this account the attacker uploaded an product image file that had malicious code hidden in it. A missing patch allowed the attacker to then execute the code, and missing web server hardening settings allowed the attacker to use that code to upload a backdoor web shell to the server. This backdoor web shell gave the attacker control of the website.
The attack leaves few artifacts for your developers when they go to investigate, and the attacker uses obfuscation techniques making their backdoor very difficult to find.
How attackers steal credit cards
So the attacker has now breached your webserver. But they can’t steal credit cards, because the cards don’t go through the webserver, right? Wrong! Once the attacker has taken control of a webserver, they can change how the checkout process works. Common techniques include creating a fake payment page, inject client-side JavaScript code that scrapes card numbers in the browser, or even redirecting payments back through the compromised web server so that the card numbers can be stolen and recorded there.
It’s very possible nobody will notice these changes, which gives merchants a false sense of security while the attacker continues to steal card numbers for months.
Secure your e-commerce website
If you’re a merchant and you have an e-commerce website, you certainly have to buckle down server security probably more than you thought. Prevent unauthorized content management access. Look for pages that are changing without authorization. Set strong passwords and use multifactor authentication. Keep the site up-to-date with website software security patches. Don’t rely on consumers to notice that a link goes to a fake payment page. The burden upon security and providing a secure experience for your customers ultimately falls on you.
If you have any questions about your own e-commerce website security, please contact us at any time!
