Business Reporter

Keeping consumers safe from web skimmers

Pedro Fortuna at Jscrambler explains how to stop web skimmers from exploiting e-commerce this holiday season

 

E-commerce has come to dominate the retail world in recent years. With yearly retail events like Black Friday causing as much traffic in 48 hours as the rest of the year, the internet has become the central hub of trade where transactions occur every second.

 

Core to this activity is JavaScript, the programming language that breathes life into modern websites. Roughly 99% of websites utilize JavaScript, and its versatility enables everything from simple data collection forms to complex web applications. 

 

However, this ubiquity comes with a price – a heightened risk of security breaches, especially data skimming attacks on payment pages. The risk is amplified when tag managers and third-party scripts, often used for enhanced functionality and user experience, lack proper oversight.

 

The threat of e-commerce attacks is especially prevalent during the busy holiday period. It’s estimated that UK shoppers will spend £24.1 billion online between November 1st and December 31st this year. With each of those transactions comes a chance that cybercriminals are lurking to steal customer data.

 

So, as the e-commerce world faces the Christmas rush, what are the most important threats merchants should be aware of? And how can they mitigate these risks and protect their customers?

 

Hidden dangers of unmonitored scripts

The reliance on third-party tags and JavaScript in e-commerce is a double-edged sword when not properly monitored. While it enables dynamic and user-friendly websites, poorly secured JavaScript creates significant security risks. 

 

Unmonitored and outdated JavaScript elements can be exploited in code injection attacks that covertly place malicious code on the website. A vulnerable server can also be breached and the content of the JavaScript files it serves changed.

 

Once malicious code is running on a website, attackers can do whatever they wish, from changing what the user sees to collecting any data handled on the pages where the malicious code runs. For e-commerce websites, the biggest threat is web skimming, also known as e-skimming or Magecart attacks.

 

Threat actors typically target payment pages where customers enter personal and credit card details. The malicious code is designed to capture the information at entry and then transmit it to a server controlled by the attackers. 

 

Because they take place in the browser, these attacks can be very stealthy and remain active for months without being noticed, leaving the customer and the website owner with no idea data theft has occurred.

 

Indeed, when the victim is later hit by fraudulent activity using their stolen details, they will likely have no idea when and where the data leak occurred. This is especially true in the busy holiday period, where a shopper may rapidly visit a dozen different retailers. 

 

This security concern has not gone unnoticed. The Payment Card Industry Data Security Standard (PCI DSS) version 4.0, released in March 2022, is a testament to the growing recognition of these risks. The new version, which comes into effect on April 1, 2024, introduces 64 new requirements, and part of the new requirements focuses on safeguarding payment pages from web skimming. 

 

Two notable inclusions are Requirement 6.4.3, which mandates that merchants authorize and justify every script running on their payment pages, and Requirement 11.6.1, which calls for detecting and alerting on any unauthorized change to those scripts or to the response headers, since such changes may result in the leaking of payment data.

 

These requirements underscore the urgent need for e-commerce websites to gain visibility into and control over their third-party scripts, ensuring compliance and safeguarding against cardholder data leakage.

 

Why do third-party scripts increase the risk?

While any JavaScript can potentially be vulnerable to an integrity attack, third-party scripts should be the primary focus of an e-commerce company. A significant amount of third-party JavaScript is added to websites via marketing tools like tag managers to help companies track users, promote ads, and analyse usage to improve the web experience.

 

If there’s a marketing need, there’s a tag to fulfil it, which makes it easy for e-commerce merchants to introduce an elevated level of risk to their website. It’s common to find websites adding large numbers of third-party scripts without considering how much data each script can access. With added business pressure to grow, more third-party scripts are being added to websites all the time, making more conscious third-party security practices essential.

 

Some websites have more than one hundred third-party scripts on their payment pages. Since a single compromised script can be enough to facilitate a web skimming attack, these elevated numbers pose a serious risk. 

 

Best practice for securing JavaScript

It’s evident that e-commerce companies must adopt robust protection strategies to safeguard payment data. The key lies in gaining visibility and understanding over the third-party scripts running on their websites, particularly on payment pages. Fortunately, multiple steps can be taken to immediately start identifying scripts and assessing their potential risks.

 

The first step, and a quick win, is to cull unnecessary scripts that are not critical to the business. Naturally, some scripts might be crucial for business and must be kept as long as there is a justification for why they’re there. Paring down any redundant or unused scripts and limiting them to those essential for the website’s functionality will immediately reduce the risk of data skimming.

 

Alongside this, companies should also have the capacity to monitor and block any unauthorized script change or behaviour. As per PCI DSS Requirement 11.6.1, any alterations in scripts or page headers on payment pages - especially unauthorized changes - should trigger immediate alerts. After being alerted of risky behaviours, companies must be able to block these actions and, pending approval, allow them again later. This proactive approach enables companies to respond swiftly to any potential threats before they can impact customers. 

 

Another crucial step is for merchants to have complete visibility of all scripts running on the payment page: knowing every script present there, whether it is authorized, and having a written justification for why it’s there, as PCI DSS Requirement 6.4.3 mandates.

 

One way to do this is to keep an inventory of all the scripts together with a written justification of each one’s purpose. In the case of a script accessing payment data, the justification must explain why it needs that access. This isn’t a one-and-done exercise either - regular audits are crucial to keep track of changing scripts and to ensure no malicious behaviour is introduced.

 

Payment page security - a major priority

Cyberattack tactics like web skimming will continue to pose a major threat to e-commerce, especially during busy sales periods. However, threat actors are banking on being able to covertly slip malicious code into compromised scripts without anyone noticing. 

 

Companies can defeat this tactic and create a more secure online shopping experience by rigorously managing and monitoring scripts, limiting what third-party scripts have access to (especially on payment pages), and adhering to stringent security standards like PCI DSS. Organisations should also look beyond the scope of security standards, as these usually provide a baseline of security but don’t touch all issues.

 

Merchants need a proactive approach to client-side protection that goes beyond compliance; it’s about demonstrating a commitment to protecting customer data.

 

As e-commerce continues to grow, prioritising the security of payment pages will enable companies to safeguard their customers during the Christmas rush and beyond. 

 


 

Pedro Fortuna is CTO at Jscrambler

 

Main image courtesy of iStockPhoto.com

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543