Customers of AeroGrow, the US-based seller of indoor gardening systems, recently became the latest victims of card skimming malware, an increasingly popular technique for stealing financial data from online merchants. According to a letter from AeroGrow to its customers, the malicious code responsible was likely to have been active for four months before it was discovered and removed.
Implanted in the vendor’s payment processing page, it skimmed and siphoned off personal customer information required to verify and process a payment, such as credit card numbers, expiry dates and CVV codes as they were entered.
Website Skimming Malware Remains the Attack of the Day
AeroGrow is not alone. Card skimming malware has become an increasingly common attack vector for criminals looking to capitalize on the eCommerce explosion. Just in the last year, the well-known hacking group Magecart carried out similar skimming attacks on high-profile brands including British Airways, Ticketmaster and Vision Express.
One of the main reasons for the technique’s growing popularity is its simplicity. Whereas criminals would once have targeted an online merchant’s database or its post-website internal network traffic to collect valuable user data, attacks such as these exploit its customers instead, collecting their financial credentials as they input them.
In addition, it offers criminals access to genuinely valuable information. Sensitive data held in a database, such as credit card numbers, will tend to be encrypted, while it’s unlikely that CVV numbers will be stored at all. But, by intercepting this data in real time, often via a third-party site or plug-in, criminals will enjoy unfettered access to highly valuable information which they can use – and in large amounts, too. Compromising a merchant’s server or individual endpoint will only deliver limited returns, but compromising a merchant’s website can deliver information in spades.
Protecting the User Journey
Although the theft itself may take place on the customer’s side of a transaction, the merchant is ultimately responsible for protecting customers from any malware campaign that targets their information. Provisions must be put in place that will prevent any personal information from leaving the site – regardless of the technique used – protecting the privacy of the data and thwarting any attempts to steal it.
Trusted Knight’s Protector Air is a cloud-based solution, invisible to the end-user, that stops transactional fraud by securing every browser session, and therefore ensuring the integrity of every transaction. Click to find out how Trusted Knight can protect your business – and your customers’ information.