Source: Metamorworks via Shutterstock
Retailers in the Middle East and Africa account for a greater number of victims of Web-skimming attacks, but with a small fraction of the total number of consumer victims.
In the latest discovery of such an attack, an independent researcher claims to have uncovered Web-skimming code on a staging server of clothing retail site Khaadi, based in Pakistan and the United Arab Emirates. The code was discovered during an investigation into a Web-skimming attack on another website, that of a German football team, with an Internet-wide search uncovering 1,800 other potential compromised sites.
The discovery underscores that Web-skimming attacks, also known as Magecart attacks, continue to be a threat, says the independent cybersecurity researcher Gi7w0rm (Gitworm). Magecart is the term used for attacks that place card skimmers on e-commerce sites to steal payment card information.
"Web skimming attacks are still a thing because they still generate the criminals enough money to be viable income vectors," he says. "And the easiness with which actors can compromise a huge number of Web shops to get valid CC [credit card] data certainly contributes to it."
For the most part, Magecart attacks are relatively rare in the Middle East and Africa. While the MEA region has a younger population more readily adopting technology and shopping online, they are less likely to use traditional credit cards and more likely to use modern mobile-payment technology. In addition, North American and European credit card accounts typically have a better return on investment for cybercriminals.
The Middle East and Africa accounts for less than 2% of all stolen credit cards. Source: Recorded Future
Even so, the region is not immune to these attacks. Of the nations in the Middle East and Africa, Turkey — which is often included in both the European and MEA regions — shows up on the list of top-10 counties affected by skimming attacks, ranking third on the list, accounting for 5.5% of all detections, according to data collected by cybersecurity firm ESET.
"Magecart Web skimmer attacks are not very targeted," says Ondrej Kubovič, a security evangelist with ESET. "The groups behind them are after money, so they are not very picky and typically compromise as many e-shops in as many locations as they can reach via the attack vector they choose. Of course, the attackers are probably willing to invest more time and effort into compromising larger e-shops, as the ROI for them is potentially higher, even if security of those websites is a bit better than the security of their smaller competitors."
Compromised Cards
Overall, the Middle East and Africa account for less than 2% of all compromised credit cards discovered in 2023, according to data from threat intelligence firm Recorded Future. The country with the most compromised cards, South Africa, saw a dramatic drop (42%) to 280,000 compromised cards posted to Dark Web carding shops, while the fifth most-targeted nation, Egypt, saw a quadrupling to 80,000 in the number of its citizens' cards posted online. (Recorded Future classifies Turkey as part of Europe. If it was grouped with MEA, it would be ranked No. 1 on that list, following a 67% increase in compromised cards in 2023.)
"Ultimately, regional market differences likely signify that fraudsters perceive records in certain regions as having more or less value for fraud than those issued in other regions," Recorded Future stated in "Annual Payment Fraud Intelligence Report: 2023."
The attacks are unlikely to be geopolitical in nature and typically focus just on monetizing the ability to insert code into websites, says David Alves, a security analyst at Jscrambler.
"We may see an increase in targeting regions with growing digital economies and less mature cybersecurity practices," he says. "But generally, attackers are going after the prize, not the place."
Magecart Defenses
Skimming attacks will become harder to detect with more sophisticated evasion techniques, forcing website owners to take better care of the security of their sites and the third-party code they use.
Attackers target popular third-party components in order to hit a large number of victims with a single attack, says Jscrambler's Alves.
"Attackers target the 'weakest link' of the supply chain, which is typically the vendor with the fewest resources allocated to cybersecurity," he says. "This type of attack also increases the threat actors’ potential return on investment, as it allows them to target multiple companies in just one attack."
Plug-ins and third-party components harboring vulnerabilities are mainly abused in cyberattacks, so e-commerce firms should only run patched components and disable any plugins with known vulnerabilities. Vulnerabilities in WordPress plug-ins, for example, can impact tens of thousands of sites, making them attractive to Magecart groups, and thus, critical to patch quickly.
In addition, Web stores should ensure that they have a content security policy (CSP) implemented in their page headers, which restricts how certain browser capabilities such as JavaScript and CSS can be used. Finally, website scanners can determine if any scripts are reaching out to unknown or malicious sites.
"Unsolved Mystery"
Researcher G17w0rm reported the Web-skimming code to both Khaadi and Pakistan's Computer Emergency Response Team (PK-CERT), on Jan. 2, with a follow-up on Jan. 7. Neither organization responded, he says.
"As of today, these subdomains of Khaadi remain compromised," he says. "This can be seen and proven when opening one of the affected domains, putting something in the basket and going to the checkout page."
He noted that the webpages affected by the code do not currently seem to be in use by the retailer, making it less likely that customers are affected. "It's an unsolved mystery to me why there are several working Web shops on the Khaadi.com domain, but as I was not able to talk with them I can't really get an inside view," he says.
The retailer did not return an email request for comment sent by Dark Reading.