FBI Warns of Hidden Online Shopping Threats, Including E-Skimming, 'Magecart Attacks'

The FBI's Portland, Oregon, office is advising online shoppers to build a "digital defense" against a type of hacking known as "e-skimming." The warning came Tuesday as part of a weekly initiative during October, which is National Cybersecurity Awareness Month.

The scam occurs when cybercriminals use skimming codes on payment-processing websites to steal credit card information and other personal identification, according a report by the National Initiative for Cybersecurity Careers and Studies (NICCS).

The hacking technique usually targets "third-party vendors," the report notes. That is in line with the FBI's statement that those most at risk of this type of hacking are small and medium-sized businesses, as well as any government agencies that accept credit card payments online.

While any business that accepts credit card information can be subject to e-skimming, large-scale operations tend to have the means to ward off such attacks, sources told the Detroit Free Press.

"Larger stores like Amazon are generally safe—breaches of giant online marketplaces could happen, but they dedicate such a significant amount of resources to security that it would be extremely unlikely," said Mike Browning, senior manager of content and public relations for San Francisco–based cybersecurity company RiskIQ, according to the Free Press.

The outlet also reported an uptick in "Magecart" attacks—a type of malware typically used in e-skimming hacks—and said the threat might affect some of the retail giants as well as their customers.

"Many customers are unaware that when you integrate code from other companies it actually has the same level of privilege as your own code," said Peter Blum, vice president of technology at Instart, in a June interview with TechRepublic. "That means this outside code can display messages to your users, exfiltrate sensitive data entered by users or stored in cookies, or even redirect the user to another site."

There are warning signs when a company is facing a Mageware attack, the NICCS reported. Multiple customer complaints of fraudulent activity on accounts following online purchases, seeing new, non-company registered domain and a recently edited JavaScript code are all signs businesses should heed in order to protect themselves.

FBI tips for the prevention of e-skimming fraud include:

  • Update and patch all systems with the latest security software. Anti-virus and anti-malware need to be up to date and firewalls strong.
  • Change default login credentials on all systems.
  • Educate employees about safe cyberpractices. Most important, do not click on links or unexpected attachments in messages.
  • Segregate and segment network systems to limit how easily cybercriminals can move from one to the other.
  • Report any instance of online fraud to the FBI's Internet Crime Complaint Center at www.IC3.gov or call your local FBI office.
The FBI is warning online shoppers about hacking threats during National Cybersecurity Awareness Month. Getty Images