eSkimming is on the rise, preying on the rapid acceleration in eCommerce arising from the COVID-19 pandemic.

While eCommerce activities have rapidly accelerated in the Asia Pacific due to the global pandemic, eSkimming malware attacks are also on the rise and becoming more sophisticated — a cause for concern as we continue to navigate an increasingly digital world in our daily lives.

David Capezza, Senior Director of Payment Systems Intelligence, Visa

Where consumers shifted during COVID-19, eCommerce fraud and attacks followed. With eCommerce merchants optimistic about upcoming peak festive shopping events, the threat of such eSkimming malware attacks looms even larger.

Last year, Visa’s Payment Fraud Disruption (PFD) team discovered a piece of malware and named it ‘Pipka’, an industry-first in its capability as a JavaScript skimmer to remove itself completely from detection. And more recently, the team issued a security alert that it has identified a new eCommerce skimmer named ‘Baka on several merchant websites across multiple regions. Baka was able to avoid traditional malware detection methods — indicating that it was created by a skilled developer.

What should businesses do to protect themselves and online shoppers on 11.11, Black Friday, Cyber Monday and 12.12? DigiconAsia touched base with David Capezza, Senior Director of Payment Systems Intelligence, Visa to discuss the latest ePayment threats and best practices to mitigate them.

Given recent changes in consumer habits and preferences, how has malware and security threats in the payments and eCommerce evolved in recent years? How will they continue to evolve?

Capezza: There has been a steady increase of cyber threats targeting eCommerce websites over the last 5 years. eCommerce skimming malware has matured from simple form stealers, to complete kits that include all of the tools needed to commit an attack start to finish. As the malware kits continue to mature, we anticipate the authors will offer complete software-as-a-service solutions. Visa Payment Systems Intelligence has analysed this malware evolution over time, highlighting new malware variants, including Pipka and Baka.

How is Baka different from other eCommerce skimmers that were previously discovered? What threat does it pose to eCommerce merchants in Asia Pacific and around the world? 

Capezza: Most notably, Baka is different for the secure method in which it requests and loads its malicious payload. The malware is uniquely encrypted each time it is loaded, making analysis more difficult. There are also multiple anti-forensic countermeasures to further frustrate security analysts.

Baka poses a similar threat to other common eCommerce skimming malware families. These skimming malwares all steal payment data from consumers during checkout. Baka’s skimming script is more difficult to capture and analyse, but can be found just as easily as any other eCommerce malware by monitoring and alerting on unauthorised changes to the content of your eCommerce website.  Visa is able to monitor for malware variants daily, using capabilities such as eCommerce Threat Disruption. 

How does Visa PFD support issuers, processers and merchants in proactively detecting, disrupting and mitigating malware and other security threats?

Capezza: Visa Payment Fraud Disruption (PFD) developed the eCommerce Threat Disruption capability to quickly identify threats to eCommerce merchants. This enables us to disrupt the threats before fraud occurs, and to facilitate the remediation of eCommerce merchant compromises as quickly as possible.

This capability, currently provided at no cost to the ecosystem and benefiting all eCommerce merchants, aims to provide a safer and more robust security payments ecosystem for the issuer, the acquirer, and most importantly, the cardholder.

Visa’s eCommerce Threat Disruption uses patent-pending technology and investigation techniques to proactively identify compromises in the eCommerce environment. By analysing merchant websites for malicious payment data-skimming malware, Visa is able to identify a potential compromise and provide guidance on how to remove the malware, thereby limiting the amount of time a merchant is compromised, and the window of exposure where payment data is at risk.

In one case, eCommerce Threat Disruption’s early detection was able to save as much as US$141 million, due to the ability to quickly identify and disrupt an eCommerce threat to an online service provider.

For eCommerce players, what constitutes a robust security strategy?

Capezza: In September 2020, Visa PFD released a report titled Website Security for eCommerce Merchants, which provides a detailed overview of the layered security strategy that eCommerce merchants can take to secure their payment environment. This includes keeping all your software up-to-date, enforcing strong authentication for users, encrypting and protecting your login pages, using a secure and PCI-compliant hosting provider, keeping your website clean, backing up your data, scanning your website for vulnerabilities, monitoring your website, and securing payment account data.

In light of the upcoming festive shopping season, what best practices can eCommerce players use to mitigate cybersecurity threats? What solutions are currently available?

Capezza: We would recommend that any stakeholder operating a payment environment now and during the upcoming peak sales season review the recommendations in the Website Security for eCommerce Merchants report.  Additionally, eCommerce merchants, acquirers, and other payment facilitators can stay up to speed on the latest in eCommerce Payment Intelligence by visiting the Visa Merchant Library.