I had the privilege of interviewing Yonathan Klijnsma, head threat researcher at RiskIQ and the world’s foremost expert on Magecart. Klijnsma has spent over 10 years in threat intelligence. He has a lot of experience analyzing digital crimes and tracking hackers, particularly those who do online credit card skimming.
Below you’ll find an audio recording of the interview, and Klijnsma’s answers to my questions about online credit card skimming (aka formjacking) and how we can shop safely online.
Questions and Answers About Online Credit Card Skimming (Formjacking) and Safe Online Shopping
1. What piqued your interest in cybersecurity in the first place?
Klijnsma has always been interested in how things work. He says that once you know how something works, you can figure out how to get around it, and reach the bounds of what’s possible with it.
He describes cybersecurity and threat intelligence as solving a puzzle, and understanding how something happened.
I’ve noticed that it’s common for people in the digital security space to have an engineering mindset, learning how things work and reverse-engineering.
2. Your expertise is in tracking Magecart, which is when bad guys insert code on ecommerce checkout pages to steal payment card details. Is that right?
Klijnsma explains that Magecart is an evolution in stealing payment data, by stealing it from the buyer’s browser during checkout, rather than breaching the ecommerce website. When you fill out your payment info on a checkout form, before you submit it to the website, a script (code) sends your payment data to a Magecart server, so they can sell it or use it in fraud.
Klijnsma says that RiskIQ coined the term Magecart to describe online card-skimming. The Mage part of the name comes from the mage.php file in Magento, open-source e-commerce software. The cart part of the name comes from the fact that the skimming happens inside the ecommerce cart.
RiskIQ has been tracking Magecart since 2015, according to Klijnsma, and they know it started in 2014. He describes Magecart as “a really big thing” and “growing.”
Klijnsma says that thieves don’t need to compromise an ecommerce site to get their skimming code onto it, because sites often pull in external content (such as ads and other services). They can compromise any of those third-party services, such as an ad provider, and affect every site that uses that service. For example, Ticketmaster was a victim of Magecart. Their site wasn’t compromised, but two of their external providers were, and Magecart got into their site that way.
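To make the supply-chain point concrete from the defender’s side, here is an added example (not code from the interview, from RiskIQ, or from any of the sites named) in JavaScript: it inventories the external scripts on a checkout page, flags third-party ones that are not pinned with Subresource Integrity, and checks whether a Content-Security-Policy connect-src directive would let a script in the page send data to an unexpected host. The hostnames, the HTML snippet, the digest value, and the two policies are all constructed for the example.

```javascript
// Added example: audit a checkout page's external scripts and test a CSP
// connect-src allowlist. Everything below (hosts, HTML, digest, policies)
// is constructed; none of it comes from a real merchant.

const FIRST_PARTY = 'shop.example';

// Constructed checkout page: one first-party script, one third-party script
// pinned with SRI, one third-party script without it (the kind a compromised
// ad or analytics provider could quietly swap for a skimmer).
const CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.analytics-provider.example/tag.js"
        integrity="sha384-CONSTRUCTED_DIGEST_FOR_EXAMPLE" crossorigin="anonymous"></script>
<script src="https://ads.third-party.example/loader.js"></script>
</head><body><form id="payment"></form></body></html>`;

// List every external <script> with its origin classification and whether
// it carries an integrity attribute.
function auditScripts(html, firstPartyHost) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline script: governed by CSP, not by SRI
    const url = new URL(src, `https://${firstPartyHost}/`);
    scripts.push({
      src,
      host: url.hostname,
      thirdParty: url.hostname !== firstPartyHost,
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return scripts;
}

// Third-party scripts without SRI can change at the provider without the
// merchant noticing; those are the findings worth acting on.
function unpinnedThirdPartyScripts(html, firstPartyHost) {
  return auditScripts(html, firstPartyHost)
    .filter(s => s.thirdParty && !s.hasIntegrity)
    .map(s => s.src);
}

// Parse a Content-Security-Policy header into directive -> source list.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Would the browser let page script open a connection (fetch, XHR,
// sendBeacon) to `host` under this policy's connect-src directive?
function connectAllowed(cspHeader, host, firstPartyHost = FIRST_PARTY) {
  const policy = parseCsp(cspHeader);
  const sources = policy['connect-src'] || policy['default-src'] || ['*'];
  return sources.some(src => {
    if (src === '*') return true;
    if (/^https?:$/.test(src)) return true;        // scheme-source: any host
    if (src === "'self'") return host === firstPartyHost;
    const pattern = src.replace(/^https?:\/\//, '');
    if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
    return host === pattern;
  });
}

// Weak policy: any https destination is allowed, so a skimmer's POST goes out.
const WEAK_CSP = "default-src 'self' https:; script-src 'self' https:";
// Corrected policy: only the merchant and its payment provider may be contacted.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://cdn.analytics-provider.example; " +
  "connect-src 'self' https://api.payments-provider.example";
```

The CSP check is the part that matters even when a pinned script is replaced through some other route: a skimmer still has to send the captured card data somewhere, and a tight connect-src denies it that connection at the browser.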
3. Do you have any idea how many websites or consumers have been affected by Magecart?
Klijnsma says RiskIQ doesn’t know, because it’s very hard to track. They’ve seen tens of thousands of ecommerce sites infected with Magecart. However, a single supply chain incident affected 100,000 sites, though not all of those were ecommerce sites, and even for those that were, not all of them had the malicious code on checkout pages.
4. What do you know about the people behind Magecart?
Klijnsma explains that the first group (Magecart Group 1) was into carding (stealing credit cards) by breaching organizations and reshipping (mailing packages to US residents, who then mail them outside the US) for a long time prior to getting into online card-skimming. That group pioneered the way to avoid compromising the ecommerce site by targeting the consumer instead. They did this because multiple parties were compromising the same websites, breaking the websites.
Magecart Group 4 was into banking malware (modifying transactions, or phishing) before getting into online card-skimming, says Klijnsma. They used that experience in replacing ecommerce payment forms with their own.
Klijnsma describes Magecart Group 6 (FIN6) as having been into carding and being behind several large data breaches. They phish people in the organization (for example, with fake job offers) to get access to the organization’s network. They figure out the network infrastructure to see how payment data moves through the network. They then skim payment data from the network. They learned from other groups and started skimming from websites, including British Airways.
Several different groups are now using the same online card-skimming methods, according to Klijnsma.
“The easier you make it to do a payment, you’ll probably make it easier for the bad guy as well.”
Yonathan Klijnsma
5. You’ve seen skimming of other form data, besides payment info, right?
RiskIQ has seen groups experiment with grabbing other data, says Klijnsma. They use filters to target pages, such as login pages. RiskIQ has also seen them watch for someone to be in a website’s administration panel, and capture data that admin enters. That allows them to grab usernames, passwords, and other administrative data, to gain further access to the website.
Klijnsma says RiskIQ has even seen others skim any information a person submits to a website, making the code act as a keylogger (software that records the keys being typed).
6. What types of ecommerce sites are most vulnerable to Magecart?
Businesses for which ecommerce isn’t core to their operations are more vulnerable, says Klijnsma, because they’re not as invested in or knowledgeable about ecommerce. They’re not aware of the dangers. He says most sites that are hit by Magecart are small stores focused on selling products, unaware of website security.
Klijnsma says that generally, the bigger the store, the more knowledgeable they are, the more likely they are to have security staff, and the better they take care of their store. He says that large retailers in the US have many people watching their sites, infrastructure, and security controls.
However, notes Klijnsma, no matter how big a website, there’s still the chance of an external third party being compromised. See the Ticketmaster example described above.
Klijnsma’s advice for ecommerce website owners
- Keep the site updated. Enable automatic updates.
- Keep your website as lean as possible. Install as few third-party plugins as possible. Use as few third-party services as possible.
- Consider using a hosted, managed service such as Shopify, especially if you’re a small store or don’t have the technical ability to administer a website.
- In short, use a hosted service unless there’s a good reason not to. If you run your own site, keep it updated, lean, and simple.
I added that the barrier to entry for having an ecommerce site has dropped, but many people aren’t prepared to handle website security. They don’t think about it until they suffer an incident.
7. Including Magecart, what are the biggest threats consumers face related to shopping online?
“The biggest threat when you do online shopping is still that card you have in your hand. … That piece of plastic in your hand—they want to know the numbers that are on the front and back.”
Yonathan Klijnsma
Klijnsma says payment data is the biggest target because thieves can sell that data or use it themselves. However, thieves also use secondary ways of making money:
- Fake tech support scams
- Fake software updates (purporting to be an Adobe Flash update, or a browser update)
- Fake stores (that charge your card and never send your product)
- Fake products (which can be sold through legitimate ecommerce sites)
8. When someone is at home, shopping online, what steps should that shopper take to shop safely?
Start by asking, “Do I trust this website?” Klijnsma advises. Check its reputation. How long has the store existed? Try to figure out who the store owner is, by checking the Contact and About pages. If the store is less than a year old and based in China, selling products that look similar to another company’s, be suspicious.
Klijnsma says if a product is available on a trusted site like Amazon, consider buying it there, because Amazon is generally safer than self-hosted (independent) ecommerce sites.
Try to avoid entering your card details into the website, Klijnsma recommends. With Amazon, your card is stored in your account, so you don’t need to enter it. Another way to avoid entering your card details is to use Apple Pay or a similar mobile payment system. That sends a one-time token rather than your actual credit card details. Even if someone skims the token, they can’t use it. Not all sites accept digital or mobile payments.
Klijnsma recommends that you keep an eye on your card activity. And don’t watch only for large transactions; some thieves run small charges.
If you suspect that your card was skimmed, whether you see a suspicious transaction or not, call your card issuer and request a new card, advises Klijnsma. They’d rather issue you a new card than have a fraudulent transaction go through.
9. Other than requesting a new card, are there any other steps a victim of online card-skimming should take?
If you want to help other people, says Klijnsma, you should contact the ecommerce site and tell them about the theft. If they ignore you, you can contact law enforcement. The FBI is very interested in going after these crimes.
Klijnsma says you can also contact the payment provider, because they can track the number of fraudulent transactions that occur when buyers are buying from a merchant.
10. Besides Apple Pay, are other digital payments like PayPal, or virtual one-time credit cards, better than using your credit card?
Yes, says Klijnsma, because they put a barrier in front of your card. If you use PayPal, choose to use the credit card linked to your PayPal account; don’t enter your credit card details into the checkout form.
11. If a shopper is shopping online when away from home, are there any other steps they should take?
If your browser shows a warning, or you suspect something is wrong, wait to buy until you’re home, Klijnsma says. Or, use your cellular data, which is safer than public Wi-Fi.
Klijnsma says the dangers of public Wi-Fi are often overstated; it’s not that you’ll definitely be attacked whenever you use public Wi-Fi. However, with public Wi-Fi “there are more risks, that’s for sure” than using your own network or cellular data.
12. How can parents help their kids shop safely online?
Klijnsma suggests that you help your kids make purchases, because it’s harder for kids to check if a site is legitimate. He says you should present it as you wanting to help them, or to buy together. He warns that if you make it sound like they’re not allowed to buy anything without you, that could be counterproductive.
You should teach your kids to beware deals that sound too good to be true, such as those promoted on social media, says Klijnsma.
13. Are there particular browsers you recommend using or avoiding, for better security?
Klijnsma doesn’t recommend any particular browser. He’s a fan of Chrome because it does active blocking and is actively developed. He also likes Firefox for the same reasons. He doesn’t use Windows so he doesn’t have much experience with Internet Explorer or Edge.
Card-skimming code is generic, and runs on any browser, Klijnsma explains. So there’s nothing inherent in any browser that would protect you from card-skimming.
Major browsers use lists to block known malicious websites, says Klijnsma. Chrome uses Google Safe Browsing, and Microsoft Edge uses SmartScreen. When RiskIQ identifies Magecart code, they report it to Google Safe Browsing.
14. Is there any particular security software, such as anti-malware software, that you recommend using or avoiding?
“It will always help you … it won’t impede you in any way,” says Klijnsma. He says antivirus (anti-malware) vendors are actively looking at how to handle online card-skimming because consumers are asking for their help. Klijnsma says antivirus generally won’t be able to detect the skimming code itself, because it doesn’t operate within the browser in a way that would let it do that. However, he says that a lot of security software watches your traffic, and if it sees that your device is trying to send payment data to a known malicious domain, it will block it.
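As an added example of the traffic-side blocking Klijnsma describes (not RiskIQ’s logic or any antivirus vendor’s), the JavaScript below runs a simple rule over constructed proxy log lines: a request to a known bad host is blocked, and a POST made from the checkout page to any host other than the merchant or its payment provider raises an alert. The log layout, the hostnames and the blocklist entry are all constructed for the example.

```javascript
// Added example: a traffic rule of the kind a network-watching security
// product or a merchant's own egress proxy could apply. All hosts, the
// blocklist entry and the log lines are constructed placeholders.

// Constructed blocklist entry standing in for a domain a threat feed has
// already tied to skimming.
const KNOWN_BAD_HOSTS = new Set(['collector.skimmer.example']);

// Hosts that legitimately receive data while the customer is on checkout.
const EXPECTED_PAYMENT_HOSTS = new Set(['shop.example', 'api.payments-provider.example']);

// Constructed proxy log in a "timestamp method host path referer bytes" layout.
const PROXY_LOG = [
  '2019-11-20T10:01:02Z GET cdn.analytics-provider.example /tag.js https://shop.example/checkout 4120',
  '2019-11-20T10:01:09Z POST api.payments-provider.example /v1/charge https://shop.example/checkout 512',
  '2019-11-20T10:01:09Z POST collector.skimmer.example /gate.php https://shop.example/checkout 498',
  '2019-11-20T10:01:10Z POST img.unknown-cdn.example /pixel https://shop.example/checkout 470',
  '2019-11-20T10:02:30Z GET shop.example /thanks https://shop.example/checkout 2048',
];

// Split one log line into its fields.
function parseLine(line) {
  const [ts, method, host, path, referer, bytes] = line.split(' ');
  return { ts, method, host, path, referer, bytes: Number(bytes) };
}

// Decide what to do with one request. A blocklisted host is blocked outright.
// A POST issued while the user is on the checkout page, to a host that is
// neither the merchant nor its payment provider, is the pattern worth
// alerting on even when the host is not yet on any list.
function classify(req) {
  if (KNOWN_BAD_HOSTS.has(req.host)) return 'block:known-bad-host';
  const fromCheckout = /\/checkout(\?|$)/.test(req.referer);
  if (req.method === 'POST' && fromCheckout && !EXPECTED_PAYMENT_HOSTS.has(req.host)) {
    return 'alert:unexpected-post-from-checkout';
  }
  return 'allow';
}

// Run the rule over the whole log and keep only the findings.
function scanLog(lines) {
  return lines
    .map(parseLine)
    .map(r => ({ host: r.host, verdict: classify(r) }))
    .filter(r => r.verdict !== 'allow');
}
```

The second rule is the more useful one in practice: skimming domains rotate, so a blocklist alone lags, while "checkout page talks to a host we never approved" needs no prior knowledge of the attacker’s infrastructure.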
“Security has always been about layering.”
Yonathan Klijnsma
This is the concept of defense in depth: have multiple layers of security, so any weakness in one layer can be mitigated by the additional layers.
15. It seems that many US consumers don’t care about credit card theft because card issuers offer zero fraud liability. Do you think that contributes to the problem?
Klijnsma is originally from the Netherlands. Between the Netherlands and the US “there is a big difference, culturally, with money,” he says. In the Netherlands, banks try to reduce fraud to as close to zero as possible, whereas in the US, there’s more emphasis on keeping money moving.
Klijnsma explains that Europe has had chip-and-PIN cards for years.
“In the US, payments are made really easy, and like I said before, if you make payments easy, it’s also easy for the bad guy once he has the information. The concept of the magnet swipe is the reason why there’s been so many breaches.”
Yonathan Klijnsma
The US has continued to use magnetic stripes long after Europe has discontinued them, says Klijnsma. That makes transactions very easy, but also makes it easy to steal credit card data. Fortunately, cards with chips have become more common in the US.
“Payments were made really easy in the US, that’s the thing. In Europe, we had that, but we moved on from that because it really doesn’t work. It leaves too many open possibilities for fraud.”
Yonathan Klijnsma
Klijnsma explains that in the Netherlands, for certain banks, to make an online payment, you put in your bank card number, then put your physical card into a reader, and enter your PIN. Based on the time and your PIN, the reader generates a one-time token, which you then enter. “That means online payments, you can’t skim them.”
Such measures reduce fraud, but they annoy customers, because they slow down transactions, says Klijnsma.
16. Do you have any other warnings, advice, or encouragement you’d like to share before we conclude?
“Be vigilant” is Klijnsma’s parting advice.
He invites people to contact RiskIQ; they’re happy to investigate suspicious sites.
“If you think something’s wrong, or you want to do some research, I’m always interested.”
Yonathan Klijnsma
What You Should Do
- Before buying from a site, check if it’s legitimate. Look at how long it’s been around, where it’s based, and if it sells look-alike products.
- If the product you want is available on a trusted site like Amazon, consider buying it there, because large, recognized ecommerce sites are generally safer than small, independent ecommerce sites.
- Try to avoid entering your card details into the website. Instead, use the card you have saved in your account with the ecommerce site, or use a digital payment such as Apple Pay or PayPal.
- Regularly review your card transactions. Don’t ignore small transactions.
- If you suspect that your card was skimmed, whether you see a suspicious transaction or not, call your card issuer and request a new card.
- If your card is skimmed, tell the ecommerce site. If they ignore you, contact law enforcement (in the US, the FBI). You can also tell the payment processor.
- When possible, buy when on your own network or your cellular data, rather than public Wi-Fi.
- Help your kids buy online, and teach them what to watch for.
- If you run an ecommerce website, use a hosted service such as Shopify unless there’s a good reason not to. If you host your own site, keep it updated, lean, and clean.