Cybercriminals Are Getting More Sophisticated
Internet fraudsters are on the prowl more than ever before due to the COVID-19 e-commerce boom. Consider that by mid-March 2020, online shopping in the U.S. surged 35 percent from 2019 levels, and card-not-present spending grew 30 percent in the last quarter of 2020, primarily driven by retail spending, as reported in Visa’s Q1 earnings. Cybercriminals seek to take advantage of shoppers, small businesses, and large retailers alike by compromising payment credentials, harvesting data, and attacking trusted online systems. According to Aite Group, card-not-present fraud losses are projected to total $7.9 billion in 2021, up from an estimated $7.2 billion in 2020.
As digital payment volumes grow and omnichannel commerce becomes the norm, retailers must ensure their payment systems are frictionless for shoppers and foolproof against fraudsters in order to support their business effectively.
Visa’s Payments Fraud Disruption (PFD) team’s latest biannual report analyzes the fraud and risk trends impacting retailers and consumers, with three e-commerce-related fraud trends emerging in 2020:
Curbside Pickup Fraud
While this has been a growing trend, in April of last year alone, demand surged 208 percent compared to 2019, according to Adobe Analytics. Because retailers shifted so quickly to this model to accommodate changing consumer shopping habits during COVID-19, certain elements of the curbside pickup model were left vulnerable to fraud. For example, unlike conventional online orders, a curbside pickup transaction might contain less information to leverage in assessing the risk of the order. And without proper pickup controls such as identification verification, this step was also exposed to fraudulent activity. Furthermore, banks had to adapt their fraud models to account for this significant shift in activity, which made catching fraud in this channel difficult on both sides.
Enumeration Attacks
Enumeration attacks aren’t new, but they remained one of the leading threats to retailers’ payments processes in 2020. Enumeration is the scalable, programmatic, automated testing of common payment fields via e-commerce transactions in order to guess the full payment account number, CVV2, and/or expiration date. One variation that emerged during the pandemic saw threat actors illicitly create COVID-19-related retailer names and then use them to conduct these enumeration attacks. Visa’s PFD team anticipates enumeration attacks will remain a top threat across global regions, with cybercriminals taking advantage of big data and automated tools to find and exploit new vulnerabilities.
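Enumeration leaves a recognizable footprint in a merchant's own authorization logs: a burst of attempts from one source, mostly declined, cycling through expiry dates or card numbers. The detector below is an added example (not Visa's or PFD's code) that applies those velocity and decline-ratio rules to a constructed log; the log format, IP addresses, masked PANs and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not from the article). Fields:
# timestamp  source-IP  masked-PAN  expiry-tried  result
SAMPLE_LOG = """\
2020-11-03T10:00:01Z 203.0.113.5 411111******1111 01/23 DECLINED
2020-11-03T10:00:02Z 203.0.113.5 411111******1111 02/23 DECLINED
2020-11-03T10:00:02Z 203.0.113.5 411111******1111 03/23 DECLINED
2020-11-03T10:00:03Z 203.0.113.5 411111******1111 04/23 DECLINED
2020-11-03T10:00:03Z 203.0.113.5 411111******1111 05/23 DECLINED
2020-11-03T10:00:04Z 203.0.113.5 411111******1111 06/23 APPROVED
2020-11-03T10:05:10Z 198.51.100.7 555555******4444 09/24 APPROVED
2020-11-03T10:06:30Z 198.51.100.9 555555******4444 09/24 DECLINED
"""

def parse_log(text):
    """Parse log lines into dicts; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        ts, ip, pan, exp, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "pan": pan, "exp": exp, "result": result})
    return events

def detect_enumeration(text, window=timedelta(minutes=5), min_attempts=5,
                       min_decline_ratio=0.8, min_variants=3):
    """Flag source IPs whose activity looks like programmatic field guessing:
    many attempts inside a short window, mostly declined, cycling through
    several distinct PAN/expiry combinations. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Sliding window starting at each event for this source IP
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(win) < min_attempts:
                continue
            declines = sum(e["result"] == "DECLINED" for e in win)
            variants = len({(e["pan"], e["exp"]) for e in win})
            if declines / len(win) >= min_decline_ratio and variants >= min_variants:
                flagged[ip] = {"attempts": len(win), "declined": declines,
                               "variants": variants}
                break
    return flagged
```

In production the same rule would be keyed on more than the source IP (for example device fingerprint or merchant ID), since attackers rotate addresses; the single-key version keeps the logic readable.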
New E-Skimmers
Cybercriminals are getting more and more advanced in how they target online shopping platforms, developing new malware to compromise retailers’ platforms and capture consumers’ information. Visa’s PFD team identified two new e-skimmers in the latter half of 2020.
In June, security researchers identified a new self-destructing JavaScript skimmer variant on a North American retail website. Similar to the Pipka skimmer Visa discovered and reported in November 2019, this one is designed to steal customers’ payment details at checkout. The Pipka-like malware is able to remove itself from the HTML of a compromised website after it executes, decreasing the likelihood of detection.
In August, the PFD team was the first to identify a new JavaScript skimming malware variant called “Baka,” which was found on several retail websites across the globe. Essentially, the skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters curated for each victim to obfuscate the malicious code. What makes this design so advanced is how the skimmer avoids detection and analysis. The malware can remove itself from memory when it detects the possibility of dynamic analysis with Developer Tools.
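Both skimmers described here arrive as script injected into a checkout page, so one practical control from the monitoring advice later in this article (alerting when the site changes) is an inventory of the scripts a checkout page is allowed to carry. The code below is an added example, not Visa's or PFD's: it hashes inline script bodies, records external script hosts, and reports anything not in an approved baseline. The two HTML pages and their hostnames are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect external script hosts and SHA-256 digests of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urlparse(src).netloc or "(relative)")
        else:
            self._buf = []          # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def script_inventory(html):
    p = ScriptCollector()
    p.feed(html)
    return {"hosts": set(p.external), "inline": set(p.inline)}

def diff_inventory(baseline, current):
    """Return scripts on the current page that are not in the approved baseline."""
    return {"new_hosts": current["hosts"] - baseline["hosts"],
            "new_inline": current["inline"] - baseline["inline"]}

# Constructed sample pages (not real sites). Baseline: the approved checkout page.
BASELINE_HTML = """<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</body></html>"""
# Current: same page with an extra third-party script and a modified inline body.
CURRENT_HTML = """<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script src="https://cdn.example-unknown.test/lib.js"></script>
<script>window.cfg = {currency: "USD"}; /* extra */</script>
</body></html>"""

def check_checkout_page():
    return diff_inventory(script_inventory(BASELINE_HTML), script_inventory(CURRENT_HTML))
```

A static inventory catches the injected loader but not a payload a skimmer like Baka fetches dynamically at runtime, so it belongs alongside a Content Security Policy that restricts script sources rather than in place of one.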
Cybercriminals will continue to innovate and evolve tactics in developing e-skimmers for e-commerce retailers, and e-skimming innovation will remain a persistent threat to the e-commerce space. This is especially true in the context of COVID-19 as many brick-and-mortar retailers are still not operating at full capacity due to government restrictions and lockdowns.
Outpacing the Fraudsters
Fraudsters remained immensely active during the pandemic and throughout 2020, and are growing more sophisticated by the day. And while these actors employed many tried-and-true fraud techniques, such as ransomware, e-skimming, and point-of-sale malware, they also adapted their methods and tactics to coincide with the changes in the e-commerce landscape due to COVID-19.
However, there are multiple ways retailers can stay one step ahead to thwart these cybercriminals, protect their bottom lines, and safeguard consumers and customer payment data, starting with a few simple online security and authentication strategies:
- Monitor for suspicious activity. Regularly check logs and receive alerts if changes to the site are made. Provide training for all staff in security best practices in case they identify suspicious activity or encounter a breach.
- Ensure authentication methods are keeping pace by using a multilayered approach. Beyond enabling two-factor authentication for shoppers, are the analytics behind your e-commerce platform adequately assessing risk? Emerging technologies, like machine learning and artificial intelligence analytical models, can help identify these fraud methods earlier.
- Consider using a validated third-party service provider to store, process or transmit cardholder data. Criminals commonly target retail websites that process payment data.
- Regularly check for updates to industry security standards, such as those from the Payment Card Industry (PCI) or the Center for Internet Security (CIS), and ensure your e-commerce platform adheres to the guidelines.
What’s more, PFD capabilities are also continuously evolving to detect, analyze and disrupt new threat schemes as well as help protect the payments ecosystem. PFD regularly releases its own intelligence alerts on new trends and threats to aid merchants in protecting their networks. As fraudsters leverage technology to attack consumers and retailers in new ways, PFD capabilities will persist in efforts to anticipate and counter new threats to the ecosystem.
David Capezza is senior director of Payment Fraud Disruption at Visa, the American financial services corporation.