Improving Your Small Ecommerce Business Network Security to Protect from E-Skimming

This blog explores the main ideas from the webinar “How to Protect Your Ecommerce Website Against Eskimming,” and the latest threats attacking the e-commerce space.

In the SecurityMetrics’ webinar “How to Protect Your Ecommerce Website Against Eskimming,” SecurityMetrics Deputy CISO Matt Heffelfinger discussed the top dangers ecommerce sites face, how to understand your attack surface, and best practices for keeping your small ecommerce website safe. 

This blog will explore the main ideas from the webinar and the latest threats attacking the e-commerce space. 

Third-Party Plugin Exploits

Third-party plugins have become a popular resource for online businesses that want to calculate coupons, figure out shipping, and make the overall shopping experience smoother. However, as helpful as plugins can be, they also introduce significant risks for small ecommerce shop owners. 

Matt explains that "We're seeing a whole lot of plugins that are being compromised...just lack the security that's allowing these attackers in."

The Real-world Case of a Compromised Shipping Plugin

In a recent case, a merchant unknowingly allowed malware to infiltrate their website via a third-party shipping plugin. The merchant needed a solution that would give customers multiple shipping options during the checkout process. So, they chose a third-party plug-in that would offer different prices from major mail carriers, and would generate a discounted shipping cost. 

However, this plugin had been compromised. According to the SecurityMetrics incident report, “Whenever the merchant's website would call that plugin to get the shipping code, it would just bring over a little bit of malware...a couple of lines of JavaScript in the thousands of lines that were being called.” This particular exploit would only activate once the customer selected the discounted shipper, which was, of course, the most popular option because it was the cheapest. 

This type of malware is concerning because it’s both clever and hard to detect. Matthew Heffelfinger explains this subtlety: "They got into the plugin, and that code existed off of the merchant's website, but it was only introduced into the browser at the moment of checkout."

How Do Third-Party Plugins Create Vulnerabilities?

SecurityMetrics experts agree that one of the most dangerous aspects of third-party plugin exploits is how stealthy they are and how difficult they are to identify. In this case, the malware was only briefly active when customers clicked on the shipping discount feature, which made it hard to detect. In fact, while demonstrating to the audience how the malware worked, Heff showed that "If we refresh this page and we choose a different shipper, it's the cheapest option... We can see that the malware was able to get in and grab that card data when we chose the 'Ship2You' option."

The selective nature of the exploit was intentional, as attackers knew that targeting every transaction would set off alarms. Instead, they "tried to fly below the radar, grabbing a handful of cards at a time" to avoid detection. Unfortunately, these threats are becoming more common, with cybercriminals choosing specific triggers to activate their malicious code briefly to avoid detection. 

Five Key Steps to Improving Your Small Business Ecommerce Network Security

Protecting your e-commerce platform from e-skimming can be difficult, but if you know about these main vulnerabilities, you’ll be better prepared to face threat actors. 

  1. Attack on Third-Party Plug-ins:
    • Attackers exploited a compromised shipping plug-in affecting over 400 merchants. 
    • "What was particularly interesting about this case is that it wasn't just this merchant. You know, these guys are a source provider. Right? And so this code appeared not just on this merchant, but there were, I think, four hundred other merchants that were affected” (Heff). 
    • Malware selectively skimmed credit card data based on the shipping provider chosen, making it hard to detect.
  2. Difficulty in Detecting Skimming:
    • Attackers are becoming stealthier by using random triggers and targeting fewer cards to avoid detection.
    • E-commerce attacks often happen in the browser, outside the visibility of server-side tools. 
    • "The attackers are not gonna try to get every single card anymore. They know if they grab everything on a large site, it’s gonna be detected and get shut down fairly quickly” (Heff). 
  3. File Integrity Monitoring and Client-Side Vulnerabilities:
    • File integrity monitoring on servers is critical but doesn’t cover client-side issues, such as malware in browsers.
    • Third-party plug-ins add complexity and make securing the entire checkout process challenging.
    • "We've seen companies have upwards of six hundred scripts, third-party scripts, running in their shopping cart at any given time” (Heff). 
  4. Recommendations for Securing Shopping Carts:
    • Use iframes to isolate payment forms and tokenize card data.
    • Implement multi-factor authentication (MFA), especially for admin panels.
    • Ensure comprehensive logging to trace issues if a breach occurs.
    • Establish a baseline of normal behavior to detect anomalies.
  5. The Importance of Robust Logging:
    • Logging everything, especially during transactions, is crucial for forensic analysis.
    • Many companies still lack proper logging, making post-breach investigations difficult.

What Small Businesses Can Learn From Third-Party Exploits 

Third-party plugins have transformed the customer experience on small ecommerce websites, but they have also opened new doors for cybercriminals to exploit. Approaching third-party plugins with a security mindset can ensure you keep your small business ecommerce website and customer credit card information safe. If you’re not sure about a plugin, you might want to speak with a cybersecurity expert who can point you in the right direction. 

You need to know “what’s running” on your shopping cart, which could include ad networks, traffic exchanges, and business analytics scripts. One way to do this is to establish a baseline of what normal activity on your small business ecommerce site looks like so you can identify when anomalies occur. As Heff says, "You have to know what’s running in your shopping cart, especially when credit card data is present. Establish a baseline because if you get that baseline, it’s a whole lot easier to spot anomalies that happen."
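One way to put the baseline recommendation from the list above and from Heff's advice here into practice is to record which script origins normally load on the checkout page and compare each later capture against that record. The code below is an added example written for this post, not code from the webinar or from SecurityMetrics; the origins, counts and the sample page are constructed, and in a browser `collectInventory(document)` reads `document.scripts`.

```javascript
// Baseline of script origins (and inline script count) recorded on a clean
// checkout page. All values are constructed for this example.
const BASELINE = {
  "https://shop.example": 3,            // first-party scripts
  "https://cdn.example-cart.test": 2,   // cart platform CDN
  "https://shipping-plugin.test": 1,    // the shipping-rate plugin
  "inline": 2,                          // inline <script> blocks on the page
};

// Reduce a script's src to its origin; inline scripts have an empty src.
function scriptOrigin(src) {
  if (!src) return "inline";
  try {
    return new URL(src, "https://shop.example").origin;
  } catch (e) {
    return "unparseable:" + src;
  }
}

// Count scripts per origin from a document-like object (document.scripts).
function collectInventory(doc) {
  const counts = {};
  for (const s of Array.from(doc.scripts)) {
    const o = scriptOrigin(s.src);
    counts[o] = (counts[o] || 0) + 1;
  }
  return counts;
}

// Flag origins absent from the baseline, or more scripts than the baseline
// allows (an injected inline block looks like an extra "inline" entry).
function findAnomalies(baseline, inventory) {
  const anomalies = [];
  for (const [origin, count] of Object.entries(inventory)) {
    const expected = baseline[origin] || 0;
    if (expected === 0) anomalies.push({ origin, count, reason: "not in baseline" });
    else if (count > expected) anomalies.push({ origin, count, expected, reason: "exceeds baseline" });
  }
  return anomalies;
}

// Constructed sample: the checkout page after a shipping option was selected.
// It carries one extra inline script and one origin the baseline never saw.
const SAMPLE_DOC = { scripts: [
  { src: "https://shop.example/js/app.js" }, { src: "https://shop.example/js/checkout.js" },
  { src: "https://shop.example/js/cart.js" }, { src: "https://cdn.example-cart.test/cart.min.js" },
  { src: "https://cdn.example-cart.test/analytics.js" }, { src: "https://shipping-plugin.test/rates.js" },
  { src: "" }, { src: "" }, { src: "" }, { src: "https://static-assets-cdn.test/loader.js" },
] };

function auditSample() { return findAnomalies(BASELINE, collectInventory(SAMPLE_DOC)); }
```

Because the plugin only injected its code at the moment of checkout, capture the inventory after the shipping step (for example on a `MutationObserver` that watches for added `script` nodes), not just on page load.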

At the end of the day, protecting your e-commerce platform requires a proactive approach. Whether you're a large enterprise or a small business, your security strategy needs to reflect the value of your data and the potential risks to your small business.
