Spam, ransomware, and malware continue to haunt organizations, but bad actors are always cooking up new spins on these tried-and-true methods. In the latest scheme of malware threats, e-skimming is growing at a rapid pace. E-skimming is a type of malware that infects checkout pages online to steal payment and personal information of shoppers.

The malware was derived from the traditional term of skimming where criminals used skimmers, or hidden devices designed to steal credit card information, from consumers at gas pumps or ATM machines. Unlike traditional skimming, the criminals behind the attack do not need physical access so they can be located anywhere in the world.

Cyber criminals can compromise websites in many ways, including breaking into the web server directly or breaking into a common server that supports many online websites and compromise them all. They can also gain access to an organization’s network through a phishing email or brute force attack on administrative credentials. Companies large and small have been hit by e-skimming attacks in the past two years, including Macy’s in October, Puma’s Australian website in April and Ticketmaster’s United Kingdom website. The threat continues to grow because cyber criminals are sharing the malware online, making it even stronger and more sophisticated.

Who is at risk?

This can be a problem for both consumers and companies.

Consumers – All online shoppers must be vigilant when utilizing a website and entering financial information. A common way that hackers are successful with e-skimming tactics is through phishing attacks. Utilizing a bad link in an email to execute a purchase online could lead you to a corrupted site. Submitting credentials into a corrupted site could lead to stolen personal information.

Companies – Companies could be at risk from this threat in a few different ways; the first being companies accepting online payments. Always monitor your e-commerce sites to ensure that you are protecting your consumers from being a victim and preventing future loss.  Another problem is if an online shopper is compromised from this attack while utilizing their company credentials or during company time on the internal network. Their information including their email and password is now on the dark web. If the credentials to log in to the infected website are the same as their company credentials, the company’s information is now also at risk. Additionally, companies utilizing third party services whose website was compromised are also at risk. This is potentially the most dangerous because as a third party, you have the least control.

Compromised networks and malware attacks could result in lost clients, reputation, and money. In order to protect yourself from e-skimming malware and any potential new malware, companies need to stay on top of system updates and monitor their servers. Consumers should use credit cards instead of debit cards when shopping online to lessen any inconvenience if their card is compromised. Consumers should never use their company credentials when shopping online and always use a variety of passwords for online accounts.