| The number of reported card skimming incidents increased 20 percent during the first half of 2023 compared to the same period in 2022. More specifically, New Jersey is one of several states with the most significant increases in skimming incidents, with at least a 50 percent year-over-year increase in incidents occurring during the first half of 2023. Based on this trend, the upcoming holiday shopping season means increased card skimming opportunities for threat actors to capture and steal customer data and financial information through various digital and physical realms, such as stores, restaurants, gas stations, and ATMs. Threat actors continue to seek out better methods to conceal their attacks and evade various security measures. This stolen data has severe consequences for consumers and businesses, including loss in revenue, legal damages, compliance issues, cross-site contamination, identity theft, fraud, and subsequent malicious activity. |
| Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Once payment card data is stolen, it can be used by the threat actors to make fraudulent purchases or sell on dark web or other marketplaces. These attacks continue to be prevalent, with a new campaign observed abusing 404 error pages and targeting many large organizations in the retail and food industries. Manipulating the website’s default 404 error page to hide malicious code is one of the more advanced obfuscation techniques seen before and creates challenges for detection and mitigation. Similar to the recent uptick in Magecart attacks, the Kritec campaign is ramping up its activity in time for the holiday shopping season based on the number of newly registered domain names attributed to the threat actor. In this skimming campaign, threat actors create compelling customized templates in local languages that make detection difficult. |
| Card skimming is not just limited to online transactions. Threat actors can discretely install small card-reading devices in point-of-sale (POS) terminals to steal card information. These devices can be installed at stores, restaurants, and gas stations. This past year, the Walmart retailer has been a frequent target of card skimming at 16 different US locations. Also, skimming devices were found on two gas pumps at a Delaware BP gas station. Threat actors are also targeting ATMs and shifting in terminal types and locations of card compromises. Non-bank ATMs at convenience stores and gas stations are becoming more prevalent than bank ATMs. In September 2023, skimming devices were discovered at an ATM inside a Wawa convenience store in Cinnaminson, NJ and may have been installed for two months prior to its discovery. |