Hackers Are Focused On Hijacking Payment Data

Uploaded on 2019-03-08 in TECHNOLOGY--Hackers, FREE TO VIEW

Thousands of websites are being hit by cyber-thieves who implant code to scoop up payment card numbers, research suggests. Security giant Symantec found more than 4,800 websites were being hit by these "form-jacking" attacks every month.

High-profile victims of these attacks include airline BA and Ticketmaster. Online crime groups had turned to the attacks as other more established techniques proved less and less lucrative, Symantec said.

'Attack code'
"It's a sign we're in a world where security is tighter and tighter and it's getting harder to carry out this type of activity," said Orla Cox, director of Symantec's security response unit. Formerly profitable ventures involving ransomware and mining crypto-currencies now made gangs much less money, she said.

Instead, they were now inserting "attack code", either when sites failed to update core software to close loopholes or via insecure third-party apps, such as chat apps, analytics packages or other extras.

"It's a tiny line of code in there and that's enough for attackers to monitor payment card info being entered and they siphon it off," she said. "It’s often not obvious that the website has been compromised.  "To the naked eye everything would look fine."

Make money
Last year, Symantec had stopped more than 3.7 million form-jacking attacks, said Ms Cox, adding that the figure was a measure of the technique's sudden popularity.

"Cyber-criminals are continuing to find new ways to make money," she said. "And when they do, they pile in."

Ransomware was also still widely used, said Ms Cox, but better back-up practices by businesses and home users meant it was harder for criminals to secure a payday. And infections from ransomware had fallen by 20% over the past year. 

"In a lot of cases people are not paying up because it’s got easier for them to get their data back as they often have it in the cloud somewhere," she said.

BBC:              Image: Nick Youngson

You Might Also Read:

Hackers Use PayPal To Go Phishing:

 

« No Easy Button Solution To Cybersecurity’s Skills Shortage
NATO Defense Spending Should Privilege Cyber »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Becrypt

Becrypt

Becrypt is a trusted provider of endpoint cybersecurity software solutions. We help the most security conscious organisations to protect their customer, employee and intellectual property data.

Hack Miami

Hack Miami

HackMiami is the premier resource in South Florida for highly skilled hackers that specialize in vulnerability analysis, penetration testing, digital forensics, and all manner of IT security.

DCIT

DCIT

DCIT is a specialist in providing comprehensive consulting and auditing services in the field of information technology, PROVYS development software and security system AuditSquare.

ReversingLabs

ReversingLabs

ReversingLabs develops cyber threat detection and mitigation tools that address the the latest directed attacks, advanced persistent threats and polymorphic malware.

Quokka

Quokka

Quokka (formerly Kryptowire) is the source for mobile security and privacy solutions, staying steps ahead of the threat and delivering peace of mind.

IoT Security Institute (IoTSI)

IoT Security Institute (IoTSI)

IoT Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system.

AuthLite

AuthLite

With AuthLite, you can keep using all your existing software, with added two-factor authentication security placed exactly where you need it.

Qualcomm Technologies

Qualcomm Technologies

Qualcomm invents breakthrough technologies that transform how the world connects, computes and communicates.

Ostendio

Ostendio

Ostendio is a cybersecurity and information management solutions provider that develops affordable compliance solutions for digital health companies and other regulated entities.

Arcturus Security

Arcturus Security

Arcturus is a CREST-approved cyber security consultancy created by experts in the field.

1Touch.io

1Touch.io

1touch.io Inventa is an AI-based, sustainable data discovery and classification platform that provides automated, near real-time discovery, mapping, and cataloging of all sensitive data.

Otto

Otto

Stop Client-Side Attacks. Plug otto into your application security suite and protect your supply chain.

Unciphered

Unciphered

Unciphered was created as the first company providing services for opening locked hardware cryptocurrency wallets.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

Aspiron Search

Aspiron Search

Aspiron Search is a niche-focused Cybersecurity search firm that works exclusively with venture-backed Cybersecurity firms.

Bumi Optimus

Bumi Optimus

Bumi Optimus aims to be in the forefront of the digital industry with technologies such as AI, Data Science, Mixed Reality, Blockchain, Cybersecurity and Cloud Computing.