How to defend your website against card skimmers
Card skimmers, or web skimmers, are pieces of malicious software that criminals piggyback onto legitimate websites so they can steal shoppers' credit card details. The skimmers read the details as users type them into the sites' payment forms, or replace the payment forms with convincing fakes. Attackers have even been seen targeting sites that don't take payments. Skimmers can steal card details in real time, as they are typed, even before the victim clicks "submit" on the payment form.
Skimmers allow criminal hackers to silently rob every customer that makes a purchase on an infected website, until the skimmers are discovered and removed. Malwarebytes products detect card skimmers, and our Threat Intelligence team tracks and investigates them. We know that card skimming activity tends to increase in line with busy shopping days, and shop owners need to be extra-vigilant heading into the holiday season.
In this article we will explain the basic steps you should take to secure your website against card skimmers. Getting these basics right will also protect your website against a range of other cyberthreats.
But before we look at how to secure your site, let's look at why you should, even if you're only running a small mom-and-pop shop.
Why you aren't too small to get hacked
If you think your website is too small to be of interest to cybercriminals, think again. They don't care how small your site is. Really. In fact, they don't care about you at all and may never even look at your website.
Cybercriminals don't break into websites one by one, using their best guess to figure out your password like they do in the movies. They use computer programs to scan the Internet for vulnerable websites. There are millions of vulnerable websites out there, and scanning the entire Internet to find them is fast, cheap, and easy.
When they find a site they can break into, they inject a card skimmer, automatically.
Their objective is to break into thousands of websites at a time, and the process is automated and can run continuously. It effectively costs criminals nothing to break into even the smallest website, so every website, no matter how small, is an attractive target.
Websites without a payment form can still be targeted, or monetised in other ways, so even if your site doesn't sell anything, it is still at risk.