Watch to learn how you can monitor your ecommerce pages for e-skimming and protect customer payment card data.
Find out how you can monitor your ecommerce pages for e-skimming and protect customer payment card data.
In this 20-minute demo, we will show you the key features unique to SecurityMetrics Shopping Cart Monitor, one of which is that there is no installation needed.
This webinar was given on March 14, 2022.
First off, yeah, thanks for being here, for taking time out of your busy schedules to come, you know, hear about our new technology and things we're excited about in Shopping Cart Monitor. And, hopefully, I can, you know, give you some good information and give you a reason for being here and get you excited about some of the technology that we've developed that we feel has resolved the gap in the industry, security-wise. And, excited just to present for you. So thanks for being here.
Okay.
Let's see if my slides will transition.
There we go.
So just a brief introduction. My name is Jason Leland. I've been with SecurityMetrics eleven years. Actually, that's as of this month.
I'm originally from Portland, Oregon, and that's a picture of me and my family at Crater Lake. And my current role here is the director of enterprise sales.
We sell the products that fit under our professional services side of the organization.
Things like audits and pen tests, forensics, and now we kinda fall under the SOC team with the addition of Shopping Cart Monitor.
And so a little bit about me and what we do.
Brief overview of the agenda. We're gonna be covering ecommerce skimming, which may be a review for most of you. I think most people know what that is, but it's good to start there to get our mind frame in the right place as we go through the rest of the presentation.
We'll do a demo of a skimmer attack, talk about shopping cart monitor and the specifics of the products. And then we can take questions, I believe, during this webinar.
And I have some outside help that will be helping me with that. And then my email address will be at the end of the presentation. So if there isn't something that I answered during the webinar, feel free to email me and send me those questions. So, starting off, what is a skimmer?
Website skimming occurs when a website is injected with malware and is compromised.
The specific function of the skimmer is to steal data from the field that the user's interacting with. So, you know, I think we focus on things like payment pages, but really a skimmer and Shopping Cart Monitor, they both work on pages that really have any dynamic form fields, things that a user will interact with and enter data into.
Right? We typically focus on payment pages because I mean, you can even see credit card right in the slide. We focus on payment pages because it's a high value target for a malicious actor. But what we really need to know is that skimmers, and a lot of these compromises we're gonna be talking about, function on any page that accepts data and has that dynamic variability to it.
So Magecart attacks are very common. I think it's the one that we see the most, we hear the most, ends up in the news the most.
Magecart derives from the name Magento.
And hackers are constantly innovating to secretly skim cardholders' sensitive data during the checkout process. So they're working to be as silent as possible. And I think one of the most, I guess, scary concepts of this is, you know, they're working in the background.
Excuse me. And if you're entering credit card data into a field that's currently being skimmed, that data will still go where it's intended to go. Right? If it's intended to go to a bank, it'll still go to the bank. But, unfortunately, if it's compromised, you're also sharing that data with a third party that probably doesn't have the same intent. Right? Maybe a little bit more malicious of an intent.
But Magecart attacks, they end up in the news quite often.
I think what we've learned over the past few years is that, you know, there are organizations across all verticals of all sizes that are vulnerable to Magecart attacks. Some of the common ones you might be familiar with like Ticketmaster, British Airways, Newegg, Smith and Wesson, you know, they've all ended up in the news along with a lot of other ones. But these companies, they've all fallen to Magecart attacks and skimmer attacks of all different types. You know, there are thousands and hundreds of thousands of ways to utilize skimming techniques to customize and make things unique to that specific attack, and exploiting different bugs and browsers and things like that. Right? So, one of the cool things that we identified in our research of Shopping Cart Monitor is that it would have identified every single one of these skimming attacks.
And so if you're curious and you wanna learn more about the specific details of these compromises, I have some links that I can send to you. Feel free to email me. Again, I'll show that at the end of the presentation.
So a security research firm became aware of a hack posted for sale on the dark web for Magento 1 and 2. And it's this string, if you wanna see it in the slide there, that I'm talking about. And so what they did was they started looking for this infected code by scanning all known Magento sites.
From Friday when the code went on sale to Monday, this skimmer had infected nearly two thousand websites.
The research firm also told us that they estimated about ninety five thousand Magento 1 sites still remain unpatched, and eleven thousand Magento 2 sites were still vulnerable to this single specific attack.
You know, it's crazy how quickly these things move and how quickly hackers wanna benefit from, you know, new technologies and what we call zero-day vulnerabilities, right, when they're brand new.
So we have to ask ourselves, you know, how common are these attacks?
In a 2019 Verizon security report, their team found that skimmers were being installed at a rate of five thousand per month, which just seems crazy. That's so much. And once infected, it took forty six days on average before that skimmer was removed.
So if you think about, you know, your site, your payment page, how much credit card data could be stolen within forty six days of a skimmer being there or longer?
You know, with some research of our own and another research we found, the average cost of a data breach is in the millions. You know, it affects not just the card data that's stolen and repaying whatever fees you need to, to the card brands, to your customers, but it also has a lot of, impact on your brand and some damage there.
You know, thirty thousand Magecart vulnerabilities were found over the past two years.
They keep persisting to create new types of skimming attacks, to exploit new vulnerabilities that are found as new technologies are created.
They're trying to stay ahead of the curve in their industries.
So detecting skimmers can be very difficult because you can't always see them, and existing tools can't always catch them. So we're noticing the skimmers are being implemented in the checkout process directly into the browser. And, you know, you have tools like FIM and IDS/IPS that might protect the web server itself, but they don't have visibility into the actual browser and what's happening there.
Some of the attacks we've seen in our research are, you know, hiding in highly obfuscated code, which means they're running malicious code through their engine and they're completely modifying that code. So the human that's looking through and maybe you've seen it, just that page of code that exists behind the browser. Looking through it, if you did find something, which is a needle in a haystack, you probably wouldn't know what that code is doing.
We've also seen mimicking known domains, which is taking something that you're familiar with, like a domain you're familiar with, and just changing small details. So the human eye feels comfort in saying, oh, yeah. I know that domain, but, really, it's it's been, mimicked and your data is going somewhere else.
We've seen tripwire mechanisms where malware can often sense if it's being watched or not, and that's gonna be a part of my demo. We're gonna show you that. And so, really, instead of you watching for the malware, it's watching you to see if it's gonna be detected, and it has specific functions that are implemented based on activities that you take to actually find it. We've seen steganography attacks where malicious code is hidden in an image, or where malicious code is sent in a request for an image file, which is also gonna be in the demo. And then we've seen it restricted to certain geographical areas. And I think it was earlier last year where we found a page that we were inspecting.
Only card data was stolen if you were accessing the page from the Netherlands. And so they're trying not to make a lot of noise, raising red flags. Right? They wanna be as silent as possible, so you don't know that they're there, so they're not taking every single card.
And it's often you notice that they're there when you receive a letter in the mail that's identified you as a common point of purchase from the card brand saying you've been compromised. Right? That's how most people typically find out that there's a skimmer that's persistent on their page.
And so with with this slide, to me, this is what I think of. When I go to a shopping cart, when I go to somebody's website, I just think I'm communicating with their web server. They're serving up code that gives that, you know, provides the content for me to go through my user experience on their page. Right?
So I can buy something. That's usually what I think of. I'm not sure how most people think about it when they're, you know, Sally Shopper shopping at midnight on her laptop. I think we all think it's pretty simple for the most part.
But in reality, you know, it's much more complicated. And this is a better image that represents what your browser looks like when you're accessing the shopping cart. There's much more going on than the user realizes and tools like FIM, antivirus, IDS, IPS, they don't have visibility to monitor all of this activity. I'm not sure if you can see my mouse, but I'm circling around the picture here.
So, you know, inside a client's computer, all sorts of independent programs are running, making the browser now in charge of safety and security, and that's a problem. Right?
One of the questions that we typically ask our customers or potential customers is, do you know how many requests are being made by third party libraries to your shopping cart? How much code are they putting into your page? Do you know? And it's often they say no or I haven't checked that in six months. I haven't checked that in a year. We had a few customers that were actually pulling the code from their page and putting it into a spreadsheet.
And they would do this every, I think it was, like, every month or every quarter, and they would do a comparison to see if there were any changes done. It was a cumbersome approach, but, you know, obviously, they saw the need there to manage some of these third parties that they have.
What we found is that threat actors are using third parties as a path to compromise the browser.
They are very crafty in their techniques and they're continually evolving. And so in addition to that third-party code question that we ask, we also ask which is more important: do you know if the code is secure from these third parties?
And if not, what are you doing about it?
So these are questions we need to ask ourselves, as we're allowing others to impact the security of our web browser.
As a company, we've made it our mission to review as many skimming attacks as we can to continually validate that Shopping Cart Monitor would identify those attacks if that organization had been actively using Shopping Cart Monitor. And so far, we haven't found one that we wouldn't have already identified.
So Shopping Cart Monitor, it acts as a synthetic user to monitor and analyze your website for ecommerce skimming and malicious activity. And we'll talk more about this in the presentation, but it's essentially giving you visibility between the web browser and the server and also these third parties that, you know, these libraries or packages that you have on the other end of your browser. And I wish these binoculars were on both sides because it really does provide that middle visibility that most people are missing.
And alerts will be sent to our SecurityMetrics cybersecurity experts to examine each one of those alerts and determine if any of those alerts had a malicious threat or not. And so if there is a threat, we'll notify you directly and document our findings in a formal report, send it to you so that you can do something about it.
And then another important detail that we include is, you know, there's there's no installation required as a part of that, and I'm gonna explain why that's important. So those two details of it's a synthetic user. Right? Not trying to be a bot, but trying to represent the actual, user experience through the checkout process. And then the no installation needed is also a key detail that I'm gonna expand on later in the presentation.
So right now, after we've talked about kind of the impact that skimmers are having on the industry, I wanna demo one of the more advanced skimmers that we found and why it piqued our researchers' interest in some of the features that this skimmer had. And so I'm gonna be looking at this monitor, so I apologize. I'm not looking at my camera anymore. But as I go through this demo, I'm looking over here, and I'll turn back.
But, so this is just a demo store that our team created for demo purposes. This is not real. So if I come into the checkout page, this is a standard shopping cart. And as a user, you know, I click through, enter my address, do all the normal stuff that I would do.
And so one of the unique, attributes of this skimmer was it's actually searching for human activity and human elements to be done on the page before it actually activates itself. And so what I'm gonna do because specifically what it's looking for is mouse movement. So I'm gonna move my mouse off the page so that it doesn't see that. I'm gonna tab through, and I'm gonna hit continue.
And so this green bar, just for demo purposes, right, it would be nice if all websites have this, but they don't.
It says that the, skimmer is inactive.
And really what it's looking for is it's just waiting for this mouse movement so that it can go fetch the code from the favicon to say, hey. Let's activate so we can skim the details because I know this is an actual user. So as I bring my mouse back onto the page, it turns orange. It's saying your card is gonna actively be stolen now. So it's reached out for that code. It's fetched it, and it's got it. I enter my details, and I come down and put my CVV code in. And as soon as I tab off of this field, my card data is stolen.
You know, it didn't wait for me to hit confirm, submit, report a payment. I could even go in and actually delete my data now. It's already gone. It's been sent off even if I backed out of my purchase and I didn't actually wanna do it.
So it's a very sophisticated approach, and when we actually found this, this company was using a service that was monitoring the code. But the malware or the skimmer never actually activated itself because it was a bot running through the page, not acting like a user. And the technology that we've developed through Shopping Cart Monitor will do activities like this that show that, hey. We're an actual user.
You should activate your skimmer attack so that we can find it. Right?
And then one of the other very intriguing attributes of this skimmer was, as soon as you went to inspect the code and opened up developer tools, it actually self destructed itself.
So you couldn't find it. It was waiting for that specific activity to happen to say just clear out so that it couldn't be discovered any longer, which is crazy. So the only way that we were able to find that was that Shopping Cart Monitor had identified what that code was prior to opening up dev tools, and we could read in the code that said, like, if dev tools something, right, activated, then self-destruct.
But essentially gave it that, you know, responsibility or whatever it was to take that action, which is pretty crazy.
And so that's just a quick example.
Let's see if I can get back to my page here.
Just a quick example of what the, I think I need to, so I apologize.
Here we go. Back to the demo. Example of some malware and skimmers that we've seen in our research.
So, you know, how does Shopping Cart Monitor protect your customers from skimmers?
You know, I think this is a good time to kinda transition into what the product does. But it's a tool that really just detects if a skimmer's present on the page. And what we're trying to do is make it our goal to reduce the amount of time the skimmer's installed on your shopping cart from that forty six day period down to hours or minutes. And so let's get into the details of the actual product here.
So first of all, it's pretty straightforward how it works. We begin by creating a recording of the checkout process, during which we do a high-level review to determine if any malicious code or activity already exists on the page. And once we've reviewed it, we create a record of that traffic and say, this is what we should expect when going through the checkout process. And we work with you to do that.
Right? So we're both on the same page. But our threat intelligence center will use a variety of tools to help them determine if the code we're establishing the baseline with is clean, so we don't just replicate and say it's normal to have this malicious activity in your code. Right?
We don't wanna do that. So they use tools like the raw request/response to see what was triggered, the WHOIS information of who owns the domain, the community scores of two popular communities, and the geolocation of IP addresses.
And they also do some manual review of the code as well.
So what we do once that baseline is established is we just monitor for any changes to that code.
And this kinda comes back to there's no need to install anything to, use our service.
We actually had one of our pen testers that was helping us with the research of the product. He found a page that was using a competitor solution, but they require JavaScript to be installed. He was able to actually deactivate the JavaScript so that we could run our scan and then reactivate it once we're done. Right? It's important: just as we don't typically know that the hacker's there, the hacker doesn't know that our tool is running in the background as well. So we're trying to turn the tables on them.
And so if any new code is introduced into the page, we pull that and start to analyze it because it's a change in what we typically expect from the baseline we established.
And so once those changes are identified, we alert on those changes. The threat intelligence center will review them to see if they're malicious or if this is just kind of an update to your site that you're going through. And there's things that they can work with you to set to make sure that we're only pulling what activity we need.
But if there's something that's changed, we review it. If it's malicious, that's when they have to really decide if they wake you up at two in the morning to do something about it, or if it can wait till the next day and just document a report and send that over to you. Some things might just be suspicious or some things might just need remediation so you can prevent compromise in the future.
And some things might be malicious and you could be leaking card data today, and we've seen that a number of times. So we alert on those changes and, you know, the SOC team, the threat intelligence center, they have access to resources. You know, if it's beyond their expertise, they can engage our pen test team and our forensics team to pull in additional resources. So it's a team of people that have essentially eyes on glass monitoring your site for any changes in malicious activity to, you know, prevent as much card data from being stolen and to reduce that time frame, right, to minutes instead of days of being compromised.
So, just quickly reviewing, and I know I'm supposed to be twenty minutes here. I'm a little bit over, but, you know, we only use your existing website. We don't make any modifications. None of that's needed for the tool to function.
The most that we've had to do, we had a customer using Akamai, so we had to whitelist so that it wouldn't block our service, but that's the extent of what we had to do. So really no setup required.
We can monitor multiple pages at the same time, and you can determine or tell us the cadence at which you want the scan to run, whether that's daily, hourly, ongoing.
You know, it just essentially will just run through the page and start over again. Right? It can do it that frequently.
We give you a list of the scan history so that you can identify patterns and keep your site free from infection. That's also something that we'll monitor on our end and really just monitor. It's non-intrusive. It doesn't disrupt your business, and it's detecting, you know, potential breaches and helping keep your business secure.
So, you know, we like to think of this product as it saves you money in the long term. Right? We know the cost of a breach. We know what happens to your brand if you're compromised and people don't feel confident shopping on your site anymore. So what we do is, you know, you receive a segmented list of unresolved, ignored, and resolved threat indicators to help you stay organized as you work to keep your site safe, and you can prioritize those things.
You know, as you work towards a secure shopping cart checkout experience, know that you can also rely on our team that's here twenty four seven to support you through that process.
And we've always said you save money by being proactive in your detection efforts, rather than being reactive after a compromise, after you receive a letter in the mail saying you need to do a forensic investigation now because you've had malware and we don't know how long it's been there.
And we feel that shopping cart monitor really adds value and complements those tools like vulnerability scanning and some other monitoring services that you might already have installed as a business to, you know, effectively improve your overall security in that footprint.
You know, and it's our goal to really just protect your company's brand and help you build trust with your customers in the ecommerce space and shopping online.
So that's the the presentation. That's the webinar.
I think there are some questions that have come through, and I'm gonna see if I'm able to answer these.
So one question was, who really needs to be concerned about this? Is this more for an Amazon or Walmart sized ecommerce platform or enterprise level?
That's a great question.
We've seen skimmer attacks affect all different types and sizes of businesses.
And businesses that feel like they're, you know, really, really secure already.
I would say probably more for even the smaller end business. I think this offers a lot more value for those that might not have the resources for, you know, actual security teams and security resources to protect their business. Right? We're taking that work off your plate to say, let our guys that are the experts in the industry monitor your site, that have that expertise and that knowledge and can help reduce that time of compromise.
Right? If something happens, we're gonna notify you and give you the details so that you can work with your hosting provider, your website provider to remove those things, and that's what we've done for other customers. So, hopefully, that answered your question. But there is also a lot of value on the enterprise level as well just because it's hard to find existing tools to do what we're doing and the way that we're doing it.
So the next question was, how much impact would this scanning tool have on my system, AKA how much downtime would it cost to my website? So there is virtually no impact to your website. We say the amount of impact is the same as just another user on the site. Really, that's all we're doing is we're going through that shopping cart experience just like another user would, and it's the same exact impact as just someone else on your website. That's all the impact it has.
In our research, you know, we were scanning some other sites and really nobody would know that we're there.
And we actually had to call it was over ten companies to tell them they had been compromised.
Most of which received it okay. Some of them were a little suspicious, but we were able to help them. They had no idea we were there, and we detected that they were leaking card data today. Right?
So really there is no impact, to your site.
Another question was, is there a specific industry that needs this tool more than others?
Yeah. I mean, I would say, no. I would say all industries are affected. If you take a credit card or if you have sensitive data that's entered into a page online, this tool is applicable to your industry.
That's kind of the unique thing about, you know, we're very heavily in PCI, which is the payment card industry, and it affects businesses everywhere because most everyone takes credit card data. And now if your company isn't online and has a shopping cart, you know, it's kinda behind the times. Right? That's where everyone is moving to, and it's becoming so popular now. And it's becoming, you know, that new attack vector for malicious actors. So if you have sensitive data that you wanna protect on the website, this tool applies to you.
How much does the tool cost? Great question.
So the pricing of the tool is based on the number of pages that you wanna test and then also the frequency of scan. Some of the things you need to consider, and this is things we've discovered in our research, is we've seen, just because it's a single page, we've seen companies offer different versions as in languages of that page, and we've seen vulnerabilities exist in, like, a page that's offered in Spanish where it didn't exist in a page that was offered in English. And so you wanna consider what your footprint is and what you're scanning, but we base our pricing off of number of pages being scanned and frequency of that scan. But I would say on average, the cost of the solution's right around between ten to fifteen thousand dollars per year, which is like eight hundred to twelve hundred dollars per month.
Next question was, how can I get even more information about this tool? So I am not the security expert. I am on the sales side, but we have, other resources. If you wanna have a call, we can do a more in-depth demo, a more technical demo if you wanna bring your team on to find out more about the tool and answer your questions.
Happy to have that call. You know, you have my email there. And then we have data sheets. We have things online that you can go, today and go to our website and research more and download some, PDFs or, you know, future podcasts or webinars, but we're trying to put out as much information as we can. If there are specific questions that you can't find answers to online, please email me. We can set up a call or I can chase down the answer and email you back.
But I think that's all the questions that we have so far.
If anything else comes up, please let me know. We're happy to help how we can. You know, I love jumping on calls. I don't charge for my time like most of the people in our company do. So you can utilize me as much as you need, and I'm always happy to help. So, let us know what we can do, and, hopefully, you took down my email. But if there aren't any other questions, thank you for being here.