Europol identifies hundreds of e-commerce platforms used in digital skimming attacks

Europol joined law enforcement agencies from 17 countries in warning 443 online sellers that the payment card data of their customers had been compromised.

In a press release on Friday, the agency said the two-month operation was led by Greece and supported by cybersecurity firms Group-IB and Sansec — two companies with experience monitoring digital skimming attacks.

In skimming attacks hackers embed tools or malware onto e-commerce sites that allow them to siphon credit card information from online stores during the checkout process. The tactic has long been a problem for popular internet sellers.

With the help of several incident response teams and the European Union Agency for Cybersecurity (ENISA), hundreds of unnamed websites were notified that they were being used by hackers for digital skimming attacks.

“Digital skimming attacks can go undetected for a long time. Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet,” Europol said.

“Customers are usually not aware that their payment details have been compromised until the criminals have already used them to carry out an unauthorized transaction. Generally, it is difficult for customers to find the point of compromise.”

All of the law enforcement agencies worked with the online stores, providing technical assistance to help them remove the tools and protect customers.

The countries involved in the effort included the United States, United Kingdom, Germany, Colombia, Spain, the Netherlands and more.

The payment fraud industry has shown signs of recovery following Russian law enforcement's crackdown on domestic cybercriminals and the Russian invasion of Ukraine in 2022, according to an annual payment fraud report from Recorded Future, which owns The Record.

Researchers found 119 million cards posted for sale on dark web carding shops, with an estimated $9.4 billion in preventable fraud losses for card issuers and $35 billion in potential chargeback fees for merchants and acquirers in 2023.

In 2022, e-skimmers led to 45.6 million compromised payment card records posted for sale on dark web platforms, according to last year's report.

The type of stores embedded with e-skimmers in 2023 included restaurants — which accounted for 18.5% of all victim companies — automotive parts sellers, clothing stores, and more.

The U.S. had the most cards available with more than 50 million on the dark web. No other region or country tracked had more than 2.5 million.

“Looking ahead to 2024, fraudsters are expected to refine their tactics, continuing to compromise cards using both old and new methods. Stolen payment cards from North American and European financial institutions led in volume throughout 2023 and are likely to persist in 2024.

“The report concludes that in 2024, fraudsters will likely combine sophisticated technical solutions, nuanced workflows, and social engineering tactics to bypass rules-based fraud detection.”