SINGAPORE - Skimming software is said to have infected multiple e-commerce websites that are frequented by Singaporeans, resulting in the data of more than 1,700 credit cards being stolen and sold on the Dark Web in a single database - one of the biggest cases here.
Singapore-based cyber security firm Group-IB said that this database is one of the many that have contributed to the 26,102 compromised payment cards issued by Singapore banks that it has found sold on the Dark Web from January to August this year. The estimated underground value of these cards is US$1.8 million (S$2.5 million).
The firm said that online card skimmers use malicious software designed to intercept payment card details from infected websites and sell the data on the Dark Web, which is a part of the Internet that is accessible only through special software, allowing users to remain anonymous or untraceable.
The case involving the e-commerce websites contained details belonging to 1,726 payment cards issued by Singapore banks.
Group-IB said this figure is significant because on average, the number of compromised credit cards related to Singapore in a single database uploaded on the Dark Web rarely exceeds several hundred cards, based on its review period of January to August.
When asked by The Straits Times which e-commerce websites were infected, the firm declined to name them but said that they were websites frequented by Singaporeans and are based both locally and overseas.
Singaporeans are known to shop on e-commerce websites, be it those based here like Shopee and Lazada, or those based overseas, like Amazon, eBay and Taobao. A study by online saving platform Flipit in 2017 showed that three in five Singaporeans shop online.
A JS-sniffer acts as a digital equivalent of a traditional credit card skimmer - a small device installed on ATMs that intercepts bank card details. JS-sniffers can intercept different types of payment and other personal details too.
The firm said: “Usually, a few lines of code injected into websites can capture data entered by customers, such as payment card numbers, names, addresses, passwords etc. A multi-linked chain of victims of JS-sniffers includes online shoppers, online stores, payment systems and banks.
“Quite often, neither a customer nor a website owner can detect the activity of JS-sniffers.”
JS-sniffers are also known as online skimmers, form-jackers and MageCart, the name given to them by cyber-security firms RiskIQ and Flashpoint, which were the first to publish a joint report on the activities of such cyber criminals.
A report that Group-IB issued in April said that JS-sniffers have infected 2,440 websites around the world. The report said that JS-sniffers are capable of injecting fake Web forms disguised to look like legitimate payment forms from companies like PayPal and Stripe, in order to steal customer payment data from online stores.
Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said that when data theft takes place, owners might not realise it straightaway as bad actors might not be making use of the data yet.
“In other forms of theft, you realise straightaway that your wallet or car, for example, has been stolen,” he said.
“The only time you realise your data is missing is when an unauthorised transaction has been conducted. Even then this might take a few days to reach you.”
Mr K.K. Lim, head of cyber security, privacy and data protection at law firm Eversheds Harry Elias, pointed out that on the Dark Web, the buying process is hidden, and thus those whose details have been stolen might not be aware of it.
Group-IB advises online shoppers to use separate cards for their e-commerce shopping, like a debit card used exclusively for online purchases, or cards with stored values.
Its founder and CEO Ilya Sachkov said: “The admins of e-commerce websites, in their turn, need to keep their software updated, carry out regular cyber-security assessments of their websites and not hesitate to seek assistance from specialists.
“It should be noted that the statistics that we observed could be higher, if not for the vigilant cyber-security authority who has been prompt in detecting websites infected with JS-sniffers.”