6,000 Retail Sites Open To Card Skimming

A security researcher has found almost 6,000 online retailers with malicious code on their websites that is capable of stealing customer credit card information. Such attacks take advantage of known vulnerabilities in several web-based payment programs. The hackers are able to compromise the site and inject code that can skim card details.

The blog post detailing the research can be found here: https://gwillem.github.io/

WhiteHat Security has also researched retail website security and found the following:

• Around half of all retail websites exhibit at least one serious security flaw on every single day of the year
• On average, retail sites exhibit 23 unique vulnerabilities
• On average, retail sites exhibit 13 “serious” vulnerabilities, which are classed as either “critical” or “high-risk” on the OWASP risk-rating
• It takes retailers, on average, 205 days to implement an appropriate fix once they are made aware of a vulnerability
• Retailers are prioritising and rectifying just under half of the website vulnerabilities they are made aware of

WhiteHat team commented on this research below.

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security: 

“Retailers clearly have a big part to play in website security. These organisations represent thousands of consumer-facing web applications and are responsible for holding both personal and financial information. Despite this, our application security researchers have found that about half of all retail websites exhibit at least one serious security flaw on every single day of the year. On average, the retail sites studied exhibited 23 unique vulnerabilities. Retailers are simply not able to resolve all of the serious vulnerabilities found in their web applications, and it takes them a long time to remediate even the most serious vulnerabilities – on average, 205 days to implement an appropriate fix. The existence of multiple serious vulnerabilities not only increases the total business risk that retail organisations assume, but also the risk that they pass along to users of their vulnerable websites. By prioritising the critical and high–risk security flaws for remediation, retailers stand a good chance of reducing the number of days that serious vulnerabilities remain open to attack.”