How threat actors steal credit cards: the evolution of credit card attacks in the past decade

Threat actors have been trying to steal credit cards for decades. And they are still thriving!
How do they do it? And how can we ensure that we are protected?

Back in 2010, threat actors focused on data at rest, meaning the places where the databases were stored. As such, security on that end focused on the network: segmentation and access controls were key to keeping the data safe and preventing credit card attacks.

This is not a magic recipe for security. If someone gets to the network segment where your server is, then the data’s security relies on the server’s security. Therefore, we must ensure that the server is also hardened. As you can imagine, there are more steps in the chain, right up to ensuring that the data in the database is encrypted and salted, so that even if the attackers end up with the data, they will not be able to use it.

If you are wondering whether that is possible, the answer is: partially. If we had a reasonably secure database from the early 2000s in our hands today, the chances are that with a simple laptop we could crack into it and retrieve the data. Therefore, there is no such thing as a 100% secure system. Nevertheless, a system is safe if, on average, it takes an attacker longer to obtain the data than the useful lifetime of the data.

This last statement may sound confusing, but it is relatively simple. If we have a password that changes every day, we need to ensure that an attacker would take more than a day to crack it. And that solves the problem once and for all.

But… there is always a but. The harsh truth is that if an attacker gains access to your system, they can retrieve the first set of information and crack it over time. At that point, they will know which encryption you use, along with other details that would give them faster access to the information the next time they get in. Guess what? Unless we had some alerts from our Intrusion Detection System (IDS), we might not even have been aware of the infiltration. That means they can use the same attack pattern to get back into our systems.

What is the solution?

There is no one-size-fits-all approach, but philosophically, the solution is defense in depth. Defense in depth means having different sets of protections at various levels working together, so that we harden our systems from different perspectives: if they get through the firewall, we catch them with the IDS/IPS. If they avoid detection, we can use UEBA (User and Entity Behavior Analytics) to get an alert and start investigating. If not… you get the idea.

However, methods have changed, and credit card attacks are not the same. We are no longer in the 2010s. We are in the 2020s, and halfway through!

Attackers have become smarter and are trying to exploit web applications rather than infrastructure. As more and more computing moves to websites instead of applications installed on computers, their techniques move with it.

Web pentests are in demand these days, and for good reason. Can you imagine the trouble an attacker has to go through to breach your company’s network and then get inside a server, without even knowing whether it is the right one?

All of that effort becomes unnecessary if you run an outdated version of a Content Management System (CMS) like Drupal, Joomla, or WordPress. Most vulnerabilities in any well-known system are published, which means attackers are aware of them.

If, for whatever reason, they know that the software your site is running is vulnerable to a specific type of attack, threat actors will exploit it and get into your website. If this is an online shop, you might think they will try to steal products or access user data, and that is true in some cases. However, a more elegant approach for them is to sneak some malicious JavaScript (JS) into the page and receive a copy of all the card details as users type them in.

This latter technique, widely used nowadays, as in the case of Avery, is much harder to detect, as attackers do not need to interact actively with your site once the initial intrusion is over. From then on, the site sends the data to them in a much more convenient way and with minimal risk of triggering any alerts.

As mentioned before, Avery, a billion-dollar company, suffered a security incident last year in which the data of more than 61 thousand customers was exfiltrated to the attackers. This was an interesting case, but many smaller credit card attacks never make it to the public. After an internal investigation, the company confirmed that a card skimmer was installed on ‘avery.com’, the company’s online shop domain, on July 18, 2024. The incident potentially impacts all customers who shopped there until December 9, 2024.

To prevent this type of attack, a good starting point is to:

  • Sanitize and Validate User Input
  • Use Content Security Policy (CSP)
  • Keep Software and Libraries Updated
  • Implement Strong Access Controls
  • Use Web Application Firewalls (WAF) in complement with other infrastructure firewalls
  • And as explained in the article, ensure that your infrastructure is protected with defense-in-depth.
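As an added example that is not part of the original article, the following Node.js script audits a Content-Security-Policy header against the skimmer scenario described above: could injected inline script run, and could it send card data to an off-site collector through a fetch request or a form post. The shop origin, the two policies and the collector URL are constructed for the demo; the "weak" and "hardened" policies are illustrative and are not Avery's configuration.

```javascript
// Added example (not from the article): audit a Content-Security-Policy header to see
// whether skimmer code injected into the checkout page could run inline and post card
// data off-site. Host sources match on scheme and host only (ports and paths ignored).
const FETCH_DIRECTIVES = new Set(['script-src', 'connect-src', 'img-src', 'frame-src']);
// "directive src src; directive src" -> Map<directive, [sources]>
function parseCsp(header) {
  return new Map(header.split(';').map((p) => p.trim().split(/\s+/).filter(Boolean))
    .filter((t) => t.length > 0).map(([name, ...src]) => [name.toLowerCase(), src]));
}
// Does one source expression ('self', https:, *.cdn.example, ...) match url?
function sourceMatches(source, url, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^:/]+)/.exec(s); // host source
  if (!m || (m[1] && url.protocol !== m[1] + ':')) return false;
  const host = url.hostname.toLowerCase();
  return m[2] ? host.endsWith('.' + m[3]) : host === m[3];
}
// Fetch directives fall back to default-src when absent; form-action does not, so a
// policy that only sets default-src still lets a form post card data anywhere.
function isAllowed(policy, directive, urlString, pageOrigin) {
  let sources = policy.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) sources = policy.get('default-src');
  if (sources === undefined) return true; // no directive and no fallback: unrestricted
  return sources.some((src) => sourceMatches(src, new URL(urlString), pageOrigin));
}
// Inline <script> runs unless script-src carries a nonce/hash or omits 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.includes("'unsafe-inline'") && !sources.some((s) => /^'(nonce-|sha\d{3}-)/.test(s));
}
// Summarise what the policy would let injected code do against one exfiltration URL.
function auditCsp(header, pageOrigin, exfilUrl) {
  const p = parseCsp(header);
  return { inlineScript: allowsInlineScript(p),
           connect: isAllowed(p, 'connect-src', exfilUrl, pageOrigin),
           formPost: isAllowed(p, 'form-action', exfilUrl, pageOrigin) };
}
// Constructed shop origin, policies and off-site collector for the demo.
const PAGE_ORIGIN = 'https://shop.example';
const WEAK_CSP = "default-src * 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; " +
  "connect-src 'self' https://api.payments.example; form-action 'self'";
console.log('weak', auditCsp(WEAK_CSP, PAGE_ORIGIN, 'https://collector.example/c'));
console.log('hardened', auditCsp(HARDENED_CSP, PAGE_ORIGIN, 'https://collector.example/c'));
```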

https://www.bleepingcomputer.com/news/security/label-giant-avery-says-website-hacked-to-steal-credit-cards

If you have any questions or want to reach out, feel free to visit my contact page:
https://salvadorbeltran.cat/contact/

If you found this article interesting, check out other cybersecurity snippets on my blog:
https://salvadorbeltran.cat/blog/
