Explore 2024 payment fraud trends with Recorded Future: e-skimming, scam e-commerce, dark web insights, and 2025 predictions.
# Incident Report: Rise in Payment Fraud and E-Skimming Activity (2024 Review)
## Executive Summary
The year 2024 saw a significant evolution in payment fraud, characterized by a surge in stolen card data—269 million records posted across illicit platforms—and a threefold increase in Magecart e-skimmer infections targeting e-commerce sites. This activity was largely driven by readily available e-skimmer kits and the exploitation of vulnerabilities like CosmicSting. Response efforts focused on identifying compromised merchant environments and recommending enhanced validation for digital wallets going forward.
## Incident Details
- Discovery Date: Ongoing observations throughout 2024 (as reported in the 2024 Payment Fraud Intelligence Report)
- Incident Date: Spanning throughout 2024
- Affected Organization: Multiple e-commerce businesses and financial institutions globally (implied)
- Sector: E-commerce, Financial Services
- Geography: Global, with noted activity centered in the UK and Hong Kong for scam merchant hosting
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2024
- Vector: Exploitation of web application vulnerabilities on e-commerce platforms (e.g., CVE-2024-34102/CosmicSting) and distribution of generic e-skimmer kits.
- Details: Attackers deployed Magecart e-skimmers across nearly 11,000 unique e-commerce domains to harvest payment card data during transaction processing.
### Lateral Movement
*(Not explicitly detailed regarding internal network movement, focus is on web application compromise.)*
### Data Exfiltration/Impact
- Data Stolen: 269 million payment card records and 1.9 million stolen US bank checks.
- Impact: Compromise of card-not-present (CNP) transaction data, impacting both merchants and consumers.
### Detection & Response
- Detection: Analysis of underground marketplaces (dark and clear web) showing volume spikes.
- Response Actions: Mitigation strategies included urging acquired merchants to close e-commerce vulnerabilities and increasing rigor in merchant onboarding processes.
## Attack Methodology
- Initial Access: Exploitation of vulnerabilities (e.g., CosmicSting) leading to the deployment of e-skimmers such as Sniffer by Fleras on compromised e-commerce sites.
- Persistence: Use of established e-skimmer kits and fraudulent merchant accounts.
- Privilege Escalation: *(Not explicitly detailed)*
- Defense Evasion: Utilizing existing vulnerabilities and widely available, off-the-shelf kits.
- Credential Access: *(Focus was on payment data, not standard credentials)*
- Discovery: Reconnaissance likely involved scanning e-commerce platforms for known vulnerabilities.
- Lateral Movement: *(Focus was on web skimming across transactional layers)*
- Collection: Capturing card primary account numbers (PANs) and related data during checkout.
- Exfiltration: Posting data to dark and clear web marketplaces.
- Impact: Financial fraud and identity compromise via stolen payment credentials.
## Impact Assessment
- Financial: Significant undisclosed losses related to counterfeit fraud stemming from 269 million compromised card records.
- Data Breach: 269 million payment card records and 1.9 million US bank checks exposed.
- Operational: Disruption to e-commerce platforms due to ongoing skimming infections.
- Reputational: Damage to consumer trust in affected e-commerce sites.
## Indicators of Compromise
- Network Indicators: *(Specific hardcoded indicators are not provided in the summary)*
- File Indicators: Use of known e-skimmer kits (e.g., Sniffer by Fleras).
- Behavioral Indicators: Unusually high volumes of card-not-present data being processed or appearing on underground forums; deployment of JavaScript-based skimmers on checkout pages.
## Response Actions
- Containment: Identifying and urging merchants to close specific vulnerabilities (CosmicSting) affecting e-commerce sites.
- Eradication: Removing malicious e-skimmer code from compromised domains.
- Recovery: Increasing validation requirements for digital wallet provisioning.
## Lessons Learned
- The current reliance on generic e-skimmer kits makes targeted payment-system compromise highly scalable.
- Exploitable weaknesses in third-party code and known vulnerabilities (such as CosmicSting) remain the primary entry points for supply chain and web compromise.
- Telegram remains a persistent, decentralized channel for disseminating fraud data.
## Recommendations
- Organizations must aggressively identify and remediate vulnerabilities on e-commerce websites that enable Magecart e-skimmer infections.
- Increase rigor and vetting during merchant onboarding processes to prevent the establishment of fraudulent merchant accounts used to monetize data.
- Enhance validation requirements for digital wallet provisioning attempts, in particular by implementing push provisioning through online banking applications, to mitigate the OTP interception risks projected for 2025.
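The behavioral indicator above (JavaScript-based skimmers on checkout pages) and the first recommendation both come down to knowing which scripts a checkout page actually loads. The following is an added example, not code from the Recorded Future report: a defender-side audit of a checkout page's script inventory that flags scripts from origins outside an allowlist and external scripts without Subresource Integrity. The page origin `https://shop.example`, the allowlist, and the sample HTML are all constructed assumptions.

```javascript
// Added example (not from the report): audit a checkout page's <script> inventory,
// the layer where Magecart e-skimmers are injected. Flags scripts served from
// non-allowlisted origins, external scripts lacking Subresource Integrity, and
// inline scripts that should be reviewed by hand. Runs offline on a string of HTML.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
const PAGE_ORIGIN = "https://shop.example"; // assumed first-party origin

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Returns a list of findings; an empty list means every script is allowlisted and pinned.
function auditCheckoutScripts(html, allowedOrigins) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) {
      // Inline code on a checkout page cannot be SRI-pinned; surface it for review.
      if (m[2].trim()) findings.push({ kind: "inline-script", detail: m[2].trim().slice(0, 40) });
      continue;
    }
    let origin = null;
    try { origin = new URL(attrs.src, PAGE_ORIGIN).origin; } catch { /* unparsable src */ }
    if (!origin || !allowedOrigins.includes(origin)) {
      findings.push({ kind: "unexpected-origin", detail: attrs.src });
    }
    if (!attrs.integrity) {
      findings.push({ kind: "missing-sri", detail: attrs.src });
    }
  }
  return findings;
}

// Constructed sample: one allowlisted, pinned library; one unpinned first-party
// script; one third-party script from an origin nobody approved; one inline script.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/static/checkout.js"></script>
<script src="https://static-analytics.invalid/track.js"></script>
<script>document.getElementById('cc')</script>
</body></html>`;

const ALLOWED_ORIGINS = [PAGE_ORIGIN, "https://cdn.example"];
// auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, ALLOWED_ORIGINS) returns 4 findings.
```

Running the audit against a stored copy of each checkout page after every deployment, and diffing the findings over time, turns a newly appearing third-party script into an alert rather than a post-breach discovery.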