Cybercriminals continue to evolve their tactics, developing more sophisticated ways to persistently target the global payments ecosystem. With the disruption of Joker’s Stash, Emotet, Netwalker, Egregor, TA505 and numerous other cybercrime underground operations, it’s essential that organizations prepare their cybersecurity postures for the inevitable introduction of new threat actors. 

While the past year may have brought an overall reduction of the fraud rate for some channels – such as the card-present channel, likely due to restrictions put in place on brick-and-mortar merchants as a result of the COVID-19 pandemic – threats against payment systems remain. Paired with the holiday shopping surge and a new normal in which customers are far more comfortable making digital purchases, payment providers, fintech firms merchants and suppliers need to understand the threat landscape if they hope to maintain positive customer experiences.

Heading into 2022 there are three key areas where security leaders need to be well-versed: innovations in eSkimming methods, intensifying pressure from ransomware campaigns on the payments ecosystem and the supply chain, and sophisticated enumeration attacks that impact and payments ecosystem.


Innovations in eSkimming

The surge in eCommerce payment volume has made eCommerce merchants an attractive target for eSkimming malware. During the first half of 2021, Visa observed that approximately 70% of at-risk payment accounts were comprised of card-not-present data as new techniques targeting eCommerce merchants and customer payment account data continued to crop up. 

Since 2020, threat actors have increasingly leveraged web shells to facilitate eSkimming attacks. Web shells are tools used to establish and maintain access to compromised servers, deploy additional malicious files, facilitate lateral movement within a victim’s network, and remotely execute commands. At least 45 eSkimming attacks using web shells were identified throughout 2020, and the trend persisted into 2021. 

Targeting vulnerabilities in popular eCommerce platforms persisted from 2020 into 2021, but with added innovation. In one case, threat actors deliberately scanned eCommerce sites that were already infected with eSkimmers and injected their own script to steal the data from the first threat actors. Such cases exemplified the dangers of running outdated and unpatched software.

Another evolution entails using publicly available jpeg image files to exfiltrate payment account data from an infected merchant website. In March 2021, researchers discovered a new eSkimming variant that infected the PHP source code from a popular eCommerce platform provider to steal customer data and store it encoded in an image hosted on the victim’s own website, uniquely combining two techniques observed in previous attacks. This tactic effectively enabled an attacker to retrieve stolen data while disguising the action as an innocuous image request.

Lastly, eSkimming campaigns continue to use the chat application Telegram to operate as a command and control (C2) within attacks. Using Telegram enables threat actors to easily access the C2 infrastructure and exfiltrate data using varying internet connected devices. Telegram also facilitates persistence and avoids detection as the application is often permitted by enterprise anti-virus solutions.


Ransomware Operations Ratchet Up the Pressure 

While it’s widely understood that ransomware persists as a significant threat, organizations need to be aware of new developments within ransomware attacks. In fact, ransomware operations are intensifying pressure on victims. After exfiltrating sensitive data and encrypting data and systems on a victim’s environment, ransomware operators continue to apply pressure on victim organizations: one example being the targeting of victims with distributed denial of service (DDoS) attacks. Known threat actors leveraging DDoS attacks in their campaigns include the AvaddonSunCrypt, and RagnarLocker groups.

Financially motivated threat actors are increasingly targeting payment ecosystem entities with ransomware. Visa identified numerous global ransomware attacks against issuers, acquirers, and merchants. While ransomware actors are opportunistic and target any sensitive data, payment account data was specifically targeted and compromised in some of these attacks. Therefore, payments organizations need to be prepared and well-defended against evolving ransomware threats.


New Enumeration Attack Targets 

Enumeration is the scalable and programmatic automated testing of common payment fields via eCommerce transactions to effectively guess the full payment account number, CVV2, and/or expiration date. Enumeration enables actors to target numerous entities by exploiting the use of common third-party data. Threat actors carrying out enumeration attacks are increasingly targeting merchant service providers.

In one such case in early 2021, a new enumeration campaign targeted flower shops and florist merchants that shared a common third-party service provider, which supplied web design and other digital marketing services. The enumeration activity impacted 33 merchants and involved more than 2,500 enumerated transactions per merchant. While threat actors primarily targeted U.S. issuers in this campaign, the incident impacted issuers globallyThe case also demonstrated how threat actors can exploit vulnerabilities in eCommerce merchant service providers to execute testing attacks against merchants.   

In another case, a new enumeration campaign in 2021 targeted the authentication stage of transactions on eCommerce merchants. This marked a divergence from most enumeration campaigns, which are conducted in the authorization stream. 

In authentication enumeration attacks, fraudsters identify a merchant that does not have adequate security controls, such as CAPTCHA, on their website. This enables the fraudsters to automate authentication attempts on targeted accounts and iterate through the payment account values. Merchants can leverage protocols to provide an extra layer of identity verification before authorization.


Threats Landscape Forecast for 2022 and Beyond

Cybercrime operations will continue to evolve and become more sophisticated throughout 2022, particularly as major cybercrime operations have been effectively disrupted as referenced earlier throughout the course of the 2021. Card present fraud will likely see an increase in the short-term, as COVID-19 related restrictions are eased and fraudsters increasingly target brick-and-mortar merchants with skimmers and point-of-sale malware. However, with the increase in secure acceptance technology, card present data has become less attractive to cybercriminals. Ultimately, cybercrime operations will continue to primarily focus on card-not-present data obtained through eSkimming, enumeration or other tactics targeting eCommerce environments. Ransomware will remain a persistent threat to ecosystem partners globally.