Costco Hit by Card Skimming Attack Heading Into Holiday Season

Costco, one of the world’s largest retailers, has warned customers that they may have had bank card details stolen, following reports that payment card skimming devices were discovered at Costco warehouses.

“If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card expiration date, and CVV,” Kevin Green, VP Midwest region operations at Costco, wrote in a letter to potentially affected customers.

The letter, dated November 5, 2021, was uploaded to Documentcloud by Bleeping Computer.

The letter offers customers who may have been affected free credit monitoring from IDX for 12 months, but provides no further details on the device itself, nor the period in which it was operational. 

It was discovered “as a result of regular pin pad inspections conducted by Costco personnel.” It was therefore potentially operational for any part of the period between this and the previous inspection. Fox Business reports that a total of five skimmers were found in four different Chicago-area warehouses during pin pad inspections at the end of August. 

“The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code is universal, other cards can contain additional information like billing address or rewards account numbers,” comments Randy Watkins, CTO at managed detection and response firm Critical Start.

Armen Najarian, chief identity officer at Outseer, warns that we can expect to see a growth in such attacks as we get closer to the holiday season – a threat made worse by staff shortages cause by the pandemic. “As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes,” he said. 

“All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.”

Such physical attacks only affect the users of the compromised devices and should not be confused with the software skimming technique of a Magecart attack.  At Black Hat Europe on November 10, 2021, external attack surface management firm Cyberpion announced the possibility of a new wave of Magecart attacks. It analyzed more than 30,000 Magecart vulnerabilities over the last two years and found that more than 10,000 are still active. 

“There were also severe lapses in enterprises disclosing security vulnerabilities or exploits occurring along their digital supply chains to their customers, ultimately placing all connected organizations at severe risk of a critical breach.”

Magecart is the common name for a style of cyber attack used by multiple threat actors. Hackers compromise third party code (typically JavaScript that runs in browsers) to steal, or scrape, information such as credit card data from web-applications (for example, online checkout software) or websites that incorporate the code. Big name victims of such attacks include British Airways and Ticketmaster in 2018, Forbes magazine in 2019, plus local US government portals and messaging service Telegram 2020.

“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. “Victims are often the last to know as it’s only later that organizations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.”

Related: Online Retailers Ill-Prepared for Holiday Season

Related: Hackers Favoring Shimmers Over Skimmers for ATM Attacks

Related: Hunting for Magecart With URLscan.io