SecurityWeek

Cybercrime

Costco Hit by Card Skimming Attack Heading Into Holiday Season

Costco, one of the world’s largest retailers, has warned customers that they may have had bank card details stolen, following reports that payment card skimming devices were discovered at Costco warehouses.

“If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card expiration date, and CVV,” Kevin Green, VP Midwest region operations at Costco, wrote in a letter to potentially affected customers.

The letter, dated November 5, 2021, was uploaded to Documentcloud by Bleeping Computer.

The letter offers customers who may have been affected free credit monitoring from IDX for 12 months, but provides no further details on the device itself, nor the period in which it was operational. 

It was discovered “as a result of regular pin pad inspections conducted by Costco personnel.” The device could therefore have been operational at any point between that inspection and the previous one. Fox Business reports that a total of five skimmers were found in four different Chicago-area warehouses during pin pad inspections at the end of August.

“The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code are universal, other cards can contain additional information like billing address or rewards account numbers,” comments Randy Watkins, CTO at managed detection and response firm Critical Start.

Armen Najarian, chief identity officer at Outseer, warns that we can expect to see a growth in such attacks as we get closer to the holiday season – a threat made worse by staff shortages caused by the pandemic. “As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes,” he said.

“All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.”


Such physical attacks affect only the users of the compromised devices and should not be confused with the software skimming technique of a Magecart attack. At Black Hat Europe on November 10, 2021, external attack surface management firm Cyberpion announced the possibility of a new wave of Magecart attacks. It analyzed more than 30,000 Magecart vulnerabilities over the last two years and found that more than 10,000 are still active.

“There were also severe lapses in enterprises disclosing security vulnerabilities or exploits occurring along their digital supply chains to their customers, ultimately placing all connected organizations at severe risk of a critical breach.”

Magecart is the common name for a style of cyber attack used by multiple threat actors. Hackers compromise third-party code (typically JavaScript that runs in browsers) to steal, or scrape, information such as credit card data from web applications (for example, online checkout software) or websites that incorporate the code. Big-name victims of such attacks include British Airways and Ticketmaster in 2018, Forbes magazine in 2019, plus local US government portals and the messaging service Telegram in 2020.
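Because Magecart relies on tampering with third-party scripts that a checkout page loads, one defensive check is to audit which of those scripts carry a Subresource Integrity hash. The following is an added example (not code from the article or from any company it mentions); the sample page, host names and the `sha384-PLACEHOLDER_HASH` value are constructed placeholders.

```javascript
// Added example, not code from the SecurityWeek article: list the scripts a
// checkout page loads and flag third-party ones that lack Subresource
// Integrity (SRI). Magecart tampers with third-party JavaScript; an SRI hash
// makes a modified copy of that script fail to load in the browser.
// The sample page is constructed; host names and the hash are placeholders.
const SAMPLE_HTML = `
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example-payments.test/checkout.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://analytics.example.test/tag.js"></script>
<script>window.inlineInit = true;</script>
</body></html>`;

// Pull one attribute value (double-, single-quoted or bare) out of a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Return one record per <script src=...> with the findings a reviewer would want to see.
function auditScripts(html, firstPartyHost) {
  const results = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = attr(attrs, "src");
    if (src === null) continue; // inline script: cover with CSP nonces/hashes instead
    const host = new URL(src, `https://${firstPartyHost}/`).host;
    const thirdParty = host !== firstPartyHost;
    const hasIntegrity = attr(attrs, "integrity") !== null;
    const hasCrossorigin = /\bcrossorigin\b/i.test(attrs);
    const findings = [];
    if (thirdParty && !hasIntegrity) findings.push("third-party script without SRI");
    // A cross-origin script with integrity but no crossorigin attribute yields an
    // opaque response: the browser cannot verify it and will refuse to run it.
    if (thirdParty && hasIntegrity && !hasCrossorigin) findings.push("SRI without crossorigin");
    results.push({ src, host, thirdParty, hasIntegrity, findings });
  }
  return results;
}

for (const r of auditScripts(SAMPLE_HTML, "shop.example.test")) {
  console.log(`${r.src} -> ${r.findings.length ? r.findings.join("; ") : "ok"}`);
}
```

Run it against the HTML of a real checkout page (fetched with the same first-party host) to get the list of third-party scripts that would still load unchecked if their source were modified.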

“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. “Victims are often the last to know as it’s only later that organizations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.”

Related: Online Retailers Ill-Prepared for Holiday Season

Related: Hackers Favoring Shimmers Over Skimmers for ATM Attacks

Related: Hunting for Magecart With URLscan.io

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
