Cybercriminals showed no signs of slowing down in 2022 as they employed a variety of schemes to defraud consumers, acquirers, card issuers, and merchants, according to Visa Inc.’s Spring 2023 Biannual Threats Report.
Cryptocurrency was a prime target for cybercriminals. More than $3 billion in cryptocurrency was stolen through November of 2022, according to the report. By comparison, criminals stole $2.1 billion in cryptocurrency through October 2021, according to a CBS News report.
Between January and early October 2022, the cryptocurrency ecosystem experienced 13 separate bridge attacks totaling $2 billion in thefts, with $1.3 billion stolen between January and March alone, according to Visa.
A crypto bridge is a protocol that enables two or more blockchains to work together and share data with each other by connecting the chains so users on one network can participate in the activities of another. This allows crypto users to deploy their holdings outside their native blockchains.
“A common tactic used in bridge-service attacks is the exploitation of vulnerabilities in a bridge service’s smart contracts to either forge new transactions or allow for the approval of unauthorized transactions, which allows threat actors to either mint or steal funds and move into fraudster-controlled wallets,” the report says.
Crypto thefts have become such a large problem that the Federal Bureau of Investigation recently issued a warning to cryptocurrency investors about the increase in threat actors targeting decentralized finance (DeFi) crypto services.
“As cryptocurrency and DeFi platforms continue to develop, and more virtual assets are held in consumers’ digital wallets, threat actors will likely increase their attempts at stealing money and assets through exploiting vulnerabilities such as the ones mentioned above,” Visa’s Chief Risk Officer Diego Paul Fabara says in a blog post about the report. DeFi refers to decentralized finance, a type of digital platform involving cryptocurrency.
Another tactic gaining momentum among cybercriminals is digital skimming, in which criminals deploy malicious code onto a merchant’s checkout page to scrape and harvest customer payment account data, such as primary account number (PAN), card verification value (CVV2), expiration date, and personally identifiable information. Digital skimming cases increased 174% between June and November 2022, compared to the period between December 2021 and May 2022, the report says.
“Digital skimming attacks are often the result of misconfigurations or lack of security controls, and merchants of every size can help prevent these attacks by ensuring their software is up to date,” says Fabara.
Indeed, many digital-skimming attacks exploit unpatched or outdated e-commerce payment plugins used by merchant Web sites, according to the report. For example, Visa identified three separate incidents in which different threat actors targeted the same e-commerce payment plugin used by online merchants.
One of the more notable digital-skimming attacks during the past six months came against an e-commerce merchant in North America. Cybercriminals created a fake checkout page for the merchant, which was shown to shoppers and harvested cardholder data. After the data was collected, the page was removed. But the same threat actors compromised an administrator account, likely due to a weak or compromised password, and then appended malicious digital-skimming code to the merchant’s actual checkout page, according to the Visa report.
Another favored tactic of cybercriminals is enumeration attacks, in which criminals launch a brute-force assault against a Web application by testing common payment-data elements through e-commerce transactions to guess the full payment account number, CVV2, and expiration date. For example, criminals will use credentials exposed in previous breaches or social-engineering scams to attempt access to other Web sites and applications where users may have used the same login information.
The United States was the most targeted region over the past six months for enumeration attacks, with 63.5% of the attacks targeting acquirers and 38.8% targeting card issuers.
“Acquiring banks are advised to conduct thorough due diligence during the merchant onboarding phase to ensure the validity of the merchant, as many fraudulently onboarded merchants are used for enumeration and the subsequent monetization of enumerated PANs,” the report says.