Kurhan - stock.adobe.com

Black Friday cyber warning for 4,000 card-skimming victims

NCSC warns thousands of small retailers that their websites are being exploited to steal customer data

The annual Black Friday and Cyber Monday retail security warnings have started to drop in the form of fresh National Cyber Security Centre (NCSC) guidelines for retailers alongside direct notifications to over 4,000 small business sites where the UK’s cyber security agency found customer payment details were being stolen by online credit card skimmers.

The NCSC said that up to the end of September its Active Cyber Defence (ACD) programme had identified 4,151 online retail websites that were unwittingly “hosting” credit card skimmers, which exploit vulnerabilities in checkout software to divert payments and steal customer data.

Many of these were compromised by a long-disclosed vulnerability in Adobe’s Magento product, which despite repeated warnings, many small businesses are failing to update, either out of lack of IT capacity or ignorance.

“We want small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period,” said Sarah Lyons, deputy director for economy and society at the NCSC.

“Falling victim to cyber crime could leave you and your customers out of pocket and cause reputational damage. It’s important to keep websites as secure as possible and I would urge all business owners to follow our guidance and make sure their software is up to date.” 

“I would urge all business owners to follow our guidance and make sure their software is up to date”
Sarah Lyons, NCSC

Graham Wynn, director of consumer, competition and regulatory affairs at the British Retail Consortium (BRC), added: “Skimming and other cyber security breaches are a threat to all retailers. The British Retail Consortium strongly urges all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end-of-year period.”

The full NCSC guidelines on safely running a small business online can be found here. It also offers advice for consumers to better protect themselves while shopping virtually.

The holiday spike in online fraud and digitally enabled crime against retailers and their customers – which kicks off this week in earnest ahead of the US Thanksgiving holiday on Thursday 25 November – has now become as time-honoured a tradition in the cyber security community as the holidays themselves.

Kaspersky, for instance, has already observed increases in phishing attempts against users of online payment services, as well as multiple spam email campaigns using the Black Friday sales as a lure.

Check Point data group manager Omer Dembinsky said his systems were currently seeing more than 5,000 new malicious websites being established every week, an increase of nearly 200% compared with the 2021 average.

“Hackers are doubling down on the strategy to lure consumers into fraud through ‘too good to be true’ offers, promising large discounts such as 80% or 85% off. Their strategy is to capitalise on a consumer’s excitement after showing an eye-popping discount. I strongly urge consumers to beware of these ‘too good to be true’ offers as they shop online,” said Dembinsky.

“You can protect yourself by being attentive to lookalike domains, shopping from reliable sources and spotting password reset and other account-related notifications that show excessive urgency. Do not click these links, and if needed, go directly to the website and change details from your account.”  

Read more about online fraud

Read more on Hackers and cybercrime prevention

Data Center
Data Management