Meet Merry Maker: How Target Protects Against Digital Skimming

February 1, 2022

Chris Carlson

Senior Director, Cybersecurity

Credit card skimmers are custom-made additions to payment devices (like ATMs or gas pumps) that criminals build and use to steal a consumer’s payment information. The threat also exists in digital form, as malicious code covertly inserted into websites to steal credit card information. And with many more people shopping online, protecting against digital skimmers is more important than ever.
 
A Proactive Defense
 
Several years ago, we built our own system and technology when we realized there were no readily available solutions in the market to defend against digital skimming. The first step, which would be the most immediate way to lower risk, was to remove significant amounts of third-party code from Target.com. This was also quite a disruptive approach given holiday season was right around the corner and we were entering peak operations time. We were very thoughtful as we removed the code to ensure the website remained stable and to maintain a frictionless guest experience throughout the process.
 
Once completed, we then pivoted to identifying a way to detect the presence of digital skimmers on Target.com. We focused on a few key processes:
 
  • Preserving a baseline of our existing payment pages by saving the code being served by Target.com along with the network traffic generated by test payment transactions
  • Scanning the saved code for any malicious indicators
  • Scanning the saved network traffic for any potential compromise
 
Two Target security developers, Principal Engineer Eric Brandel and Distinguished Engineer Caleb Walch, then designed and built Merry Maker as an in-house tool to execute on the entire process at scale. Merry Maker continually simulates online browsing and completes test transactions to scan for the presence of malicious code. Merry Maker acts like a guest on Target.com by completing several typical activities including online purchases. While doing so, the tool gathers and analyzes a variety of information including network requests, JavaScript files, and browser activity to determine if there’s any type of unwanted activity.
 
Merry Maker’s purchases are flagged as test orders internally so that they don’t get processed, but otherwise, everything happens behind the scenes just as it normally would during check out. If any possible malicious activity is detected, Merry Maker triggers an alert to Target’s 24/7 Cybersecurity Incident Response Team to prompt an investigation. We also routinely work with Target.com partners and vendors to remove unnecessary third-party JavaScript from sensitive pages.
 
An Open Defense
 
Since its launch in 2018, Merry Maker has completed over one million website scans, and we’ve filed multiple patent applications. And why the name Merry Maker? The technology was launched right before Thanksgiving in 2018 and we nicknamed it for its ability to help keep the holiday shopping season – and all shopping occasions – safer and merrier.
Today we’ve open sourced the Merry Maker framework along with several detection rules in the hopes that this information helps other cybersecurity teams stand up their own customized defense. Digital security is a team sport – a threat to one is a threat to all – and entities need to work together to create safe online environments for consumers. We’re proud to be a leading sharer and collaborator across the retail industry and we hope Merry Maker helps others protect against digital skimming attacks.
 
Click here to access the Merry Maker open source project.
Click here to read a technical behind-the-scenes of how Merry Maker works in real-time and how we built it.

RELATED POSTS

Behind the Scenes of Merry Maker

By Eric Brandel and Caleb Walch, February 1, 2022
We recently introduced Target’s cybersecurity tool “Merry Maker” and open sourced the framework to help others protect against digital skimming.