What is Skimming in Cybersecurity? How to Detect and Prevent a Skimming Attack
Web skimming is when hackers and fraudsters use malicious code to steal credit card information from e-commerce websites. In addition to payment card details, web skimming attacks can also steal personally identifiable information (PII) from unsuspecting customers. Cybercriminals use the stolen data for unauthorized purchases, identity theft, or resale.
Also referred to as digital skimming, online card skimming, or e-skimming, web skimming is a common cybercrime. Authorities estimate that web skimming in the USA rose 368% from 2021 to 2022 [1]. Web skimming attacks can result in substantial financial losses for businesses and severely damage their reputations. Major international companies including airlines, electronics manufacturers, and retailers have lost millions of dollars due to web skimming attacks [2,3,4].
Any type of e-commerce business is vulnerable to a web skimming attack. In this article, we detail how web skimming works and explain how to protect your business from a web skimming attack.
What are skimming attacks?
The term skimming refers to removing a thin layer of material from a surface. When talking about crime, skimming is used as a metaphor for how fraudsters steal confidential information from unsuspecting victims.
The widespread adoption of automatic teller machines (ATMs) during the 1980s led to the rise of skimming attacks. Physical skimming attacks are carried out by attaching a device to a card reader. When the card is swiped, the device steals the data contained on the magnetic stripe. As well as ATMs, skimming devices can also be fitted to fuel pumps and point of sale (POS) terminals.
With the introduction of digital payment systems, criminals developed new ways of stealing payment details and PII from e-commerce websites via malicious code.
What is skimming in cybersecurity?
Skimming works in much the same way in the digital world that it does in the real world. Instead of planting a physical skimming device, cybercriminals use sophisticated malicious code injections to gather payment data from online payment forms. Often, the site owner is unaware that their e-commerce website is infected.
In many cases, a skimming attack is part of a detailed phishing scam. Unsuspecting users are sent emails with links that direct them to fake e-commerce websites with checkout fields that capture and store their data. These fake sites are known as spoofed websites. They can look remarkably like legitimate sites, but instead of providing a service they intend to steal sensitive information.
Web skimming is also referred to as Magecart attacks. The name Magecart was coined because e-commerce sites hosted on the Magento platform were common targets for web skimming hacker groups. Although web skimming attacks now occur across a broad range of platforms, the term Magecart attack is still in use.
All instances of web skimming require the use of sophisticated code. Unfortunately, these attacks have become more common because fraudsters and hackers no longer need to be able to write e-skimming code from scratch. Advances in machine learning and artificial intelligence have made it easier than ever to acquire and implement a skimming attack. Cybercriminals can purchase ready-made skimming kits, exploit existing malicious scripts, or use automated tools to inject malware into vulnerable websites.
How does web skimming work?
A web skimming attack is accomplished by infecting an e-commerce site with malicious code, either via malware or by exploiting security vulnerabilities. Cybercriminals exploit vulnerabilities in third- or fourth-party scripts (often written in JavaScript) that are used by the website. These outside scripts are usually loaded on the checkout page itself or on a separate credit card processing page linked to the e-commerce website.
Malicious skimming code can also be injected via cloud storage containers like Amazon S3 buckets that have been misconfigured to be publicly accessible. GitHub repositories also often provide hackers and fraudsters with pathways to gain access to exposed application programming interface (API) keys and credentials.
These vulnerabilities provide cybercriminals with an entry point where they can inject malicious code that collects data in real time. As users unwittingly enter payment information into seemingly normal checkout fields, skimming scripts capture the card details and immediately send them to attacker-controlled servers.
What is the impact of web skimming attacks?
Web skimming gives cybercriminals access to debit card and credit card details that can be used to make unauthorized online shopping purchases and fraudulent transactions. Stolen card data is also often sold to other cybercriminals via marketplaces hosted on the dark web.
However, unlike the physical skimming of debit and credit cards, e-skimming fraudsters and hackers can obtain much more than just card numbers. Data breaches caused by digital skimming also provide cybercriminals with access to PII and sensitive information. These personal details are used to commit identity theft or sold on the dark web.
In 2022, e-skimming attacks resulted in 45.6 million payment card records being offered for sale on dark web platforms [5]. It’s estimated that an average of 185 cards were compromised per skimming incident [6]. While it is difficult to ascertain the exact cost of web skimming, the FBI has reported that e-skimming scams result in annual losses exceeding $1 billion for cardholders and financial institutions [7].
A business that has been the target of a web skimming attack also suffers severe reputational damage. Customers who have had data or PII stolen will be less likely to trust the business in the future. This can lead to decreased sales and even potential legal consequences. A skimming attack can result in breaches of data protection regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
Are web skimming attacks hard to detect?
E-skimming attacks can be very difficult to detect because they happen in real time and leave no obvious traces. Web skimming operates on the client side, meaning that cybercriminals don’t need to break into servers or penetrate deep security layers.
Cybercriminals also employ a variety of techniques to hide their activities. Malicious JavaScript can be hidden within legitimate scripts, so it looks like a normal website function. E-commerce sites contain hundreds of lines of code, so it is very easy to hide the few lines of code skimmers require.
How to protect your business from skimming attacks
While skimming attacks are commonplace and hard to detect, there are measures you can take to protect your business:
- Conduct regular audits of your website and keep an up-to-date inventory of your web assets.
- Regularly scan client-side applications to identify any anomalies.
- Make sure your JavaScript libraries are patched and updated and are not on any blacklists.
- Only use plug-ins, widgets, extensions, or third-party scripts from reputable sources.
Businesses are well advised to use proactive security measures like Content Security Policies (CSPs), Subresource Integrity (SRI), regular security audits, and behavior-based detection. These measures can detect web skimming attacks before they cause damage.
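The script inventory and Subresource Integrity checks described above can be combined into one audit of a payment page's script tags. The following is an added example, not code from this article or from any vendor it names; the hosts, markup and script bodies are constructed, and it compares sha384 SRI values only.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def origin(url: str) -> str:
    return "{0.scheme}://{0.netloc}".format(urlparse(url))

class ScriptCollector(HTMLParser):  # collects (src, integrity) per external <script>
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def audit(html, page_url, approved_origins, fetched):
    """Return sorted (script_url, finding) pairs for one payment page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)
        body = fetched.get(url)  # script body as currently served, if retrieved
        if origin(url) not in approved_origins:
            findings.append((url, "unapproved-origin"))  # not in the inventory
        if origin(url) != origin(page_url) and not integrity:
            findings.append((url, "missing-sri"))  # third-party script, no pin
        elif integrity and body is not None and sri_hash(body) not in integrity.split():
            findings.append((url, "sri-mismatch"))  # served body differs from pin
    return sorted(findings)

# Constructed sample data (hypothetical hosts, markup and script bodies).
PAGE_URL = "https://shop.example/checkout"
APPROVED = {"https://shop.example", "https://cdn.payments.example"}
PINNED = sri_hash(b"function pay(){/* reviewed build */}")
SAMPLE_PAGE = f"""
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="{PINNED}"></script>
<script src="https://cdn.payments.example/widget.js"></script>
<script src="https://stats.unknown.example/t.js"></script>
"""
FETCHED = {"https://cdn.payments.example/sdk.js": b"function pay(){/* changed */}"}
print(audit(SAMPLE_PAGE, PAGE_URL, APPROVED, FETCHED))
```

The approved-origin set used here is also the natural source for the page's CSP script-src allowlist, so the audit and the policy stay in step.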
One of the most effective ways to protect your website from cybercriminals is to use an automated payment fraud detection program to constantly scan and monitor your site. To deliver complete protection across your entire digital attack surface, DataDome has partnered with Source Defense, a specialist in client-side security and payment page protection. Source Defense provides continuous script monitoring, threat detection, and anomaly alerts to help you avoid expensive breaches, safeguard cardholder data, and preserve customer trust. You can protect your business and your customers from e-skimming attacks and instances of API fraud.
If you operate an e-commerce website, then by March 2025 you must comply with the new PCI DSS 4.0 requirements. These standards require businesses to implement continuous monitoring, inventory, and security controls for all payment pages. Source Defense ensures compliance with all PCI DSS 6.4.3 and 11.6.1 client-side requirements.
FAQs on What is Skimming in Cybersecurity?
In cybersecurity, skimming is a term used to describe the theft of payment details and personal information. Cybercriminals hide malicious code in websites to steal credit card details. The stolen data is then used or sold for fraud.
VDI (Virtual Desktop Infrastructure) provides secure, remote access to a centralized desktop environment. It helps protect sensitive data by keeping it on a secure server. This reduces the risk of malware and data leaks.
The most effective way to protect an e-commerce website from skimming attacks is to ensure there is continuous monitoring of client-side scripts. DataDome partners with Source Defense, a client-side security specialist, to deliver complete protection. Source Defense provides continuous script monitoring, threat detection, and anomaly alerts to help you identify any suspicious activity. Source Defense also ensures your website complies with the new PCI DSS 4.0 requirements.
Sources
1 https://www.fico.com/blogs/us-card-skimming-grew-nearly-5x-2022-new-fico-data-shows
2 https://www.bbc.com/news/technology-45481976
3 https://www.infosecurity-magazine.com/news/casio-magento-web-skimmer-campaign/
5 https://therecord.media/europol-identifies-hundreds-ecommerce-skimmers
6 https://www.usccreditunion.org/learn/blog/guide-to-combat-card-skimming
7 https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/skimming
