Summary
Drive-by web skimming is a stealthy client-side attack in which malicious JavaScript is injected into a website, often through a third-party script, so that it can steal sensitive user data such as payment card details as users type it. It matters because businesses often don't realize they've been compromised until customer data has already been stolen, exposing them to regulatory fines and reputational damage.

What Is Drive-by Web Skimming?
Drive-by web skimming is a form of client-side cyberattack where attackers inject malicious JavaScript into websites to covertly capture user input, such as credit card numbers or login credentials. Unlike traditional card skimming, which requires a physical device attached to an ATM or point-of-sale terminal, drive-by web skimming happens invisibly inside the user's browser session during legitimate interactions with a compromised web page. The server, the TLS connection and the payment processor all behave normally; the theft happens in the page itself before the data is ever submitted.
How It Works
- Injection Point: Attackers obtain the ability to write to JavaScript the page loads, often by compromising a third-party script vendor, a tag manager or CMS plugin, stolen administrative credentials, or misconfigured cloud storage or a CDN that serves the site's assets.
- Malicious Script Deployment: The attacker plants malicious JavaScript that lies dormant until a user enters data on a form of interest, typically a checkout or login page, and is usually obfuscated to blend in with legitimate libraries.
- Data Harvesting: As users fill out the form, the script reads the input fields in real time, for example on keystrokes, on focus changes, or by hooking the form's submit event, so the data is captured even if the user later abandons the purchase.
- Data Exfiltration: The stolen data is then silently transmitted to an attacker-controlled server, usually base64-encoded or otherwise obfuscated and often disguised as an image request or analytics beacon to a look-alike domain.
This type of attack is "drive-by" in the sense that users do not need to click or download anything. Simply loading the compromised webpage is enough to run the skimming script, because it executes with the same privileges as the site's own code.
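The harvesting and exfiltration steps above are easiest to understand from the defender's side: given a captured outbound request, peel off the encoding layers and check whether the payload contains a card number. The following is an added example written for this page, not code from the original article or from Feroot. The host names, the request log and the harvested fields are constructed for the example, and the allowlist of legitimate hosts is an assumption about the site being protected.

```javascript
// Added example (not from the original page): recover the payload of a
// skimmer's exfiltration beacon and flag requests that carry card data to a
// host outside the site's allowlist. The log lines and host names below are
// constructed for this example. Run with: node exfil-detect.js (Node 16+).

// Luhn check: a cheap filter for "does this digit string look like a PAN?"
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Undo the layers skimmers typically stack: base64 (standard or URL-safe)
// around JSON or form-encoded key=value pairs. Returns an object or null.
// Spaces are mapped back to '+' because URL parsing turns '+' into a space.
function decodePayload(raw) {
  const b64 = raw.replace(/ /g, '+').replace(/-/g, '+').replace(/_/g, '/');
  const candidates = [Buffer.from(b64, 'base64').toString('utf8'), raw];
  for (const c of candidates) {
    try {
      const parsed = JSON.parse(c);
      if (parsed && typeof parsed === 'object') return parsed;
    } catch { /* not JSON */ }
  }
  for (const c of candidates) {
    const obj = Object.fromEntries(new URLSearchParams(c));
    if (Object.values(obj).some((v) => v !== '')) return obj;
  }
  return null;
}

// Report any field whose value passes Luhn; the masked PAN is safe to log.
function findCardFields(obj) {
  const hits = [];
  for (const [field, value] of Object.entries(obj)) {
    const digits = String(value).replace(/[\s-]/g, '');
    if (luhnValid(digits)) {
      hits.push({ field, pan: `${digits.slice(0, 6)}******${digits.slice(-4)}` });
    }
  }
  return hits;
}

// One outbound request URL, as a proxy or browser network log records it.
// Requests to allowlisted hosts are skipped; everything else is decoded.
function analyzeRequest(urlString, allowedHosts) {
  const url = new URL(urlString);
  if (allowedHosts.includes(url.hostname)) return null;
  for (const value of url.searchParams.values()) {
    const payload = decodePayload(value);
    if (!payload) continue;
    const cards = findCardFields(payload);
    if (cards.length > 0) {
      return { host: url.hostname, fields: Object.keys(payload), cards };
    }
  }
  return null;
}

function scanLog(lines, allowedHosts) {
  return lines.map((l) => analyzeRequest(l, allowedHosts)).filter(Boolean);
}

// Constructed sample: three legitimate requests and one beacon shaped like a
// typical skimmer exfiltration (a fake image request carrying base64 JSON,
// percent-encoded the way btoa() + encodeURIComponent() would produce it).
const ALLOWED_HOSTS = ['shop.example', 'cdn.example', 'api.psp.example'];
const HARVESTED = { cc: '4111 1111 1111 1111', exp: '12/27', cvv: '123', name: 'Jane Doe' };
const SAMPLE_LOG = [
  'https://shop.example/checkout',
  'https://cdn.example/js/app.js?v=42',
  'https://analytics.example/collect?e=pageview&p=%2Fcheckout',
  'https://stats-collector.example/p.gif?d=' +
    encodeURIComponent(Buffer.from(JSON.stringify(HARVESTED)).toString('base64')),
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG, ALLOWED_HOSTS), null, 2));
```

Only the request to stats-collector.example is reported, with the card field masked. The same decode-then-Luhn logic can be pointed at CSP violation reports or at the request log of a synthetic checkout transaction run against staging, which is a cheap way to exercise a payment page for exfiltration without waiting for a real victim.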
Who’s at Risk
- E-commerce websites
- Healthcare portals collecting patient information
- Financial services platforms
- Any website using third-party scripts (e.g., analytics, chat, A/B testing)
- Any organization whose developers or IT teams have limited visibility into what code actually executes in their users' browsers
Real-World Examples
- British Airways (2018): A Magecart group appended a short skimmer (22 lines of JavaScript) to a Modernizr library served from the airline's own site, capturing payment details entered on the booking flow and affecting roughly 380,000 customers.
- Ticketmaster (2018): A compromised third-party chatbot script from Inbenta, loaded on Ticketmaster's payment pages, exposed customers' payment details.
- Boom! Mobile (2020): Skimming code injected into the mobile carrier's checkout page sent card data entered by customers to an attacker-controlled domain.
How to Detect or Prevent It
- Implement Subresource Integrity (SRI) on third-party scripts so the browser refuses to run a script whose content no longer matches the hash you reviewed. The caveat: SRI only works for scripts whose content is stable, and a vendor that updates its script will break the page until you re-hash it, which is exactly the review step you want.
- Use Content Security Policy (CSP) headers to restrict which scripts can run (nonces or hashes for inline scripts, an explicit list of script origins) and, just as importantly, where the page may send data: connect-src, img-src and form-action limit the destinations a skimmer can exfiltrate to, and CSP reporting turns a blocked attempt into an alert.
- Monitor client-side behavior with tooling that detects unauthorized DOM manipulations, in particular script elements added after page load and new event handlers attached to payment form fields.
- Perform regular script audits and third-party vendor risk assessments: keep an inventory of every script on payment pages, who authorized it, and why it is needed.
- Watch outbound requests from payment pages for unexpected destinations and encoded payloads, and alert in real time rather than at the next scheduled review.
How Feroot Helps
Feroot’s Client-side Security Platform continuously monitors your website for malicious JavaScript activity, flags suspicious script behavior, and helps you enforce security policies like SRI and CSP. Our solution delivers real-time alerts and automated defenses to prevent drive-by web skimming and ensure your users’ data stays safe.
FAQ
What makes drive-by web skimming different from traditional skimming?
Traditional skimming targets physical devices such as ATMs or POS terminals and requires the attacker to be on site. Drive-by web skimming occurs entirely in the browser of each visitor to a compromised website, scales to every transaction on that site, and leaves no physical evidence.
How do attackers get access to inject the skimming code?
They often exploit vulnerabilities in third-party scripts, tag managers, e-commerce platforms and their plugins, or misconfigured cloud storage and CDNs, or use stolen administrative credentials, to gain write access to JavaScript the site serves or includes.
Can a website be compromised without the owner’s knowledge?
Yes. These attacks are stealthy and often go undetected for weeks or months unless active monitoring is in place, because nothing changes on the server side: pages render correctly, transactions complete, and the only symptom is an extra outbound request from the user's browser.
Does PCI DSS address drive-by web skimming?
Yes. PCI DSS v4.0 introduces requirements that directly address client-side risk: 6.4.3 requires an inventory of all scripts on payment pages, with authorization for each and a mechanism to verify their integrity, and 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and content of payment pages as received by the browser. Both were future-dated in v4.0 and became mandatory on 31 March 2025.