What is E-skimming?
E-skimming is a type of attack involving the introduction of code onto a web page for the purpose of intercepting sensitive user information as the individual is entering the data into a web form. The type of information stolen in e-skimming attacks includes credit card data, social security numbers, bank account data, and other personally identifiable information (PII). The victims have no way of knowing that their information is being stolen, until that information is used by the hacker, for example, in an unauthorized online purchase.
E-skimming is also sometimes referred to as digital skimming, data skimming or a Magecart attack.
How does e-skimming work?
Criminals introduce e-skimming code onto webpages by:
- Exploiting a known vulnerability on the website’s e-commerce platform.
- Exploiting a flaw present on a company’s payment card processing page.
The skimming code is executed by the user’s browser, where it captures the keystrokes or field values the user enters into the form and sends them to a server under the criminal’s control. The stolen sensitive information is collected by the criminal and then sold on the dark web or used by the criminal to make fraudulent purchases.
Who is the target of e-skimming?
Businesses—Any organization that maintains a website that collects payment information and other types of sensitive user data is at risk of an e-skimming attack. Industries targeted include retail, entertainment, travel, utility companies, and third-party vendors (such as those working in online advertising or web analytics). The cyber criminals may also target user and administrative credentials in addition to financial or credit card information.
Consumers—Consumer PII, credit card data, and financial data are the primary targets of e-skimming. Every year millions of individuals become victims of e-skimming attacks.
What is the impact of an e-skimming attack?
Loss of Sensitive Customer Information—E-skimming attacks can involve the theft of multiple types of customer information, including credit card data and PII.
Profit loss—Previous e-skimming attacks have demonstrated that business profits will be impacted negatively due to reputation damage and loss of customer trust.
Regulatory and Compliance Issues—Government and industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), can expose businesses to lawsuits and fines if their customers are affected by an e-skimming attack.
What can businesses do to protect against e-skimming?
Businesses can reduce the number and impact of e-skimming attacks by following these best practices:
Audit web assets: Inventory your web assets and know the type of data they hold.
Regularly scan the client side: Regularly conduct deep-dive scans into client-side applications and software to reveal intrusions, behavioral anomalies, and unknown threats.
Deploy and maintain Content Security Policies: Generate tailored Content Security Policies and deploy them on your web applications. Then use purpose-built tooling to monitor, manage, version-control, and continuously refine your policies.
Use secure software development practices: Apply software development best practices that aid in the detection and elimination of errors early in the application development process.
Move security to the left: Ensure security is part of the entire software development process—from beginning to end—rather than something that happens only after a web application is built or installed on a system.