Attacks and Threats

What is Payment Skimming?

Payment skimming or e-skimming is a digital attack method used by financially motivated threat actors to capture payment information and personally identifiable information (PII) from credit card holders. Hackers use a variety of malicious tools to take advantage of website or web application vulnerabilities to collect information for financial gain.

What is payment skimming?

Payment skimming is also called e-skimming, digital skimming, or Magecart attacks.

What are some other names for payment skimming?

Payment skimming is also known as e-skimming, payment card skimming, digital skimming, formjacking, or Magecart attacks.

How does payment card skimming work?

Payment skimming begins with the introduction of malicious code or malware onto a web page used to collect payment information. Threat actors design the malicious code purposely to intercept payment card and other sensitive information as the user enters the data into the online form.

Malicious code can be inserted into the web page or web application several ways:

  • Threat actors exploit a known vulnerability on the website’s e-commerce platform.
  • Threat actors exploit a flaw in the JavaScript code present on the payment card processing page.
  • Malicious code is pulled from a third- or fourth-party library (usually JavaScript) and then installed on the site.

The user’s browser then executes the skimming function, allowing it to steal sensitive information by recording the keystrokes the user types into the form fields. A command and control server receives the exfiltrated data, which is then typically sold on the dark web. 

How easy is it for criminals to introduce payment skimming malware onto webpages?

Because e-commerce websites are made up of hundreds of thousands and sometimes millions of lines of code, it is fairly easy for criminals to hide malicious scripts. Many websites sites also employ plug-ins, extensions, widgets, and other pieces of software to enhance the user experience. This software is often written in JavaScript, which is not designed with security in mind, making it easy to infiltrate the plug-in, extension, or widget and inject malicious skimming code.

What types of data are stolen in payment skimming attacks?

The type of data stolen by threat actors in payment skimming attacks include any information entered into the form—most commonly credit card information or bank account data. However, threat actors will also steal personally identifiable information (PII), such as addresses and social security numbers if available. 

How can victims tell if their credit card information is being stolen?

Victims of payment card skimming attacks have no way of knowing that threat actors have infiltrated the web page and are stealing their credit card or banking information, until that information is used by the hacker, for example, in an unauthorized online purchase.

Who is the target of payment skimming?

Organizations—Payment skimming isn’t limited to retail and e-commerce. Any organization that maintains a website that collects payment information and other types of sensitive user data is at risk of an e-skimming attack. This includes healthcare sites that accept payment for services, hotels, airlines, entertainment, utility companies, and financial institutions, and third-party vendors (such as those working in online advertising or web analytics). 

Consumers—Consumer PII, credit card, and financial data is the primary target of e-skimming. Every year millions of individuals become victims of e-skimming attacks. 

What is the impact of a payment skimming attack?

Data Breaches and Loss of Sensitive Customer Information—Payment skimming attacks involve the theft of multiple types of information, including credit card data and PII. 

Profit loss—Business profits are often negatively impacted due to reputation damage and loss of customer trust.

Regulatory and Compliance Issues—Government and industry regulations, such as the General Data Protection Regulations (GDPR) or Payment Card Industry Data Security Standards (PCI DSS) may institute fines or legal challenges should an organization be affected by an e-skimming attack.

What can businesses do to protect against skimming?

Businesses can improve payment skimming cybersecurity and reduce the number and impact of e-skimming attacks by following these best practices:

Audit web assets: Inventory and track your web assets. Know what data is contained in them and who has access. 

Use client-side attack surface management: Regularly conduct deep-dive scans into client-side applications using automated tools with synthetic users, to reveal intrusions, behavioral anomalies, and unknown threats.

Use an advanced, automated Content Security Policy tool: An automated CSP can help businesses control their client-side attack surface by deploying and managing Content Security Policies on their web applications. Advanced automated CSP tools identify all your first- and third-party scripts, your digital assets, and the data they can access. The tool then generates appropriate Content Security Policies based on scanned data and anticipated effectiveness. Businesses can fine tune their CSPs at the domain level for easy management, version control, and reporting.

Maintain safe JavaScript libraries: Confirm the security of any JavaScript libraries by making sure they’re not on any blocklists. Regularly patch and update your libraries and avoid any dependence on third-party library sources.

Be selective with third- and fourth-party scripts: Third- and fourth-party scripts can contain vulnerabilities or intentional malicious content. Be sure to work with only known and reputable sources for third- and fourth-party code.

Use secure software development practices: Apply software development best practices that aid in the detection and elimination of errors early in the application development process.

Learn more about skimming attacks

You can read more about skimming and client-side security in our new e-book The Ultimate Guide to Client-Side Security.

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.