325 Front St W
Toronto, ON M5V 2Y1, Canada
Read our whitepaper to learn:
What is digital skimming
(e-skimming)?
“Skimming malware comes in a variety of flavors that are commonly referred to as skimmers, sniffers, or JavaScript sniffers, all of which are very difficult to detect.”
Who is at risk?
Low Risk
Manufacturing
Energy
Distribution & Transportation
Consulting & Legal Services
Medium Risk
Real Estate
Technology & Cybersecurity
Distribution & Transportation
Education
Entertainment
High Risk
Financial Services & Banking
Insurance
Healthcare & Medical
eCommerce & Retail
Travel & Hospitality
Communication, Social Media &
Content Producers
Cryptocurrency Exchanges
& Blockchain
How do skimming attacks work?
Examples of third-party applications
targeted by attackers include:
- Live chatbots;
- Customer service functions;
- Advertising scripts;
- Marketing forms;
- Marketing tags;
- Open source code libraries; and
- Various other elements loaded by the user’s browser.
During a JavaScript Injection Attack a hacker or malicious user gains website or web application parameters information and can change their values. This allows the threat actor to manipulate the website or application and collect sensitive data, such as PII or payment information.
How do I detect skimming attacks?
Review code and security control configurations to identify potential vulnerabilities and misconfigurations.
Perform security and vulnerability assessments of all scripts and code elements that your websites or web applications load into the browser.
Test web applications for vulnerabilities using assessment tools.
Protect your website by using security control-integrity monitoring, file-integrity monitoring, and change-detection automation systems.
Protect your website by using security control-integrity monitoring, file-integrity monitoring, and change-detection automation systems.
How do I prevent skimming attacks?
Harden and tamper-proof the client-side of your web applications.
Grant data access only to those websites and web applications which absolutely require access to that data.
Carefully restrict access to prevent all unsanctioned scripts and JavaScript libraries from accessing data, to ensure unauthorized access of sensitive data is contained at the browser-level.
Continuously analyze all scripts from the client-side to detect unauthorized activities.
Deploy vulnerability and malware monitoring technologies and processes on the client-side of your web applications.
Implement client-side intrusion prevention policies and procedures to prevent run-time browser-level intrusions in real-time.