Web Security

E-skimming Attacks and the Reconciliation with Client-side Security

September 19th, 2023 | By | 9 min read

E-skimming attacks are client-side attacks that involve placing code onto a web page to steal sensitive data inputted by users into web forms.

Also referred to as digital skimming, web skimming, data skimming, or Magecart attacks, e-skimming attempts include the theft of many types of information. Most e-skimming attacks today are associated with payment card data.

Organizations and brands with forms on their websites are potential targets of e-skimming attacks, with several concerns that we must address:

  1. These client-side attacks can go undetected for months.

  2. PII, personal data, and payment card information exfiltration are significant threats.

Most e-skimming attacks take several weeks or months to identify.

Organizations that are victims of these digital skimming attacks tend to be blind to assets originating from outside of their security perimeter, including all their client-side web assets, allowing cybercriminals to exploit client-side supply chain attacks.

Client-side security incidents cause significant costs to companies, including regulatory sanctions, legal action, the costs of technical remediation, card scheme penalties, and disruption to their businesses until the incident is resolved and the business is made secure again.

E-skimming attacks, the e-commerce industry, and the overall picture

E-skimming attacks can be highly sophisticated and hard to detect.

E-commerce businesses are often the ones that suffer reputational damage and potential legal liabilities as a result of these attacks.

Generally, the attacker must get some criminal JavaScript onto the consumer’s browser. When the payment form is displayed, the attacker has already compromised it. The criminal’s Javascript can skim all the form fields.

The shopper types in the cardholder data and presses the submit button. The transaction goes through as usual: the consumer gets their goods or services, and the merchant gets their payment.

The process is transparent to the consumer and the merchant, and the transaction happens regularly. But the data is also exfiltrated to the attacker somewhere on the internet.

How does the attacker get their e-skimming code into the consumer’s page?

Follow the process below:

1. Initial Compromise

Attackers gain initial access to first- or third-party websites through several methods, such as exploiting vulnerabilities in the website's software, deploying malware onto the site, or using stolen (or phished) credentials.

2. E-skimming Code Injection

Malicious e-skimming codes can follow different attack surfaces:

  • First-party.

Attackers inject malicious code into the website's payment processing pages, designed to capture customer payment card information, including credit or debit card numbers, CVV2 codes, and other personal details.

Shortly, the first-party attack involves hacking the merchant’s website and adding their skimming code.

  • Third-party.

The attackers target a different entity that provides JavaScript to the merchant's web pages.

These JavaScript supply chain attacks are on the rise because security teams cannot keep track of all the third-party scripts included in their websites. Attackers exploit this lack of visibility to introduce malicious code into the supply chain that their web page relies on.

In other words, the skimming code is inserted in third-party JavaScript and loaded from the third-party provider into the consumer's browser.

3. Data Collection and Exfiltration

Data collection occurs when users enter their card details to complete their purchases on compromised payment pages, including checkout pages. The malicious code covertly skims and collects the information, often encrypting it, before being sent to the attacker’s remote server.

4. Monetization

Making money from data is why attackers carry out e-skimming attacks. Attackers will sell this information on the dark web to other cybercriminals or use it themselves to make unauthorized, fraudulent transactions for goods that they can easily convert into cash.

Who is the target, and who is the victim of e-skimming?

The target of e-skimming is the merchant or a third-party JavaScript provider. The victim of e-skimming is the online shopper. Why?

Because the skimming code process includes different scenarios, such as:

  • Exploiting security vulnerabilities in the e-commerce platform;  

  • Gaining access to the victim’s network through a phishing email or brute force of administrative credentials;

  • Compromising third-party entities and supply chains, which may happen through hidden skimming code in JavaScript. The third-party service loads the skimming code onto the victim's website.

Visa's Spring 2023 Biannual Threats Report highlights that digital skimming attacks targeting customer data entered into payment forms on e-commerce checkout pages increased by 174% in the last half of 2022.

What can your business do to protect itself against e-skimming?

To protect your e-commerce business from e-skimming attacks and prevent unauthorized access to user's sensitive data, consider the following security measures:

  • Regular Security Assessments: Conduct habitual security audits and vulnerability scans to identify and address potential weaknesses in your e-commerce website's code and infrastructure.

  • Secure Coding Practices: Follow proper coding practices and guidelines to prevent common vulnerabilities that attackers may exploit.

  • Regular Monitoring: Set up continuous monitoring systems to detect any unusual or unauthorized activities on your website.

  • Payment Security Standards: The Payment Card Industry Data Security Standard's new version (PCI DSS v4.0) requirements, for instance, help ensure the secure handling of payment card data. 

  • Third-Party Risk Management: Vet and monitor the security practices of third-parties, vendors, scripts, and partners interacting with your website. Be selective about which third-party providers you authorize to provide JavaScript that runs on your web pages, especially where sensitive data is collected.

What are the most common signs of e-skimming?

Here are some common signs and alerts online stores should monitor to detect and prevent potential e-skimming incidents:

  • Changes in JavaScript code and files

  • Detecting skimmer code patterns in website files 

  • Unauthorized changes in payment processing code

  • Suspicious user behavior during checkout

  • User complaints. These alerts might be mainly regarding suspicious activities during payment transactions.

Four Predictions by Jscrambler’s security advisor, John Elliott

Prediction 1

Hostile threat actors will use JavaScript skimming techniques to exfiltrate more than just cardholder data. 

Prediction 2

Managing the risk associated with JavaScript that executes in your customers’ browsers will become a regulatory requirement. Soon it will become what regulators consider an “appropriate” or “reasonable” thing to do.

Prediction 3

Managing JavaScript will be painful for many organizations.

Prediction 4

There will be a disconnect between regulatory opinion and what is practical. Documented risk assessment will be key.

Discover more predictions by John Elliott in his keynote presentation at the RSA Conference in San Francisco. John is a security advisor at Jscrambler and was one of the contributors to PCI DSS 4.0. His keynote presentation is about “Regulation and Risk When Your Customer’s Browser Leaks Data”.

Jscrambler Webpage Integrity Solution Against e-skimming Attacks

Jscrambler's Webpage Integrity solution identifies all vendors and scripts touching forms and blocks all unauthorized access to sensitive data. Positive outcomes for your business include:

  • Minimize exposure to external JavaScript code.

  • Effective and cost-efficient compliance verification and auditing

  • Automatically block unauthorized scripts from accessing and transferring data entered into forms.

Get a snapshot of all the scripts on your website, their network requests, and threat insights with our comprehensive website report.

Schedule a meeting with Jscrambler security experts and get your free inventory report.


The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.

View All Articles

Must read next


Defcon Skimming: A new batch of Web Skimming attacks

Jscrambler's team explores new findings about a new modus operandi in three threat groups.

December 5, 2022 | By Jscrambler | 11 min read

PCI DSS Web Security

Preventing Skimming Attacks and Enabling PCI DSS Compliance

E-commerce skimming = the majority of attacks against payment card data. The newest version of PCI DSS contains requirements aimed at preventing attacks.

June 21, 2022 | By John Elliott | 5 min read

Section Divider

Subscribe to Our Newsletter