E-skimming Attacks and the Reconciliation with Client-side Security
September 19th, 2023 | By | 9 min read
E-skimming attacks are client-side attacks that involve placing code onto a web page to steal sensitive data inputted by users into web forms.
Also referred to as digital skimming, web skimming, data skimming, or Magecart attacks, e-skimming attempts include the theft of many types of information. Most e-skimming attacks today are associated with payment card data.
Organizations and brands with forms on their websites are potential targets of e-skimming attacks, with several concerns that we must address:
These client-side attacks can go undetected for months.
PII, personal data, and payment card information exfiltration are significant threats.
Most e-skimming attacks take several weeks or months to identify.
Organizations that fall victim to these digital skimming attacks tend to be blind to assets originating from outside their security perimeter, including all their client-side web assets, which allows cybercriminals to carry out client-side supply chain attacks.
Client-side security incidents cause significant costs to companies, including regulatory sanctions, legal action, the costs of technical remediation, card scheme penalties, and disruption to their businesses until the incident is resolved and the business is made secure again.
E-skimming attacks, the e-commerce industry, and the overall picture
E-skimming attacks can be highly sophisticated and hard to detect.
E-commerce businesses are often the ones that suffer reputational damage and potential legal liabilities as a result of these attacks.
The shopper types in the cardholder data and presses the submit button. The transaction goes through as usual: the consumer gets their goods or services, and the merchant gets their payment.
The process is transparent to the consumer and the merchant, and the transaction happens regularly. But the data is also exfiltrated to the attacker somewhere on the internet.
How does the attacker get their e-skimming code into the consumer’s page?
Follow the process below:
1. Initial Compromise
Attackers gain initial access to first- or third-party websites through several methods, such as exploiting vulnerabilities in the website's software, deploying malware onto the site, or using stolen (or phished) credentials.
2. E-skimming Code Injection
Malicious e-skimming codes can follow different attack surfaces:
Attackers inject malicious code into the website's payment processing pages, designed to capture customer payment card information, including credit or debit card numbers, CVV2 codes, and other personal details.
In short, the first-party attack involves hacking the merchant’s website and adding the skimming code directly to it.
3. Data Collection and Exfiltration
Data collection occurs when users enter their card details to complete their purchases on compromised payment pages, including checkout pages. The malicious code covertly skims and collects the information, often encrypting it, before being sent to the attacker’s remote server.
Making money from data is why attackers carry out e-skimming attacks. Attackers will sell this information on the dark web to other cybercriminals or use it themselves to make unauthorized, fraudulent transactions for goods that they can easily convert into cash.
Who is the target, and who is the victim of e-skimming?
The skimming process can follow different scenarios, such as:
Exploiting security vulnerabilities in the e-commerce platform;
Gaining access to the victim’s network through a phishing email or brute force of administrative credentials;
Visa's Spring 2023 Biannual Threats Report highlights that digital skimming attacks targeting customer data entered into payment forms on e-commerce checkout pages increased by 174% in the last half of 2022.
What can your business do to protect itself against e-skimming?
To protect your e-commerce business from e-skimming attacks and prevent unauthorized access to users' sensitive data, consider the following security measures:
Regular Security Assessments: Conduct habitual security audits and vulnerability scans to identify and address potential weaknesses in your e-commerce website's code and infrastructure.
Secure Coding Practices: Follow proper coding practices and guidelines to prevent common vulnerabilities that attackers may exploit.
Regular Monitoring: Set up continuous monitoring systems to detect any unusual or unauthorized activities on your website.
Payment Security Standards: The Payment Card Industry Data Security Standard's new version (PCI DSS v4.0) requirements, for instance, help ensure the secure handling of payment card data.
What are the most common signs of e-skimming?
Here are some common signs and alerts online stores should monitor to detect and prevent potential e-skimming incidents:
Detecting skimmer code patterns in website files
Unauthorized changes in payment processing code
Suspicious user behavior during checkout
User complaints, mainly regarding suspicious activity during payment transactions.
Four Predictions by Jscrambler’s security advisor, John Elliott
There will be a disconnect between regulatory opinion and what is practical. Documented risk assessment will be key.
Discover more predictions by John Elliott in his keynote presentation at the 2023 RSA Conference in San Francisco. John is a security advisor at Jscrambler and was one of the contributors to PCI DSS 4.0. His keynote presentation is about “Regulation and Risk When Your Customer’s Browser Leaks Data”.
Jscrambler Webpage Integrity Solution Against e-skimming Attacks
Jscrambler's Webpage Integrity solution identifies all vendors and scripts touching forms and blocks all unauthorized access to sensitive data. Positive outcomes for your business include:
Effective and cost-efficient compliance verification and auditing
Automatically block unauthorized scripts from accessing and transferring data entered into forms.
Get a snapshot of all the scripts on your website, their network requests, and threat insights with our comprehensive website report.
Schedule a meeting with Jscrambler security experts and get your free inventory report.