Silent Skimming vs Double-Entry Attacks
July 22nd, 2025 | By Jscrambler | 5 min read
by Pedro Marrucho and David Alves, with contributions by Tom Vicary
Client-side attacks against e-commerce aren’t going away; they are evolving. Threat actors constantly change their methods, shifting from one exploitation technique to another as they assess what works and what slips past current defenses. Silent skimming and double-entry attacks are two methods that take distinct approaches to stealing payment data.
Silent Skimming Attacks
In a silent skimming attack, the threat actor’s primary goal is to run the operation entirely under the radar. The code is written to avoid disrupting the regular payment flow: no extra prompts, error messages, or drastic visual changes. Both the user and the merchant see a successful purchase, and because the user is asked to enter their data only once, there is no noise, so the attack can go undetected for long periods.
The lack of visible clues for the user and the absence of a decline in sales are what make silent skimming especially effective, unless you’re monitoring which scripts the website loads in the browser, tracking changes to script content, or monitoring website communications.
Double-Entry Attacks
In a double-entry attack, attackers employ deception rather than stealth. A fake payment form is injected or overlaid onto the page, tricking users into entering their card details before the real form appears. After submitting the fake form, the user sees an error message or simulated glitch indicating an issue with the transaction and is then shown the legitimate form, prompting them to re-enter their details.
This tactic often gets caught faster than silent skimming because the duplicate entry process raises red flags, and users may report the unusual behavior.
Example:
In early 2025, Casio UK was hit by a double-entry skimmer. The attacker hijacked the cart page’s checkout button, displayed a fake multi-step payment pop-up, and stole the card details before redirecting the user to the actual checkout page.
Different Attacks, Same Defenses
Generic web security controls won’t catch skimming. To deal with real-world skimming attacks, you need defenses that pay attention to what’s happening, what scripts are running, how the DOM changes, and where data is going. These are some of the controls that can be applied:
JavaScript Monitoring at Runtime
Flag new or modified scripts in production.
Detect scripts accessing sensitive fields or intercepting form data.
Catch exfiltration attempts to unfamiliar domains.
Subresource Integrity (SRI) + CSP
Use SRI to pin third-party scripts.
Use CSP to restrict script sources and outbound connections.
Block inline scripts where feasible.
Form/Iframe Protection
Detect overlays, duplicate fields, or injected submit listeners.
Validate front-end consistency against the expected UI.
Script Inventory and Authorization
Maintain an up-to-date inventory of every script loaded.
Explicitly authorize each script based on its behavior.
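As an added illustration (not Jscrambler's code and not part of the original article), the Node.js example below audits one page-load snapshot against a script inventory: it flags scripts that are new or whose content no longer matches the approved SRI hash, and requests to hosts outside an allowlist. The snapshot format, the function names, and the `.example` hosts are assumptions made for the example.

```javascript
const { createHash } = require('node:crypto');

// SRI-style digest of a script body (same format as an integrity="" attribute).
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// inventory:    Map of script URL -> approved SRI hash
// allowedHosts: Set of hosts the page is expected to talk to
// snapshot:     { scripts: [{ url, body }], requests: [url, ...] } (assumed format)
function auditSnapshot(inventory, allowedHosts, snapshot) {
  const findings = [];
  for (const { url, body } of snapshot.scripts) {
    const approved = inventory.get(url);
    if (approved === undefined) findings.push({ type: 'new-script', url });
    else if (approved !== sriHash(body)) findings.push({ type: 'modified-script', url });
  }
  for (const requestUrl of snapshot.requests) {
    let host;
    try {
      host = new URL(requestUrl).hostname;
    } catch {
      // A destination that cannot be parsed is reported rather than ignored.
      findings.push({ type: 'unparseable-request', url: requestUrl });
      continue;
    }
    if (!allowedHosts.has(host)) findings.push({ type: 'unknown-destination', url: requestUrl, host });
  }
  return findings;
}

// Constructed sample data; every host below is a placeholder.
const approvedBody = 'function pay(){/* approved checkout code */}';
const inventory = new Map([
  ['https://shop.example/js/checkout.js', sriHash(approvedBody)],
]);
const allowedHosts = new Set(['shop.example', 'psp.example']);
const snapshot = {
  scripts: [
    { url: 'https://shop.example/js/checkout.js', body: approvedBody + ';/* changed */' },
    { url: 'https://cdn.example/widget.js', body: 'void 0' },
  ],
  requests: ['https://psp.example/charge', 'https://unlisted.example/c?d=1'],
};
const sampleFindings = auditSnapshot(inventory, allowedHosts, snapshot);
console.log(sampleFindings);
```

Neither attack type changes the check: a silent skimmer and a double-entry overlay both show up as a new or modified script, or as a request to a host that is not on the allowlist.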
Silent Skimming vs Double-Entry Attacks: Make Sure You’re the Winner
Silent skimming and double-entry tactics underscore the evolving and pervasive nature of skimming attacks. While their techniques differ – one operating stealthily, the other using deception to harvest data in plain sight – their objective is the same: to compromise sensitive data by exploiting vulnerabilities in the digital payment ecosystem. Their tactics may differ, but so do the measures used to prevent them.
Defending against these cyber threats requires a unified strategy that reinforces user access, data confidentiality, data collection, data transmission, and web code security. And as these attacks continue to evolve, so must your defenses.
