Ensuring compliance with PCI DSS 6.4.3 and 11.6.1 - Learn more

Web Skimming Attacks: Understanding and Preventing E-Skimming Threats

Learn about web skimming (e-skimming) attacks, how they work, and effective prevention strategies. Discover how to protect your e-commerce site from Magecart-style attacks and safeguard customer payment information.

Web Skimming Attacks: The Hidden Threat to Online Security

Web skimming has emerged as one of the most concerning cybersecurity threats in recent years, particularly for businesses conducting online transactions. This sophisticated attack method silently steals sensitive customer information without either the user or website owner noticing. Before you make your next online purchase, understanding this threat could help protect your personal information.

What Is Web Skimming?

Web skimming, also known as e-skimming, formjacking, or Magecart attacks, is a type of cybercrime that involves injecting malicious code into legitimate websites to steal sensitive information entered by users. The primary targets are typically e-commerce platforms where payment information is processed.

The term “Magecart” originated as a combination of “Magento” (a popular e-commerce platform) and “shopping cart,” reflecting its initial targeting of Magento-based websites. Though it began by targeting specific platforms, the term has now evolved to describe the broader attack method regardless of the targeted system.

Unlike many other cyberattacks that operate on the server side, web skimming is a client-side attack, meaning the malicious code executes in the user’s browser rather than on the website’s server. This characteristic makes it particularly difficult to detect using traditional security measures.

Key Characteristics of Web Skimming

Web skimming attacks have several distinctive features that set them apart from other cyberattacks:

  • The malicious code runs on the client side (user’s browser)
  • The attack targets form fields where sensitive data is entered
  • It operates stealthily without altering the website’s appearance or functionality
  • The attack often remains undetected for extended periods

How Web Skimming Attacks Work

Understanding the mechanics of web skimming can help website owners and users recognize potential vulnerabilities. These attacks typically follow a specific pattern.

Step 1: Gaining Access

Attackers first identify vulnerable websites, particularly those processing financial transactions. They gain access through various methods:

  • Exploiting vulnerabilities in content management systems or e-commerce platforms
  • Compromising third-party scripts and services integrated into the website
  • Using stolen credentials, often from developers who accidentally expose them in code repositories
  • Leveraging supply chain attacks by compromising trusted third-party vendors

Step 2: Injecting Malicious Code

Once they’ve gained access, attackers inject malicious JavaScript code into the website. This code is typically:

  • Highly obfuscated to avoid detection
  • Designed to blend seamlessly with legitimate website code
  • Strategically placed on payment pages or checkout forms
  • Set up to activate only when users reach payment screens

Step 3: Capturing Sensitive Information

The injected code silently monitors user input on the affected website, specifically targeting:

  • Credit card numbers, expiration dates, and security codes
  • Names, addresses, and phone numbers
  • Login credentials
  • Social security numbers and other personal identifiable information

Step 4: Data Exfiltration

Finally, the stolen information is transmitted to servers controlled by the attackers, usually through disguised methods such as embedding the data in URL parameters or image requests. From there, criminals can use the information for fraudulent purchases or sell it on the dark web.

Notable Web Skimming Attacks

Several high-profile web skimming attacks have made headlines in recent years, demonstrating the significant threat these attacks pose to businesses and consumers alike.

British Airways (2018)

In one of the most notorious Magecart attacks, hackers compromised the British Airways website and mobile app, stealing payment details from approximately 380,000 customers. The attack resulted in a £20 million fine from the UK Information Commissioner’s Office (ICO) and significant reputational damage.

Ticketmaster (2018)

Ticketmaster fell victim to a supply chain attack when a third-party customer support product they used was compromised. The attack affected approximately 40,000 customers who had their payment information stolen, highlighting the risks of third-party integrations.

Other Major Incidents

Other significant victims of web skimming attacks include:

  • Newegg, a major electronics retailer
  • Macy’s department store
  • InfoWars website
  • Numerous smaller e-commerce businesses affected through compromised third-party services

Prevention and Protection Measures

While completely preventing web skimming attacks is challenging, several approaches can significantly reduce the risk.

For Website Owners

Website owners and operators can take these protective measures:

  1. Keep all software up to date: Regularly update your content management system, plugins, and third-party software to patch known vulnerabilities.
  2. Implement Content Security Policy (CSP): This security feature allows you to specify which sources of content are authorized to execute on your website, helping prevent unauthorized script execution.
  3. Use Subresource Integrity (SRI): This mechanism verifies that resources delivered by third-party servers have not been tampered with by including cryptographic hashes in script tags.
  4. Deploy Web Application Firewalls (WAFs): These can help detect and block suspicious traffic and behavior.
  5. Monitor website regularly: Implement continuous monitoring for unauthorized changes to your website’s code or unusual traffic patterns. PylonSec offers comprehensive solutions to help you with this - Contact us to see how we can help you.
  6. Minimize third-party dependencies: Reduce reliance on external scripts, especially on critical pages like checkout forms.
  7. Implement strict access controls: Limit administrative access and use multi-factor authentication for all privileged accounts.
  8. Regular security audits: Conduct periodic security assessments to identify and address vulnerabilities.

For Consumers

Consumers can also take steps to protect themselves:

  1. Use secure payment methods: Prefer credit cards with strong fraud protection policies for online purchases
  2. Monitor financial statements: Regularly check your bank and credit card statements for unauthorized transactions
  3. Consider virtual credit cards: Use virtual credit cards with spending limits for online shopping
  4. Keep software updated: Ensure your browser and security software are always up to date
  5. Verify website security: Look for HTTPS and valid SSL certificates before entering payment information
  6. Use password managers: Generate and store unique, strong passwords for each online account

Conclusion

Web skimming represents a significant and evolving threat in today’s digital landscape, particularly as online shopping continues to grow. The stealthy nature of these attacks makes them particularly dangerous, as they can operate undetected for months while harvesting sensitive customer information.

For businesses, implementing robust security measures and maintaining vigilance through regular monitoring is essential. For consumers, awareness of the threat and cautious online shopping habits can help reduce the risk of becoming a victim. As web skimming techniques continue to evolve, staying informed about the latest security practices remains the best defense.

Remember: Security is a shared responsibility between website owners and users. By working together and implementing these protective measures, we can significantly reduce the risk of falling victim to web skimming attacks.