What is E-Skimming?
Also known as digital skimming, web skimming, online skimming, formjacking malware, or a magecart attack, e-skimming is a major cybersecurity concern for financial institutions and their vendors, including retailers, plus any other company that processes payment information on their behalf, such as an entertainment or travel company.
E-skimmers drive customers to a fraudster-controlled domain that looks and feels like a legitimate checkout page, and then steal data during a purchase. The impact of an e-skimming attack includes the breach of sensitive customer information, loss of profits due to a drop in customer trust, and issues with regulatory and privacy compliance that may affect your organization’s ability to do business.
A digital version of shimmers and skimmers, e-skimmers are lines of malicious code that a threat actor injects into a website, which steals data from HTML fields, including credit card data and other credentials.
How Does the E-Skimming Process Work on a Retail Website?
While attacks targeting ATMs have been around for virtually as long as the ATMs themselves, security awareness and the capabilities of technology have led to an evolution of these attacks from being predominantly physical to increasingly digital in nature. The COVID pandemic—coupled with a steady shift from in-store and card present (CP) transactions, to online and card-not-present (CNP) transactions—has also required cybercriminals to change their tactics.
Financial institutions, retailers, and ATM manufacturers have found ways to protect their assets against traditional physical attacks. While threat actors are still interested in stealthy skimmers and shimmers—small, physical devices that threat actors insert onto and into ATM card slots to swipe payment card data and PIN codes—many are moving away from cash transactions and onto e-skimming.
How E-Skimming Code is Introduced
Malicious e-skimming code can be introduced in several ways:
- Through the exploitation of a vulnerability in an ecommerce website’s payment platform
- By using phishing emails to enter a victim’s network, or a brute-force attack on administrative credentials
- By attacking a third party or supply chain entity and hiding skimming code in the JavaScript that the third party loads onto the victim’s site
- Through cross-site scripting that discreetly redirects victims to a malicious domain that can capture their PII during payment processing
Creating a Response Plan in the Event of an E-Skimming Attack
Where there is payment information, there is the potential for an e-skimming attack, and threat actors are always on the lookout for organizations with vulnerabilities that they can target.
E-Skimming Detection
Your security team should look for several warning signs that your company may be under attack, including:
- Multiple customer complaints of fraudulent activity that is being traced back to purchases from your site
- Edits to your JavaScript code that may indicate an unauthorized party has been tampering with it
- Identification of a new domain that is not registered by your organization, which signals that customers are potentially being redirected to a malicious site
E-Skimming Response
If your organization falls victim to an e-skimming attack, it is important to have a plan in place that lets your security teams act swiftly and stop further damage.
- Identify the source of the skimming code and use this information to determine its access point (third-party, network, etc.)
- Save a copy of the malicious code or domain to give to law enforcement
- Change credentials that may have been stolen and exploited during the attack
- Report the attack to law enforcement and the IC3 for documentation
Minimizing Your Risk
There are steps your organization can take to prevent e-skimming attacks and protect customers from their impact. The following best practices should be put in place to keep your data and infrastructure secure.
- Regularly update payment software and promptly install patches from payment vendors that address potential security vulnerabilities
- Implement code integrity checks that alert you if system files have signs of corruption or malware
- Use and update antivirus software
- Continuously monitor and confirm that you are Payment Card Industry Data Security Standard (PCI DSS) compliant
- Prioritize a strong threat intelligence program that alerts you if your organization is mentioned within illicit communities
Protect Your Organization and Customers from Digital Fraud
Flashpoint’s Card Fraud solutions equip security teams with the tools, dashboards, alerts, and actionable intelligence they need to proactively identify threats, prevent card fraud, and take action to combat exposure to risk.
Frequently Asked Questions (FAQs)
What is e-skimming and how does Flashpoint Ignite help detect it?
E-skimming is a digital attack within Flashpoint Ignite’s monitoring scope where malicious code is used to steal payment data from e-commerce sites. Flashpoint Ignite helps detect it by monitoring illicit “card shops” on the dark web for your organization’s specific data. When stolen cards from your site are listed for sale, Flashpoint provides an early warning, allowing your security team to identify and remove the malicious script before more customers are affected.
| Flashpoint Capability | Retail Security Benefit |
| --- | --- |
| Card Fraud Monitoring | Alerts you when cards from your domain appear on dark web marketplaces. |
| Magecart Intelligence | Tracks the specific TTPs and infrastructure used by digital skimming groups. |
| Vulnerability Alerts | Notifies you of flaws in e-commerce platforms that e-skimmers commonly target. |
How does Flashpoint help prevent Magecart supply chain attacks?
Flashpoint helps prevent Magecart supply chain attacks by providing visibility into the vulnerabilities of third-party plugins and libraries. Since e-skimmers often target the vendors you use for analytics or ads, Flashpoint’s VulnDB identifies risks in your supply chain that traditional scanners might miss. By monitoring threat actor forums, Flashpoint also reveals which third-party tools are currently being targeted for injection by Magecart affiliates.
- Third-Party Risk: Identifies exploited flaws in the scripts your website loads from other vendors.
- Actor Monitoring: Tracks the conversations of criminal groups planning new skimming campaigns.
- IOC Delivery: Provides malicious IP addresses and domains used to host e-skimming scripts.
Why is Flashpoint’s Fraud Intelligence vital for e-commerce protection?
Flashpoint’s Fraud Intelligence is vital for e-commerce protection because it bridges the gap between a technical breach and the sale of stolen data. Traditional security tools might miss a small piece of malicious code, but Flashpoint sees the result of that code on the dark web. By identifying “dumps” of stolen payment info, Flashpoint allows retailers to perform a “Common Point of Purchase” (CPP) analysis to prove a breach occurred and stop the financial bleed immediately.
| Detection Method | Security Outcome |
| --- | --- |
| Code Review | Finds the malicious script hidden on your checkout page. |
| Dark Web Monitoring | Confirms that your customer data is being sold in illicit markets. |
| Threat Intelligence | Understands the motives and methods of the specific group attacking you. |

