What is E-Skimming? Detecting and Defending Against Digital Fraud

Skimming goes digital

While attacks targeting ATMs have been around for virtually as long as the ATMs themselves, security awareness and the capabilities of technology have led to an evolution of these attacks from being predominantly physical to increasingly digital in nature. The COVID pandemic—coupled with a steady shift from in-store and card present (CP) transactions, to online and card-not-present (CNP) transactions—has also required cybercriminals to change their tactics. 

Financial institutions, retailers, and ATM manufacturers have found ways to protect their assets against traditional physical attacks. While threat actors are still interested in stealthy skimmers and shimmers—small, physical devices that threat actors insert onto and into ATM card slots to swipe payment card data and PIN codes—many are moving away from cash transactions and onto e-skimming. 

What is e-skimming?

Also known as digital skimming, web skimming, online skimming, formjacking malware, or a magecart attack, e-skimming is a major cybersecurity concern for financial institutions and their vendors, including retailers, plus any other company that processes payment information on their behalf, such as an entertainment or travel company. 

E-skimmers drive customers to a domain controlled by a fraudster that looks and feels like a legitimate checkout page, and then utilize e-skimming to steal data during a purchase. The impact of an e-skimming attack includes the breach of sensitive customer information, loss of profits due to a drop in customer trust, and issues with regulator and privacy compliance that may affect your organization’s ability to do business.

A digital version of shimmers and skimmers, e-skimmers are lines of malicious code that a threat actor injects into a website, which steals data from HTML fields, including credit card data and other credentials. 

How e-skimming code is introduced

Malicious e-skimming code can be introduced in several ways:

• Through the exploitation of a vulnerability in an ecommerce website’s payment platform

• By using phishing emails to enter a victim’s network or a brute force attack of administrative credentials 

• Attacking a third-party or supply chain entity and hiding skimming code in the JavaScript that is loaded by the third-party onto the victim’s site 

• Cross-site scripting to discreetly redirect victims to a malicious domain that can capture their PII during payment processing

Recommended reading: ‘Inside Magecart’ Exposes the Operation Behind the Web’s Biggest E-Commerce Scourge

Creating a plan of action in the event of an e-skimming attack

Where there is payment information, there is the potential for an e-skimming attack, and threat actors are always on the lookout for organizations with vulnerabilities that they can target. 

E-Skimming Detection

There are several warning signs that your company may be getting attacked that your security team should look for, including:

• Multiple customer complaints of fraudulent activity that is being traced back to purchases from your site

• Edits to your JavaScript code that may indicate an unauthorized party has been tampering with it

• Identification of a new domain that is not registered by your organization, which signals that customers are potentially being redirected to a malicious site

E-Skimming Response

If your organization falls victim to an e-skimming attack, it is important to have a plan in place that lets your security teams take action swiftly and stop it from furthering its damage. 

• Identify the source of the skimming code and use this information to determine its access point (third-party, network, etc.)

• Save a copy of the malicious code or domain to give to law enforcement

• Change credentials that may have been stolen and exploited during the attack

• Report the attack to law enforcement and the IC3 for documentation 

Minimizing your risk

There are steps your organization can take to prevent e-skimming attacks and protect customers from their impact. The following best practices should be put in place to keep your data and infrastructure secure.

• Regularly update payment software and promptly install patches from payment vendors that address potential security vulnerabilities

• Implement code integrity checks that alert you if system files have signs of corruption or malware

• Use and update antivirus software 

• Continuously monitor and confirm that you are Payment Card Industry Data Security Standard (PCI DSS) compliant

• Prioritize a strong threat intelligence program that alerts you if your organization is mentioned within illicit communities

Protect your organization and customers from digital fraud 

Flashpoint’s Card Fraud solutions equip security teams with the tools, dashboards, alerts, and actionable intelligence they need to proactively identify threats, prevent card fraud, and take action to combat exposure to risk. Sign up for a free trial today.