What is digital skimming and how does it work?

Digital skimming—also known as e-skimming or online card skimming—occurs when cybercriminals steal credit card information or payment card data from visitors to your online store. Attackers use malicious code injections to skim payment data from input fields on existing payment forms or hijack unsuspecting users to fake checkout pages. Once cybercriminals collect the payment data, they are free to go shopping on the user’s dime or resell the card information on the dark web for use in future carding attacks.

In a digital skimming attack, cybercriminals take advantage of security weaknesses in third-party JavaScript and open source libraries. Digital skimmers inject a piece of malicious code—known as a skimmer—into the third-party scripts on your website that skims credit card or other payment data when it is entered into payment forms.

Digital skimmers often use known vulnerabilities in third-party JavaScript as an opening to gain access to websites and mobile applications. They may also take advantage of misconfigured permissions on Amazon S3 buckets and GitHub repositories or induce insiders to give them access to website source code. Because the main threat comes from the third-, or nth-party scripts and open source libraries, digital skimming is considered a type of website supply chain attack.

To evade detection, digital skimmers use obfuscation techniques to hide the skimmer code and geofence their target website to a country or region. The injected code waits for users to fill out forms with their credit card numbers or other customer data. The information is transmitted directly from the user’s browser/device to a site controlled by the attacker.

Website operators often lack visibility into what happens inside their users’ browsers when their client-side code is changed. And because skimmers usually do not change the functionality of the site, users frequently remain unaware that their data is being stolen. It is common for digital skimming attacks to go undetected for quite some time.

Magecart is a style of digital skimming attack that centers on e-commerce. The name “Magecart” originally referred to hacker groups that targeted e-commerce sites on the Magento platform, though Magecart attacks have spread far beyond Magento since then. Magecart hackers inject a skimmer into checkout pages or modify paths to checkout pages to skim sensitive information.

Perhaps the most notable Magecart attack victim was British Airways. Attackers modified existing JavaScript to skim customer payment information, unbeknownst to the users or British Airways. When the attack was discovered, it resulted in a £183m GDPR fine, which was reduced to £20m.

Digital skimming can severely damage reputation and consumer trust. Users often stop engaging with a business that exposes their sensitive data to bad actors, and prospective consumers may see bad press and choose to shop elsewhere. In fact, 56% of consumers say they won’t shop on a site that compromised their data. Reputation damage can negatively impact revenue, stock value, and growth.

Furthermore, digital skimming can open your business to regulatory fines. Many countries and states have passed data privacy legislation — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — which impose fines on businesses that fail to protect user data.

Traditional ecommerce security tactics like web application firewalls (WAFs) are not enough to protect the client-side against digital skimming attacks. Some companies are placing their bets on static scanning of their site, not realizing the dynamic nature of skimmer code. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration/continuous deployment cycles.

Content security policies (CSP) are also the first resort for many web application security professionals. CSPs were originally used for protection against cross-site scripting and alone don’t provide any protection against the use of a compromised trusted domain to inject a skimmer on the website. Furthermore, CSPs are difficult to manage because they require a lot of tuning.

Continuous monitoring, combined with CSP and Client Side Mitigation (CSM) granular JavaScript blocking, is a more modern client-side application security solution. This automatically identifies vulnerable code and anomalous behavior, and applies across-the-board access controls or granular rules to prevent data exposure and exfiltration.

HUMAN Client-Side Defense stops client-side data breaches on your website using advanced behavioral analysis, CSM, and CSP. It provides you full visibility and control over scripts running on the client-side and identifies any suspicious changes, preventing compromised JavaScript from skimming your users’ data. Every user’s execution of every script is monitored to detect and stop digital skimming and other data exfiltration attempts.

By leveraging real-time, behavior-based analysis and machine learning models, Client-Side Defense provides full visibility and control over first-, third- and nth-party scripts running on the client-side. The solution detects and mitigates unauthorized PII access, data exfiltration events, and known script vulnerabilities to prevent digital skimming.

What is magecart? | Attack types & prevention

Supply chain attacks | What they are & how to prevent them

What is formjacking and how to prevent it

What is personally identifiable information (PII) harvesting?

What is PCI DSS compliance? | Requirements & how to comply