As the digital landscape continues to evolve, so too do the threats that target it. One of the most persistent and dangerous cyber threats facing eCommerce businesses today is eSkimming. While traditional skimming—such as stealing card information from gas station pumps or ATMs—has been around for years, eSkimming is its digital counterpart, and it’s becoming increasingly sophisticated.
In this blog post, we’ll explore what eSkimming is, how it has evolved, why it’s so dangerous, and what businesses can do to protect themselves.
What is eSkimming?
At its core, eSkimming is the act of stealing credit card and personal data during online transactions. Hackers inject malicious code into eCommerce websites—often within the payment or checkout page. Once there, this code silently captures customers’ payment details as they enter them, sending the stolen data to remote servers controlled by cybercriminals.
This process typically goes unnoticed by both the merchant and the customer. The purchase appears to go through without a hitch, while the customer’s data is quietly siphoned away for use in fraudulent transactions or resale on the dark web. Scary Right?
The Evolution of eSkimming
Originally, eSkimming attacks were relatively straightforward. Cybercriminals would exploit vulnerabilities in outdated plugins or software on a merchant’s website to insert malicious JavaScript. But as cybersecurity efforts have improved, so have the tactics of attackers.
Here are a few ways eSkimming has evolved:
- Supply Chain Attacks
Hackers have learned that attacking third-party vendors—such as chat support tools, analytics platforms, or payment plugins—is often easier than targeting individual retailers. By compromising a widely used plugin or service, they can impact thousands of websites in one fell swoop. One infamous example was the breach of British Airways in 2018, where Magecart hackers inserted malicious code through a third-party script, affecting over 380,000 customers.
- Advanced Obfuscation
Modern eSkimming code is designed to evade detection. Attackers now obfuscate the code (making it unreadable) or use techniques that load it dynamically so it only appears under specific conditions. Some scripts even delete themselves after execution to reduce the chance of being discovered.
- Targeting Headless and SPA Frameworks
As businesses shift to headless commerce and single-page applications (SPAs) using frameworks like React or Angular, attackers are adapting their techniques. They now exploit weaknesses in API calls and inject code that can skim information even in non-traditional checkout flows.
Why eSkimming is So Dangerous
The danger of eSkimming lies in its stealth and scalability. Unlike ransomware, which loudly locks a system and demands a payment, eSkimming operates quietly and often undetected for months. This means a business can unknowingly expose thousands—or even millions—of customers to identity theft before the problem is caught.
Other reasons it’s particularly dangerous include:
- Reputational Damage: Customers who fall victim to data theft may never return, and news of a breach spreads fast.
- Compliance Violations: eSkimming can expose businesses in violation of PCI DSS (Payment Card Industry Data Security Standard) requirements, leading to even more fines and additional scrutiny. This scrutiny can lead to a cancelled merchant account and make getting a new one very difficult.
- Legal and Financial Consequences: Affected parties(consumers and card issuing banks included) may pursue legal action, and businesses might be held financially responsible for losses resulting from stolen data.
How to Detect eSkimming
Early detection of eSkimming can be challenging, but there are signs and methods that can help:
- Unexplained JavaScript Files: Regularly review your site’s source code for new or unfamiliar scripts, especially on payment pages.
- External Connections: Monitor network traffic to identify unusual connections to third-party servers, which may indicate data exfiltration.
- Website Scanners: Use automated tools that scan for known eSkimming signatures or behavioral anomalies.
- Customer Complaints: A sudden uptick in fraud reports (think chargebacks) following purchases could indicate an active skimming operation.
Best Practices to Prevent eSkimming
Protecting your business from eSkimming requires a layered approach. Here are some of the most effective strategies:
-
Keep All Software Updated
Regularly update your CMS (like WordPress, Magento, or Shopify), themes, plugins, and any other third-party components. Many eSkimming attacks exploit known vulnerabilities in outdated software.
- Use Sub-resource Integrity (SRI)
SRI is a security feature that ensures external scripts haven’t been tampered with. It works by comparing a script’s hash value against the expected hash before execution. If it doesn’t match, the browser blocks it.
- Limit Third-Party Scripts
Only use third-party scripts that are absolutely necessary, and vet the vendors carefully. Even a legitimate plugin can be compromised if its vendor’s site gets hacked.
- Implement a Content Security Policy (CSP)
CSP is a powerful tool that restricts which sources can execute scripts on your site. This can help prevent unauthorized code from running—even if it’s somehow inserted into your site.
- Conduct Regular Security Audits
Routine audits—whether by your internal team or a third-party cybersecurity firm—can help identify potential vulnerabilities before attackers do.
- Utilize Web Application Firewalls (WAF)
A WAF monitors and filters incoming traffic to your website. It can help detect and block malicious payloads before they reach your web server.
- PCI Compliance Isn’t Optional
Being PCI compliant isn’t just about avoiding fines—it’s about safeguarding your customers’ trust. Use secure payment gateways, tokenize payment information, and never store sensitive cardholder data unless absolutely necessary.
The Human Element
While technology plays a big role in protecting against eSkimming, employee awareness is just as critical. Many breaches start with phishing emails or compromised credentials. Make sure your team:
- Knows how to recognize phishing attempts
- Uses strong, unique passwords with multi-factor authentication (MFA)
- Avoids installing unauthorized plugins or software
Cybersecurity is a team sport. Everyone in your organization—from developers to customer service reps—should be part of the defense.
The Future
eSkimming criminals aren’t going away anytime soon. As more commerce shifts online and consumers embrace digital payment methods, attackers will continue to find new ways to exploit vulnerabilities. What makes eSkimming especially tricky is that it evolves faster than many businesses can react.
That’s why proactive prevention and education are key. By understanding how eSkimming works and committing to robust cybersecurity practices, businesses can significantly reduce their risk.
The rise of eSkimming is a wake-up call for any business that accepts online payments. It’s no longer enough to simply launch a website and install a shopping cart. Businesses must take a security-first approach to everything they do online—from choosing vendors to managing code deployments.
At the end of the day, trust is the foundation of eCommerce. If customers can’t trust you to keep their data safe, they’ll find someone else who can.
Now’s the time to ask: Are you doing everything you can to keep the skimmers out?
