Web Skimmer / E-Skimming
What is Web Skimmer / E-Skimming?
Malicious code injected into a website that steals payment-card or personal data as customers type it into the page.
A web skimmer (also called an e-skimmer or digital skimmer) is the JavaScript or server-side code that performs the theft in Magecart-style attacks. It lives in the checkout flow of an online store and reads card numbers, CVVs, expiry dates, and personal data directly from the DOM or network requests, then exfiltrates them to a drop server. Skimmers can be added by exploiting CMS vulnerabilities, compromising third-party scripts, taking over unmaintained S3 buckets, or stealing admin credentials. Some hide in fake favicons or steganographic images. Defences include Content Security Policy with reporting, Subresource Integrity, the client-side script-integrity monitoring required by PCI DSS v4.0, and tight permissions on script tags and tag managers.
● Examples
- 01
An obfuscated script appended to a Magento template harvests CVVs and ships them to a typosquatted CDN domain.
- 02
A skimmer hidden inside a fake favicon image fired only on the checkout page of a Shopify store.
● Frequently asked questions
What is Web Skimmer / E-Skimming?
Malicious code injected into a website that steals payment-card or personal data as customers type it into the page. It belongs to the Attacks & Threats category of cybersecurity.
What does Web Skimmer / E-Skimming mean?
Malicious code injected into a website that steals payment-card or personal data as customers type it into the page.
How does Web Skimmer / E-Skimming work?
A web skimmer (also called an e-skimmer or digital skimmer) is the JavaScript or server-side code that performs the theft in Magecart-style attacks. It lives in the checkout flow of an online store and reads card numbers, CVVs, expiry dates, and personal data directly from the DOM or network requests, then exfiltrates them to a drop server. Skimmers can be added by exploiting CMS vulnerabilities, compromising third-party scripts, taking over unmaintained S3 buckets, or stealing admin credentials. Some hide in fake favicons or steganographic images. Defences include Content Security Policy with reporting, Subresource Integrity, the client-side script-integrity monitoring required by PCI DSS v4.0, and tight permissions on script tags and tag managers.
How do you defend against Web Skimmer / E-Skimming?
Defences for Web Skimmer / E-Skimming combine technical controls (Content Security Policy with reporting, Subresource Integrity, and the client-side script-integrity monitoring required by PCI DSS v4.0) with operational practices (patching CMS vulnerabilities, vetting third-party scripts, retiring unmaintained S3 buckets, protecting admin credentials, and restricting who can edit script tags and tag managers), as described in the full definition above.
What are other names for Web Skimmer / E-Skimming?
Common alternative names include: E-skimmer, Digital skimmer, JS sniffer.
● Related terms
- attacks № 642
Magecart Attack
A category of digital-skimming attacks in which criminals inject malicious JavaScript into e-commerce checkout pages to steal payment-card data as customers enter it.
- attacks № 431
Formjacking
An attack in which malicious JavaScript intercepts form submissions in a victim's browser and sends the entered data to a server controlled by the attacker.
- attacks № 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- attacks № 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- identity-access № 230
Credential Harvesting
The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
- compliance № 807
PCI DSS
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.