Online Skimming – The Emerging Payment Card Fraud

Cyber threats keep growing in an era where data is the most valuable asset. Even as organizations upgrade their security posture to safeguard sensitive information, hackers are still able to steal data by chaining minor vulnerabilities together into a potent attack.

Another form of internet card fraud has emerged: online (also called web-based or digital) skimming, a fraudulent way to skim payment data from e-commerce sites during Card-Not-Present (CNP) transactions. Reports show that the attack is carried out by exploiting misconfigured networks and by brute-force attacks.

Recently, the PCI SSC released a bulletin warning e-commerce merchants and service providers about this emerging card fraud, describing the potential of the threat and the steps to take to prevent it.

What is Online Skimming?

Skimming is not a new word in the cybersecurity world, as the threat has been evolving since 2015. Initially it was card skimming, which targeted ATM terminals using physical devices called skimmers; now it is online skimming, which targets the CNP transactions of e-commerce sites with malicious code.

Online skimming is the theft of payment information from e-commerce websites by infecting specific sites with sniffers (JavaScript sniffers). Once the malware is injected, it is very hard to detect traces of it on the website.

After gaining access to the website’s payment page, the hacker skims payment information such as the billing address, CVV2, PAN and card expiration date during the transaction process, without the knowledge of either the customer or the service provider.

Security researchers often use the term “Magecart” to refer to the different groups of cybercriminals that perform various types of skimming attacks. Interestingly, these Magecart skimmers do not work in coordination; they compete with each other to steal data and sell it to the highest bidder on the dark web.

The Target for Online Skimmers

The malware targets the payment application infrastructure that third-party service providers supply to e-commerce merchants. According to the records of breaches so far, the attackers started by compromising the service providers’ Content Delivery Network (CDN) implementations and planting sniffers in the JS code that merchants use to support payment transactions.

These sniffers skim the sensitive payment information, including card details, names, phone numbers and locations, that is entered into the e-commerce site during a purchase.

An analysis conducted by VISA’s Payment Fraud Disruption (PFD) and e-commerce Threat Disruption (eTD) made it evident that the attackers used the same infrastructure for all the attacks and they targeted the service providers who hosted the code in more than one CDN.

In July 2019, a shocking 17,000 domains, integrated with the 8 web-based service providers initially targeted in April 2019, were under attack.

It was found that the skimmers used two methods to compromise most CDNs:

  • By exploiting the most common vulnerabilities, i.e. misconfigurations present in the CDN implementation, such as unpatched systems, unused web pages, and files and directories that are not secure.
  • By brute forcing their way into the service provider’s CDN implementation.

While the approaches to compromising CDNs differ (including the two methods mentioned above), the same payload, named the Inter digital skimming kit, is used in both cases. The payload is widely available for download on the dark web and is intended for carrying out skimming attacks widely.

Prevention is Better than Cure!

The online skimming attacks are a warning bell to all service providers and merchants. Magecart hackers are using customizable JavaScript sniffers that can compromise any e-commerce site that does not have security controls in place. Hence, action needs to be taken against this emerging threat.

Some of the preventive steps include:

  • Check the code regularly.
  • Regularly update login credentials.
  • Because all the attacks so far have exploited misconfigured write permissions in widely used CDNs to intrude, there is a serious need to configure Content Delivery Networks properly and to restrict and secure access to CDN implementations.
  • Use a single, secured configuration for all your implementations. Using a number of different configurations can result in inconsistencies.
  • Measures such as penetration testing to identify vulnerabilities, regular patching to close gaps in time, and maintaining multi-layered security systems help greatly in preventing intrusions.
  • It is highly recommended to use “check-out solutions” for merchants and service providers, through which customers can enter the transaction information in a new payment page, redirected away from the actual e-commerce site.
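
One way to automate the "check the code regularly" step for scripts loaded from a CDN, as an added example that is not part of the original article: it compares every external script on a payment page against a reviewed baseline using Subresource Integrity (SRI) hashes. The CDN host, file names and sample page are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha384(body: bytes) -> str:
    """Subresource Integrity (SRI) value for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))


def audit_page(html, served, baseline):
    """served: src -> bytes the CDN returns now; baseline: src -> reviewed SRI value."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in baseline:
            findings.append((src, "script not in reviewed baseline"))
        elif sri_sha384(served[src]) != baseline[src]:
            findings.append((src, "served content changed since review"))
        elif integrity != baseline[src]:
            findings.append((src, "integrity attribute missing or stale"))
    return findings


# Constructed sample data: hypothetical CDN host and file names.
PAY, UI, NEW = (f"https://cdn.example/{name}.js" for name in ("pay", "ui", "new"))
REVIEWED = {PAY: b"function pay(){}", UI: b"function ui(){}"}
BASELINE = {src: sri_sha384(body) for src, body in REVIEWED.items()}
SERVED = {**REVIEWED, PAY: b"function pay(){}/* edited */", NEW: b"function x(){}"}
PAGE = (f'<script src="{PAY}" integrity="{BASELINE[PAY]}"></script>'
        f'<script src="{UI}"></script><script src="{NEW}"></script>')

if __name__ == "__main__":
    for src, finding in audit_page(PAGE, SERVED, BASELINE):
        print(f"{finding}: {src}")
```

Run on a schedule against the live payment page, a non-empty result means a script was added or altered outside the review process, or is being loaded without an integrity attribute that would let the browser reject a modified copy.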


Most importantly, every online shopping merchant should keep in mind the best security practices and PCI compliance guidelines, as the outcome of a data loss can be unimaginable!

Nitin Bhatnagar