
Credit Card Skimmers | NOC.org

What Are Credit Card Skimmers?

Credit card skimmers, also known as web skimmers or digital skimmers, are malicious scripts injected into ecommerce websites to steal payment card information during the checkout process. Unlike physical skimming devices attached to ATMs or point-of-sale terminals, web skimmers operate entirely in software. They intercept credit card numbers, expiration dates, CVV codes, and billing addresses as customers type them into payment forms, then transmit the stolen data to attacker-controlled servers.

This class of attack gained widespread attention under the name Magecart, which originally referred to a specific group of threat actors targeting Magento ecommerce platforms. The term has since become a general label for any JavaScript-based credit card skimming attack, regardless of the target platform. Magecart-style attacks have compromised major brands including British Airways, Ticketmaster, Newegg, and thousands of smaller online retailers.

How JavaScript Skimmers Work

Injection

The first step in a skimming attack is injecting malicious JavaScript into the target website. Attackers accomplish this through several methods:

  • Direct compromise: Exploiting vulnerabilities in the ecommerce platform, such as SQL injection, cross-site scripting, or unpatched admin panels, to modify the site's JavaScript files or inject inline scripts into checkout pages.
  • Third-party supply chain: Compromising external JavaScript libraries, analytics services, chat widgets, or advertising scripts that the target site loads. When the third-party script is modified at the source, every site that includes it is automatically infected.
  • Compromised admin credentials: Using stolen credentials obtained through brute force attacks, phishing, or credential stuffing to log into the site's admin panel and modify template files directly.
  • Compromised hosting environment: Gaining access to the web server through server-level vulnerabilities and modifying files directly on disk.

Data Capture

Once injected, the skimmer script monitors the page for payment form activity. Modern skimmers use sophisticated techniques to capture data:

  • Form hooking: The skimmer attaches event listeners to payment form fields, capturing input values on every keystroke or when the form is submitted.
  • Form overlay: Some skimmers create a fake payment form that sits on top of or replaces the legitimate one. The customer sees what appears to be the normal checkout form, but all data goes to the attacker. After capture, the data may be passed through to the real form so the transaction completes normally.
  • iframe injection: The skimmer injects a malicious iframe that loads a fake payment form from an external domain, styled to match the target site perfectly.
  • Mutation observers: Advanced skimmers use the JavaScript MutationObserver API to detect when payment form elements are added to the DOM, even if they are loaded dynamically or within iframes from payment processors.

Exfiltration

Stolen payment data must be sent to the attacker without triggering security alerts. Common exfiltration methods include:

  • Image requests: Encoding the stolen data as URL parameters in a request for a fake image file on an attacker-controlled domain. This appears as a normal image load in network traffic.
  • Beacon API: Using the navigator.sendBeacon() method to send data asynchronously, even when the page is being unloaded during form submission.
  • WebSocket connections: Establishing persistent connections to exfiltration servers for real-time data transfer.
  • Encoded POST requests: Sending data via XHR or Fetch to domains designed to look like legitimate analytics or CDN services, with the stolen data base64-encoded or encrypted in the request body.

Exfiltration domains are carefully chosen to blend in. Attackers register domains that resemble legitimate services, such as google-analytics-cdn.com or jquery-cdn.net, making the outbound requests appear routine.

Notable Magecart Campaigns

Several high-profile incidents illustrate the scale and sophistication of web skimming attacks:

  • British Airways (2018): Attackers modified a JavaScript file on the British Airways website and mobile app, capturing payment data from approximately 380,000 transactions over a two-week period. The airline was later fined 20 million GBP under GDPR.
  • Ticketmaster (2018): A supply chain attack compromised a third-party chatbot script provided by Inbenta Technologies. Every site loading the script, including Ticketmaster, was infected. Thousands of customers were affected across multiple countries.
  • Magento stores (ongoing): Automated attacks routinely scan for and compromise Magento stores running outdated software. Thousands of stores have been infected simultaneously in coordinated campaigns that exploit known vulnerabilities.

Evasion Techniques

Modern skimmers use increasingly sophisticated evasion techniques to avoid detection:

  • Obfuscation: Skimmer code is heavily obfuscated using variable renaming, string encoding, dead code insertion, and control flow flattening to make analysis difficult.
  • Conditional loading: The skimmer only activates on checkout pages, checking the URL path or DOM elements before executing. On other pages, the script does nothing.
  • Anti-debugging: Skimmers detect developer tools, debugger statements, and virtual machine environments, disabling themselves when they suspect analysis.
  • Server-side injection: Instead of modifying JavaScript files, some skimmers are injected via server-side code (PHP, Python) that dynamically adds the malicious script only to checkout page responses, making file-based scanning ineffective.
  • Steganography: Some campaigns have hidden skimmer code within image files, social media sharing icons, or CSS files, extracting and executing the code at runtime.

PCI Compliance Implications

The Payment Card Industry Data Security Standard (PCI DSS) establishes requirements for any business that processes, stores, or transmits cardholder data. Web skimming attacks directly violate several PCI DSS requirements, and a compromised merchant faces serious consequences:

  • Requirement 6: Develop and maintain secure systems and software. A skimmer indicates a failure to maintain secure code and patch vulnerabilities.
  • Requirement 11: Regularly test security systems and processes. The presence of a skimmer suggests insufficient monitoring and testing.
  • PCI DSS 4.0 (Requirements 6.4.3 and 11.6.1): The latest version of PCI DSS explicitly addresses client-side security, requiring merchants to manage all JavaScript executed in the consumer's browser on payment pages and implement mechanisms to detect unauthorized changes.

Consequences of a skimming breach include fines from payment card brands, increased transaction processing fees, mandatory forensic investigations at the merchant's expense, potential loss of the ability to process card payments, and liability for fraudulent transactions made with stolen card data.

Detection Methods

Detecting skimmers requires monitoring both server-side files and client-side behavior:

  • File integrity monitoring: Track all changes to JavaScript files, PHP templates, and other files involved in rendering checkout pages. Any unauthorized modification should trigger an immediate alert.
  • Content Security Policy (CSP): Implement strict CSP headers that limit which domains can serve JavaScript on your checkout pages. CSP violation reports will alert you if injected scripts attempt to load resources from unauthorized domains.
  • Subresource Integrity (SRI): Use SRI hashes on all external JavaScript includes. If a third-party script is modified, the browser will refuse to execute it.
  • Client-side monitoring: Deploy JavaScript monitoring solutions that detect DOM modifications, unauthorized network requests, and unexpected form element interactions on payment pages.
  • External scanning: Regularly scan your checkout pages with external tools that analyze the full page rendering, including all loaded JavaScript, for known skimmer patterns.
  • WAF protection: A web application firewall can block many of the server-side attacks used to inject skimmers in the first place, preventing the initial compromise.

Prevention Best Practices

  • Keep your ecommerce platform, plugins, and all server software updated to the latest versions.
  • Use a hosted payment form from your payment processor (such as Stripe Elements or PayPal's hosted fields) so that card data is entered into an iframe served by the processor, never touching your server.
  • Deploy a cloud-based WAF to protect against the vulnerabilities attackers exploit to inject skimmers.
  • Implement Content Security Policy headers to restrict JavaScript execution to trusted sources.
  • Use Subresource Integrity on all third-party scripts.
  • Conduct regular security audits and penetration testing of your checkout flow.
  • Monitor your site's JavaScript behavior in production to detect unauthorized modifications.
  • Limit admin access to the minimum number of users necessary and enforce two-factor authentication.

Summary

Credit card skimmers represent one of the most financially damaging forms of website compromise. Magecart-style attacks have affected organizations of all sizes, from global enterprises to small online shops. The attacks are increasingly sophisticated, using obfuscation, supply chain compromise, and conditional execution to evade detection. PCI DSS 4.0 now explicitly requires merchants to address client-side JavaScript security on payment pages. Protecting your ecommerce site requires a combination of regular patching, hosted payment forms, Content Security Policy, file integrity monitoring, and a web application firewall.

Safeguard your ecommerce site from skimmers and other threats. Explore NOC's security plans to protect your customers and your business.
