Europol Identifies 400 Online Merchants as Victims of E-Skimming

More than 400 online merchants were found to be infected with e-skimmers following a coordinated international action by law enforcement.

The two-month campaign by Europol and law enforcement agencies in 17 countries identified infected e-commerce sites and alerted them that their customers’ card data had been compromised.

It resulted in two dozen new e-skimmers, i.e. malicious software or ‘malware’ types, being identified. These include AngryBeaver, ATMZOW, FirstKiss, FakeGA, health_check, Inter and R3nin.

What is E-skimming?

E-skimming, or digital skimming, involves stealing sensitive data inputted by users into web forms. Frequently this is payment data from online checkout pages, although it also includes personally identifiable information, or PII for short, from other web forms.

E-skimming goes by many names, including digital skimming, data skimming, and formjacking. Then there are the more specific terms of JavaScript attacks or Magecart attacks, which hint at how skimming works.

Criminals exploit vulnerabilities in a website’s code or infrastructure to harvest data. These attacks are hard to detect as the payment process is unaffected. The customer gets their goods or services and the merchant gets paid. Both parties are unaware that a compromise may have occurred.

LEARN MORE How to Strengthen E-commerce Security Against E-skimming Threats

How Does E-skimming Work?

In general, there are four stages in an e-skimming attack:

1. Initial breach

Criminals gain access to the source code of the server of an online store either as a first-party attack or by compromising a third party. Often this is by exploiting software vulnerabilities, deploying malware, or using stolen (or phished) credentials.

2. Code injection

Criminals inject malicious code to compromise payment pages. They evolve their methods. And tailor them depending on whether payment forms appear directly on pages or are embedded using an iFrame.

JavaScript attacks, as the name suggests, target the programming language used by more than 98% of websites to create interactive pages. 

Magecart attacks are named after ‘Magento’, the primary open-source e-commerce platform, and shopping ‘cart’. Magecart also refers to the criminal group active since 2015 carrying out such attacks.

3. Data exfiltration

The harvesting of data occurs when consumers enter their payment details to complete their purchases on compromised payment pages. The malicious code covertly skims and collects the information, often encrypting it, before sending it to the attacker’s remote server.

4. Monetization

Criminals monetize stolen data by using it to make unauthorized, fraudulent purchases for goods to re-sell for cash. Or by selling the data to other criminals.

How Did We Get Here?

The Internet was designed for sharing and collaboration not necessarily banking and shopping. How web applications are built has also changed over time. 

The business intelligence has moved from web servers, owned and managed by companies, into the consumer web browser, powered by JavaScript, distributed APIs, and microservices.

As a result, any JavaScript running on a browser can access all data entered into form fields on that page. With no separation between different application parts, this makes payment pages susceptible to client-side attacks, such as skimming.

What’s the Solution?

Don’t underestimate the importance and effectiveness of business-as-usual security. There are various steps e-commerce businesses can take to protect themselves from e-skimming attacks and prevent unauthorized access to sensitive data. 

These range from conducting regular security assessments, monitoring, and third-party due diligence to deploying secure code and adhering to payment security standards (PCI DSS).

The latter is becoming increasingly important as version 4.0 of the PCI DSS contains two new requirements to protect against and detect these e-skimming attacks on payment pages. These will be requirements from 01 April 2025.

The first requirement (6.4.3) is designed to minimize the attack surface and manage all JavaScript present on the payment page. The second requirement (11.6.1) aims to detect tampering or unauthorized changes to the payment page and generate an alert when changes are detected.

Jscrambler Client-Side Protection Platform

The Jscrambler Client-Side Protection Platform safeguards first-party JavaScript through state-of-the-art obfuscation and exclusive runtime protection.

Its fine-grained JavaScript behavioral analysis also mitigates threats and risks posed by third-party tags all while ensuring compliance with the new PCI DSS v4.0 standard. With Jscrambler, businesses adopt a unified, future-proof client-side security policy all while achieving compliance with emerging security standards.

Trusted by digital leaders from several industries, including financial, healthcare, and entertainment, Jscrambler gives businesses the freedom to innovate securely.

Feel free to try all Jscrambler features with a free trial or book a demo with our client-side security experts.