Web Skimming
Web skimming, often referred to as digital skimming or formjacking, is a cyberattack technique in which attackers inject malicious JavaScript into a legitimate website to harvest sensitive user data. This data typically includes credit card numbers, billing addresses, and login credentials entered into payment forms.
Unlike a data breach, where attackers break into a server and copy stored databases, web skimming occurs on the client side, inside the customer's browser. The theft happens in real time as the user types: the script reads the values from the form fields before the browser encrypts them for transmission to the website's server.
How Web Skimming Attacks Work
The mechanism of a web skimming attack relies on the compromised integrity of a website's frontend code. The process generally follows these steps:
Injection: Attackers gain access to a website's source code or to the code of a third-party service used by the website (e.g., a live chat widget, analytics tool, or advertising script). They insert a small, obfuscated piece of malicious JavaScript.
Execution: When a customer visits the checkout page, the malicious script is loaded alongside the legitimate website content. The browser cannot distinguish between safe and malicious code.
Interception: As the customer types their payment details into the forms, the script "listens" to the keystrokes or monitors the form fields.
Exfiltration: The script copies the captured data and silently sends it to an attacker-controlled server (the Command and Control server). The legitimate transaction still proceeds normally, leaving the user and the merchant unaware that a theft has occurred.
Synonyms and Related Terms
In the cybersecurity industry, web skimming is often discussed using several interchangeable terms:
Magecart: An umbrella name for a number of cybercriminal groups that popularized web skimming, originally against sites running the Magento e-commerce platform. The term is often used as a synonym for the attack style itself.
Formjacking: This term describes the specific action of hijacking the functionality of a web form to steal its contents.
Client-Side Supply Chain Attack: This describes the attack vector, noting that the vulnerability was introduced via a third-party supplier (the supply chain) and executed on the user's device (client-side).
Why Web Skimming is Difficult to Detect
Web skimming is particularly dangerous because it evades many traditional security controls.
It Bypasses HTTPS and Encryption
TLS (the "S" in HTTPS) protects data while it travels from the browser to the server. A skimmer reads the data from the input fields, inside the page, before the browser encrypts it for transmission, so the secure connection offers no protection; the stolen copy typically leaves for the attacker over an HTTPS connection of the attacker's own.
It Hides in Third-Party Code
Modern websites load dozens of scripts from external vendors (analytics tags, advertising pixels, customer support bots). Attackers often compromise one of these vendors rather than the target website directly, and a script loaded from a vendor runs with the same access to the page as the site's own code. Security teams rarely have visibility into code changes made by third-party providers.
It Executes on the Client Side
Because the malicious script runs in the customer's browser, and the stolen data travels straight from the browser to the attacker, the merchant's server-side logs and Web Application Firewall (WAF) see no trace of the theft.
Prevention and Mitigation Strategies
Securing a website against web skimming requires a focus on client-side security and script management.
Content Security Policy (CSP): A strict CSP is one of the most effective defenses. This HTTP response header tells the browser which origins may supply scripts (script-src) and where the page may send data (connect-src, img-src, form-action), so a properly configured policy stops a skimmer from loading, or from beaconing stolen data to an attacker-controlled server. Start with Content-Security-Policy-Report-Only to learn everything the checkout page legitimately loads before enforcing. The caveat: a policy with wildcards, or one that permits a broad service the attacker can also use as a drop point, gives little protection, and the policy must be revisited whenever a vendor changes its hosts.
Subresource Integrity (SRI): SRI allows the browser to verify that a fetched file (like a JavaScript library) has not been manipulated. The script tag carries a cryptographic hash of the expected content in its integrity attribute; if the fetched file does not match, the browser refuses to run it. SRI only works for files whose content is pinned: a vendor script that changes without notice will simply stop loading, so it suits versioned libraries rather than "evergreen" tags that vendors update in place.
External Attack Surface Monitoring: Continuous monitoring of the website's external code dependencies to detect unauthorized changes or new, suspicious network requests from the checkout page.
Script Sandboxing: Isolating third-party scripts in sandboxed iframes served from a separate origin, or placing the payment fields themselves in an iframe hosted by the payment provider, so that scripts on the main page cannot read the card fields.
Frequently Asked Questions
What is the difference between phishing and web skimming? Phishing involves tricking a user into visiting a fake website to enter their credentials. Web skimming occurs on the legitimate website that the user intended to visit; the site itself is compromised, making the attack much harder for a user to detect.
Does a firewall protect against web skimming? A traditional network firewall or Web Application Firewall (WAF) typically protects the server. Since web skimming occurs in the user's browser, traditional WAFs often cannot detect or block data exfiltration unless they include specific client-side protection features.
Who is the primary target of web skimming? E-commerce retailers, travel booking sites, and any online platform that processes credit card payments are the primary targets. However, any site with a login form can be targeted to steal user credentials.
Can antivirus software detect web skimming? Sometimes. Advanced antivirus or endpoint detection and response (EDR) tools running on the user's computer may detect known malicious domains or scripts, but they are not a guaranteed defense against newly written or freshly obfuscated skimming scripts.
ThreatNG and Web Skimming Defense
ThreatNG counters the threat of Web Skimming (Magecart) by managing the external attack surface where these attacks originate. Since web skimming often exploits "Shadow IT," unmonitored third-party scripts, and exposed cloud infrastructure, ThreatNG’s ability to map the entire digital ecosystem from an outside-in perspective provides the visibility needed to detect these unauthorized changes before they result in data exfiltration.
External Discovery of Script Dependencies
Web skimming attacks frequently target the supply chain rather than the main server. ThreatNG’s External Discovery engine automatically maps the entire web ecosystem to find the hidden "side-doors" attackers use to inject malicious JavaScript.
Third-Party Asset Identification: ThreatNG identifies all external resources connected to the organization's domain. This includes discovering every third-party script, chatbot, and analytics tool running on the company's web properties. By creating a complete inventory of these external dependencies, ThreatNG eliminates the blind spots where skimming code hides.
Shadow Site Discovery: Attackers often test skimming scripts on forgotten development subdomains or old marketing microsites before moving to production. ThreatNG discovers these "Shadow IT" assets (e.g., dev-checkout.company.com) by crawling the surface, deep, and dark web. Identifying these neglected entry points prevents them from becoming staging grounds for broader attacks.
External Assessment of Infrastructure Integrity
Once web assets are discovered, ThreatNG uses its Assessment Engine to evaluate their integrity and susceptibility to manipulation. This helps prevent the initial injection of skimming code.
Cloud Infrastructure Assessment: Many skimming attacks begin with a misconfigured AWS S3 bucket or Azure Blob Storage container with "Public Write" access. Attackers simply overwrite a legitimate JavaScript file hosted in the bucket with a malicious version. ThreatNG assesses cloud resources to identify these permission errors.
Example: ThreatNG identifies an S3 bucket named assets-js-prod linked to the main e-commerce site. The assessment engine flags this bucket as "Publicly Writable." This alert allows the security team to lock down the bucket immediately, preventing an attacker from modifying the checkout.js file hosted there.
Vendor Reputation and Financial Health: A vendor in financial distress is often a security risk (due to staff cuts or lack of maintenance). ThreatNG assesses the Financial and Legal health of third-party script providers.
Example: ThreatNG detects that a provider of a "Customer Reviews" widget used on the checkout page has filed for bankruptcy and has pending litigation. This "Business Resource" assessment warns the organization that the vendor may no longer be patching its systems, making the vendor's script a high-risk vector for a supply-chain skimming attack.
Investigation Modules for Threat Hunting
ThreatNG’s investigation modules allow analysts to proactively hunt for signs of skimming campaigns targeting their brand or infrastructure.
Sanitized Dark Web Investigations: ThreatNG provides a safe, navigable, and sanitized copy of dark web sites. This allows security teams to search for their brand name or specific asset identifiers in hacker forums where skimming kits are sold or stolen credit card data is auctioned.
Example: An analyst uses the investigation module to search for the company's domain on a dark web marketplace. The "sanitized copy" feature allows them to view a listing for "Fresh Sniffed Cards from [Company Name]" without exposing their browser to malware. This confirms that active skimming is occurring, triggering an immediate incident response.
Domain and DNS Investigation: If a suspicious domain is noted in web logs (e.g., data being sent to cdn-googIe-analytics.com, where a capital "I" stands in for the "l" of the real analytics host), ThreatNG allows for a guided investigation of that domain. It can reveal whether the domain was recently registered or is hosted on known bulletproof hosting, both strong indicators that it is a skimming Command and Control (C2) server.
Intelligence Repositories for Skimming Context
ThreatNG leverages its vast intelligence repositories to provide context on potential skimming threats.
Dark Web Resources: The platform continuously ingests data from dark web sources. If a new Magecart group announces a campaign targeting a specific e-commerce platform (like Magento or Shopify) that ThreatNG knows the organization uses, the system correlates this intelligence. It alerts the user that their specific technology stack is currently being actively targeted by skimmers.
Legal and Regulatory Data: By monitoring legal filings, ThreatNG can identify if a third-party partner has recently been sued for a data breach. This intelligence serves as an early warning that the partner’s security posture is compromised, prompting the user to remove that partner's scripts from their payment pages.
Continuous Monitoring for Code Integrity
Web skimming is a persistent game; attackers wait for a window of opportunity. ThreatNG’s Continuous Monitoring ensures that the external view is always current.
Change Detection: ThreatNG monitors the digital footprint in real-time. If a new, unknown subdomain appears or a new third-party connection is established on the checkout page, the system triggers an alert.
Persistent Risk Scoring: The platform continuously recalculates risk scores as new data arrives. If a previously safe third-party vendor suddenly appears in a "Compromised Credentials" dump in the dark web repository, their risk score spikes. This prompts the security team to investigate the vendor's access, potentially preventing a supply chain hijack.
Reporting
ThreatNG consolidates these findings into a Single Pane of Glass report that translates technical skimming risks into business terms.
Executive Visibility: A report might highlight "High Risk in Digital Supply Chain" rather than listing raw script filenames. This helps CISOs communicate to the board that reliance on unvetted third-party widgets is a financial liability.
Configurable Categories: Security analysts can configure reports to focus strictly on "Technical Resources" and "Cloud Infrastructure" to get a daily digest of new script assets and bucket exposures relevant to skimming defense.
Complementary Solutions
ThreatNG provides the intelligence and discovery data that power the enforcement tools that block skimming attacks.
Content Security Policy (CSP) Management ThreatNG builds the allowlist for CSP.
Cooperation: A CSP relies on knowing exactly which scripts are allowed to run. ThreatNG’s External Discovery creates the definitive inventory of all legitimate scripts and domains currently in use. The security team uses this inventory to configure the CSP headers. If ThreatNG detects a new, unauthorized script, the CSP acts as the enforcement layer to block it, while ThreatNG issues an alert indicating that the policy needs updating or investigation.
Web Application Firewalls (WAF) ThreatNG feeds threat intelligence to the WAF.
Cooperation: ThreatNG identifies malicious domains and C2 servers through its Dark Web and Reputation resources and feeds these indicators of compromise (IOCs) to the WAF. A WAF sits in front of the merchant's server, so it can block inbound requests from attacker infrastructure (for example, attempts to reach the store's admin panel or to upload a modified script), but it does not see the connection a customer's browser makes to the attacker's domain. Cutting off the "Exfiltration" phase itself requires pushing the same IOCs into the CSP connect-src and img-src allowlists, or into a client-side protection tool that watches outbound requests from the page.
Client-Side Protection Platforms ThreatNG validates the scope of protection.
Cooperation: Client-side protection tools monitor JavaScript execution in real-time. ThreatNG acts as the auditor for these tools. It discovers "Shadow Assets" (like forgotten landing pages) that the client-side protection tool might not be installed on. By identifying these gaps, ThreatNG ensures the protection platform is deployed across 100% of the external attack surface.
Frequently Asked Questions
How does ThreatNG detect skimming if it doesn't look at the code? ThreatNG focuses on the conditions that enable skimming (exposed buckets, malicious vendors, shadow sites) and the symptoms of a breach (stolen data on the dark web). It finds the open doors that skimmers walk through.
Can ThreatNG help with third-party skimming attacks? Yes. By assessing the Reputation, Legal, and Financial status of your vendors, ThreatNG predicts which vendors are likely to be compromised. It also maps which vendors are connected to your site, giving you a map of your supply chain risk.
What is the role of the "Sanitized Copy" in skimming investigations? It allows analysts to visually confirm if their customer data is being sold on carding forums without risking infection from the dark web site itself. This provides definitive proof of a breach.