2025 eSkimming Landscape Report

A year of Source Defense Research on how eSkimming evolved in 2025, and what security teams should do next.

Throughout 2025, Source Defense Research tracked an evolution in eSkimming sophistication. Attacks are getting harder to spot and easier to scale; adversaries are evolving rapidly and launching campaigns designed to evade common controls and blend into normal web traffic.

This free report breaks down what we observed across the year including:

  • A late-year, globally coordinated operation built on 52 distinct malicious scripts, spanning 12 primary domains and 9+ languages. We anticipate early-year breach disclosures.
  • 92+ distinct campaigns discovered – targeting thousands of ecommerce sites. It is impossible to quantify how many more went undetected.
  • Alarming evolution of tradecraft, with campaigns designed to evade the controls in PCI DSS 4.0.1, an attack scope reaching far beyond payment pages, and new techniques for iFrame bypass.
  • Emboldened adversaries taking advantage of the fact that a majority of merchants still have not addressed eSkimming controls.
  • Heavy abuse of trusted services like Google Tag Manager, BunnyCDN, Vercel, CodePen, and Discord.
  • Rapid rise of new techniques: double-entry attacks, silent skimming, and newer tactics like payment method injection that can create attack surfaces where none existed.

Recommended for security, IT, GRC, and eCommerce teams responsible for payment security, fraud prevention, PCI DSS compliance and third-party script risk.

Fill out the form and we’ll send you a link to download the ebook.

92+ Campaigns Documented

What it means: distinct operators and playbooks, not one-off noise. Inside: patterns, shared infrastructure, and repeat techniques.


Tens of Thousands of Sites Targeted

This is the floor, not the ceiling. Many compromises don’t leave obvious signals.


52-Script Modular Operation

“eSkimming-as-a-service” makes attacks easier to scale and harder to block.


30+ GTM IDs Compromised or Abused

Why it matters: one compromised container can affect every page it loads on.


About Source Defense

As a PCI Participating Organization and the pioneer in eSkimming security, Source Defense played a role in the development of new requirements for web security found in PCI DSS 4.0.

We’ve helped thousands of the world’s leading brands address these issues. We’ve also been educating merchants, QSAs, PSPs, eCommerce platform providers and virtually every stakeholder in PCI compliance on the vulnerabilities in modern website design that make eSkimming attacks possible. We’ve made it our mission to provide guidance around ambiguity in the standard and to advise on the pros and cons of the approaches provided by the Council, and we recently launched a free assessment, monitoring and management solution for both merchants and their QSAs.
