by Source Defense

From Opportunistic Crime to Industrial-Scale Operations

Throughout 2025, Source Defense Research observed a decisive shift in the global eSkimming threat landscape. This blog acts as an executive summary of our 2025 research report – the full report can be downloaded HERE.

A major shift has occurred in adversarial tradecraft. What was once dominated by opportunistic script injections has matured into a professional, highly coordinated ecosystem designed to evade modern security controls, exploit gaps in how organizations think about payment page protection, and bypass the efforts of the PCI Security Standards Council to address eSkimming in PCI DSS 4.0.1.

Over the course of the year, Source Defense identified more than 92 distinct eSkimming campaigns impacting thousands of e-commerce sites worldwide. These were not isolated incidents. They were persistent, adaptive operations that demonstrate one clear reality: eSkimming has evolved faster than most defensive strategies – and the DSS as written provides a false sense of security.

The Big Picture: Why 2025 Was Different

The defining characteristic of 2025 was scale with sophistication. Attackers increasingly behaved like commercial operators, not lone criminals. In late 2025, Source Defense uncovered a globally coordinated campaign operating across 52 modular malicious scripts, targeting multiple payment platforms, languages, and regions. This was not experimentation. It was infrastructure.

This campaign, and others like it, confirm that eSkimming has entered an “as-a-Service” era, complete with modular tooling, regional customization, redundancy, and quality control. Attackers are no longer just stealing cards. They are building platforms.

Key Findings That Matter to Executives

1. Trust Is the Primary Attack Surface

Attackers consistently exploited trusted technologies rather than breaking through perimeter defenses. The vast network of third-party scripts found across modern websites, along with Google Tag Manager, first-party scripts, CDNs, cloud platforms, and collaboration tools, was abused as a delivery or exfiltration channel. When malicious activity is delivered through services that organizations already trust, traditional allowlists and reputation-based defenses fail silently.

This exposes a fundamental weakness in security models that assume “trusted source equals trusted behavior.” It also exposes a fundamental issue with the guidance in the PCI DSS, which emphasizes Content Security Policy and Subresource Integrity as effective controls against eSkimming.

2. Payment Page–Only Security Is No Longer Effective

Many attacks in 2025 never touched the payment page itself. Instead, they staged activity earlier in the customer journey, on cart pages, in shipping flows, and during account creation, or injected entirely new payment options into the checkout experience.

In one notable technique, attackers dynamically added payment methods that did not exist in the merchant’s original configuration. Sites that believed they were immune because they relied on off-site payment redirects were compromised anyway. The assumption that “we don’t host a payment form, so we’re safe” is now demonstrably false.

Also false is the assumption found within the PCI DSS that compliance and security scope should be limited to payment pages as opposed to the entire website.

3. Silent Skimming Has Become the Norm

Rather than disrupting checkout flows with obvious fake forms, attackers increasingly harvested data invisibly. Payment details were captured in the background, staged locally, and exfiltrated later using encrypted or indirect methods that bypassed page-level controls.

From a customer’s perspective, the transaction appeared to succeed. From a merchant’s perspective, nothing looked broken. This shift dramatically increases dwell time and damage while reducing detection.

4. Legitimate Infrastructure Is Being Weaponized

In 2025, stolen payment data was routinely sent to platforms like cloud hosting services, CDNs, and collaboration tools. When exfiltration traffic goes to well-known providers instead of suspicious domains, legacy detection approaches lose effectiveness.

This trend underscores a critical shift: the line between malicious and legitimate infrastructure has blurred, and security strategies must adapt accordingly.

5. eSkimming Is Now Industrialized

The 52-script modular campaign uncovered late in the year marks a turning point. This was not a one-off success. It was evidence of a repeatable business model with centralized control, localization, redundancy, and persistence mechanisms.

Attackers demonstrated the ability to:

  • Adapt payloads by geography and payment provider
  • Maintain access through compromised administrator accounts
  • Evade forensic analysis and mislead defenders
  • Scale rapidly across hundreds of sites

This level of maturity places eSkimming firmly in the category of organized cybercrime, not edge-case fraud.

What This Means for Security and Business Leaders

The events of 2025 highlight a growing gap between compliance-driven controls and real-world risk. A narrow focus on payment pages, static policies, or trusted domains creates blind spots that modern attackers are actively exploiting.

Executives should take away three core lessons:

  • Visibility must extend across the entire customer journey, not just checkout
  • Behavior matters more than source when evaluating script risk
  • Prevention must happen in real time, before data leaves the browser

Organizations that continue to rely on legacy assumptions will increasingly find themselves compliant on paper but exposed in practice.
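As an added example (not Source Defense's code and not part of the report), the following Node.js-runnable check shows what "behavior over source" and "before data leaves the browser" mean for the silent, encoded exfiltration to trusted infrastructure described above: given an outbound request captured by a client-side monitor, it peels the URL-encoding and base64 layers used to hide staged card data and blocks Luhn-valid card numbers bound for any origin other than the payment processor, no matter how reputable that origin is. The processor origin, the sample destinations and the captured requests are constructed assumptions; the hook that would feed real requests into it is not shown.

```javascript
// Added example (not Source Defense's code). Origins and captures are constructed.
// Luhn check so order IDs and timestamps are not mistaken for card numbers.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}
// Return Luhn-valid 13-19 digit runs (spaces/dashes allowed) found in text.
function findPans(text) {
  const hits = [];
  for (const m of text.match(/\d(?:[ -]?\d){12,18}/g) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}
// Peel the layers silent skimmers use to hide staged data: URL-encoding and
// base64 (standard or URL-safe) blobs embedded anywhere in the body.
function decodedViews(body) {
  const views = [body];
  try { views.push(decodeURIComponent(body)); } catch (_) { /* not URL-encoded */ }
  for (const blob of body.match(/[A-Za-z0-9+\/_-]{16,}/g) || []) {
    views.push(Buffer.from(blob.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));
  }
  return views;
}
// Assumed policy: card data may leave the browser only toward the processor.
const PAYMENT_ORIGINS = new Set(['https://pay.example-processor.test']);
// Verdict for one outbound request {url, body} captured by a fetch/XHR/sendBeacon hook.
function evaluateOutbound(req) {
  const origin = new URL(req.url).origin;
  const pans = [...new Set(decodedViews(req.body || '').flatMap(findPans))];
  if (pans.length === 0) return { verdict: 'allow', reason: 'no card data in request' };
  if (PAYMENT_ORIGINS.has(origin)) return { verdict: 'allow', reason: 'card data to payment processor' };
  return { verdict: 'block', reason: `card data bound for non-payment origin ${origin}`, pans };
}
// Constructed captures: analytics beacon, legitimate tokenization, hidden exfiltration.
const SAMPLE_REQUESTS = [
  { url: 'https://cdn.example-analytics.test/collect', body: 'event=checkout_view&order=1234567890123&t=1700000000000' },
  { url: 'https://pay.example-processor.test/tokenize', body: '{"pan":"4111111111111111","exp":"12/27"}' },
  { url: 'https://files.example-collab.test/upload',
    body: 'd=' + Buffer.from(JSON.stringify({ cc: '4111111111111111', exp: '12/27' })).toString('base64') },
];
for (const r of SAMPLE_REQUESTS) console.log(r.url, '->', evaluateOutbound(r).verdict);
```

The same card number is allowed toward the processor and blocked toward the file-sharing host, which is the behavioral distinction a source-based allowlist cannot make.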

Looking Ahead

Source Defense Research expects these trends to accelerate in 2026. As attackers refine their platforms and adopt automation and AI-driven techniques, the cost of inaction will continue to rise – financially, operationally, and reputationally.

The good news is that this risk is manageable when addressed directly. Organizations that take a behavior-based, site-wide approach to client-side security are far better positioned to stop eSkimming before damage occurs.

Read the Full Report

This blog only scratches the surface. The full 2025 eSkimming Landscape Report details the campaigns, techniques, and implications uncovered by Source Defense Research, along with forward-looking insights every e-commerce and security leader should understand.

Download the complete report to explore the findings in depth and understand what modern eSkimming defense requires in 2026 and beyond.
