by Randy Paszek, Senior Sales Engineer at Source Defense

What is eSkimming?

eSkimming, Magecart, and formjacking are all terms used to describe website-based attacks that utilize malicious code injected into a webpage to read, write, or change the intended function of the page. These attacks often target payment card data, health information, identity information, or financial account information and are common on modern websites. Companies that have a significant online presence should be aware of the risks and consequences of eSkimming attacks. 

Late last year, Visa warned that 75% of the breaches they investigate involve eCommerce sites, and specifically warned about eSkimming as a new preferred method for cyber criminals. Depending on location and industry, privacy acts such as GDPR and CCPA, standards organizations like PCI, and industry-specific regulations like HIPAA, reinforce the need to prioritize client-side security, particularly against eSkimming security.

Brief History of eSkimming and Magecart Attacks

eSkimming attacks have been around since at least 2014, and initially targeted the Adobe Magento eCommerce platform. These early attacks, known as “Magecart,” demonstrated the effectiveness of using JavaScript as the basis for such attacks. 

As online shopping increased, Magecart groups (at least 13 known groups have been identified) began looking at other platforms and techniques to carry out eSkimming attacks, such as Heroku, WordPress, Shopify, and WooCommerce. Platform-based attacks exploit known vulnerabilities in a platform version, which may allow rogue code to be inserted or run within that platform, potentially affecting any site running that version of the platform.

As delivery networks and code repositories gained popularity, a shift in targets occurred, with repositories like GitHub and Amazon S3 becoming the focus of attacks. Injecting or changing code used across multiple sites allows for efficient, widespread attacks. Third-party based attacks, which use the access granted to third-party code on a site, may be the most dangerous. These attacks use third-party services like analytics, advertising, chatbots, and social media as injection points for malicious code. 

These services typically have full access to every event that takes place during a visitor session, giving access to typed data, survey answers, and account information. Sites that transact data are at risk of third-party based attacks due to the access JavaScript has and the trust that site owners give to external services.

In the same report referenced above, Visa similarly warns about the use of 3rd party supply chain partners as an attack vector. For any organization focused on 3rd party risk, evaluating the corporate website must be a component of that program. 

Ultimately, websites which use JavaScript services for marketing, eCommerce, or user experience enhancements (among other things) have a higher risk of becoming a victim of these attacks.

Latest eSkimming Attack Vectors

More recently, advanced techniques have emerged, such as using a website favicon to store eSkimming JavaScript in the EXIF data for the image, hiding skimmed data in JPEG files, and using randomization to only affect a certain percentage of visitors to a page. These techniques show the evolution of eSkimming attacks as the profitability of stolen data and online transactions increases.

Best Practices to Guard Against eSkimming Attacks

Some things to keep in mind as you try to protect your ecommerce sites against eSkimming:

  • Keeping webapp software up to date with the latest patches and fixes is an important step in preventing eSkimming attacks. 
  • Automating patching processes through patching services and software can also be helpful. 
  • Adhering to industry and government guidelines for securing webapps can make site exploitation more difficult and deter potential attackers.
  • Regulations such as PCI DSS 4.0, CCPA, GDPR, ATT&CK, and NIST CSF offer best practices and guidance for securing data transactions on websites. 
  • Site owners may consult with internal or external GRC analysts or compliance assessors to ensure compliance with necessary regulations.

While these practices can harden webapps, they are not foolproof. It is important to also have monitoring, detection, and prevention tools in place to help incident responders when an attack occurs. 

Tools To Guard Against eSkimming Attacks

There are native browser tools such as sub-resource integrity and content security policy that offer a basic level of protection against eSkimming attacks. 

  • Sub-Resource Integrity (SRI) uses hashes created by the website owner to ensure that only unchanged code can run on a site, but this can limit the use of third-party code and dynamic code on a site, potentially affecting the user experience and limiting the use of analytics and advertising services. 
  • Content Security Policy (CSP) allows website owners to control the origin of scripts, so that only whitelisted script domains can run on a page. These browser-native technologies have their limitations, but can be used in conjunction with more targeted monitoring or protection tools.
  • Monitoring tools can include the use of synthetic traffic and real-time user traffic to detect and report on script origins, connections, behaviors, and events. Knowing the source and behavior of a script can be helpful should one of these behaviors necessitate an investigation.
  • Protection and prevention tools take things a step further, such as using a proxy or proprietary technology to restrict JavaScript access on a page. These solutions, even those that offer automated CSP directives, can react faster than analysts when a script is behaving in unexpected ways.

The Impact of eSkimming Attacks

The consequences of eSkimming attacks for companies can be severe and varied. Penalties for past victims of these attacks have included fines, the funding of victim identity protection services, and the requirement to hire new staff. The largest fine associated with an eSkimming attack, due to GDPR violations, was over $200 million USD (ultimately settled at over $25 million). 

These regulatory violations often come with fines, but in some cases, such as an attack on a clothing company in the USA, they have also resulted in fines, victim funds, the hiring of a director of security, and multiple audits to ensure client-side security and other best practices are followed.

There are also hidden impacts of attacks, such as brand damage and loss of customer loyalty, which can ultimately hurt profits and affect stock prices. Some industries, such as PCI, have their own guidelines for securing payment card data and have the authority to levy fines and even revoke a merchant’s ability to process card payments. Overall, the impact of eSkimming attacks on a business, especially a high-profile one, can be almost immeasurable.

Case Studies

British Airways and GDPR– British Airways was initially fined £183m ($238m) by the UK’s Information Commissioner’s Office (ICO) for data breach of nearly 500,000 customers in 2018, but the fine was reduced to £20m ($26m) due to mitigating factors stemming from the Covid-19 pandemic. British regulators said the fine resulted largely from British Airways not having the necessary client-side security protections in place that could have prevented the breach.

See Tickets eSkimming Attack – Ticketing service provider See Tickets was affected by a card skimming attack that stole financial and personal information from its online customers for 2 1/2 years, however the company was not aware until April 2021 and took a few months to investigate and shut down the malicious activity. The number of people affected by the breach is unknown but is likely to be in the hundreds of thousands.

Segway Magecart Attack – Segway, the manufacturer of self-balancing single-rider vehicles, was the victim of a Magecart attack, which may have exposed up to 600,000 visitors to malicious code embedded within Segway’s web pages. The attack is not unique and it is likely that other organizations have been impacted in a similar way.

Ally Bank Third-Party Access – Ally Bank has notified customers that third-parties had accessed unencrypted usernames and passwords as customers were typing the information into their login fields. The issue is not unique, many other businesses are allowing third-parties to have access to their sites without security or permissions, to skim data from input fields, which could lead to security breaches, identity thefts and financial losses.

eSkimming attacks are a significant threat to modern websites and can result in the theft of sensitive information and financial losses. By taking steps to prevent these attacks, companies can protect their customers and their own interests. Regular updates, secure code repositories, content security policies, and monitoring for suspicious activity are all important measures to take to reduce the risk of eSkimming attacks.

Client-Side Risk Report

Organizations that rely solely on server-side security are highly vulnerable to client-side attacks. The sensitive data, credit card information and PII that your clients entrust you with can be stolen by highly motivated actors, then quickly monetized. Discover insights into security and data privacy compliance issues caused by the third parties that power your site. We will scan your website, detect vulnerabilities, and show you how we can help protect against them.

Schedule a meeting with Source Defense and get your custom report.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.