by Source Defense

If you still picture “eSkimming” as a problem connected to a single malicious script slapped onto a checkout page, you’re working from an outdated threat model. Over the past year, we’ve watched eSkimming operators evolve from opportunistic inject-and-grab campaigns into professional, modular operations that blend into normal website behavior, hide inside trusted platforms, and delay exfiltration to evade investigation.

Released at the beginning of this year, Source Defense’s 2025 eSkimming Landscape report documented 92+ distinct campaigns, including a late-year discovery of a 52-script modular campaign that functioned like “eSkimming-as-a-Service,” with tailored modules by country and payment provider.

This isn’t just “more attacks.” It’s a different level of operational maturity.

Trend 1: Attacks increasingly “live” inside trusted infrastructure

The most dangerous direction we’ve seen is the continued weaponization of legitimate services. In 2025, Source Defense observed attackers abusing platforms like Google Tag Manager, BunnyCDN, Vercel, Discord webhooks, CodePen, and Google Cloud services to host or exfiltrate skimming data.

That matters because it breaks the instincts many defenders rely on. If your detection model assumes “malicious = sketchy domain,” you will miss a skimmer that phones home through a mainstream cloud service or delivers payloads via a trusted tag manager.

Source Defense also found 30+ unique Google Tag Manager IDs compromised or abused in 2025, with GTM appearing in over one-third of documented attacks. 

When a merchant trusts GTM, it implicitly trusts everything GTM can load, chain, and mutate.

Trend 2: Chain-of-load is the new attack surface

Modern websites don’t load one script. They load a stack: first-party code, third-party libraries, tags, pixels – and then those tags load more tags.

In 2025, Source Defense documented “GTM chain attacks” where one compromised container calls another before loading the final payload (multiple examples were observed). 

This technique turns script governance into a graph problem – hard enough when everything is legitimate, nearly impossible when attackers intentionally add depth, indirection, and rapid domain rotation.
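The graph view of chain-of-load, as an added example (not Source Defense’s code): given observed loader-to-loaded pairs, it walks every load path from the checkout page and flags paths that are deeper than a threshold or that touch a host outside the reviewed set. The hostnames, container IDs and allowlist are constructed placeholders.

```javascript
// Added example (not Source Defense's code): treat script loading as a graph and
// audit every path from the page for excessive depth or hosts outside the
// reviewed set. Edges come from whatever telemetry records which script loaded
// which (for example a page-side hook on script insertion).
const ALLOWED_HOSTS = new Set([
  'shop.example',                   // first party (placeholder)
  'www.googletagmanager.com',
  'cdn.trusted-analytics.example',  // reviewed vendor (placeholder)
]);
const hostOf = (url) => new URL(url).hostname;

// Returns one finding per leaf path that is deeper than maxDepth or touches an
// unreviewed host: { path, depth, unapproved }.
function auditLoadChains(edges, root, maxDepth = 2) {
  const children = new Map();
  for (const [from, to] of edges) {
    if (!children.has(from)) children.set(from, []);
    children.get(from).push(to);
  }
  const findings = [];
  const walk = (node, path, seen) => {
    const kids = (children.get(node) || []).filter(k => !seen.has(k)); // no cycles
    if (kids.length === 0) {
      const unapproved = [...new Set(path.map(hostOf).filter(h => !ALLOWED_HOSTS.has(h)))];
      const depth = path.length - 1;
      if (depth > maxDepth || unapproved.length) findings.push({ path, depth, unapproved });
      return;
    }
    for (const kid of kids) walk(kid, [...path, kid], new Set([...seen, kid]));
  };
  walk(root, [root], new Set([root]));
  return findings;
}

// Constructed sample: checkout loads GTM, one container calls a second container,
// and that one pulls the final payload from a host nobody reviewed. Container IDs
// and hostnames are placeholders.
const GTM = 'https://www.googletagmanager.com/gtm.js?id=';
const SAMPLE_EDGES = [
  ['https://shop.example/checkout', GTM + 'GTM-PLACEHOLDER1'],
  [GTM + 'GTM-PLACEHOLDER1', GTM + 'GTM-PLACEHOLDER2'],
  [GTM + 'GTM-PLACEHOLDER2', 'https://static.unreviewed-cdn.example/loader.js'],
  ['https://shop.example/checkout', 'https://cdn.trusted-analytics.example/a.js'],
];
```

Note that the chain is flagged twice over: it is one hop deeper than the threshold, and its leaf sits on an unreviewed host, so either rule alone would have caught it.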

Trend 3: Stealth comes from timing, triggers, and “invisible” collection

Stealthy skimming isn’t always about fancy malware. Often it’s about when the skimmer activates and how it moves data.

Source Defense saw multiple patterns that security teams routinely overlook:

  • Event-based triggers: skimmers activated by innocuous browser events like image onerror or SVG onload. 
  • Staging data in localStorage: collecting input, then exfiltrating only after the user leaves the page. 
  • Encrypted, chunked exfiltration: using AES encryption and hiding data in places defenders don’t normally parse (like image filename parameters). 

And critically: cookie-based CSP bypass techniques—where payment data is stored in a cookie and only transmitted on a subsequent page navigation, so the payment page’s CSP never sees the outbound request.

This is the practical reason “set a CSP and call it done” fails in real-world skimming defense.
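A page-side check for the localStorage and cookie staging described above, as an added example (not Source Defense’s code): it snapshots storage values, looks for Luhn-valid card-number runs both raw and after a base64 decode attempt, and reports masked findings. The sample storage keys and the test PAN are constructed.

```javascript
// Added example (not Source Defense's code): find card numbers a skimmer may have
// staged in localStorage or cookies for later exfiltration. Node-runnable; in a
// page, snapshot storage and document.cookie on 'pagehide' and scan the snapshot.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}
// Luhn-valid 13-19 digit runs (spaces/dashes allowed), checked raw and after a base64 decode attempt.
function findPanLike(value) {
  const texts = [value];
  try { texts.push(atob(value)); } catch (_) { /* not base64 */ }
  const found = new Set();
  for (const t of texts) {
    for (const m of t.matchAll(/(?:\d[ -]?){13,19}/g)) {
      const digits = m[0].replace(/[ -]/g, '');
      if (luhnValid(digits)) found.add(digits);
    }
  }
  return [...found];
}
// Parse a document.cookie string ("k=v; k2=v2") without mangling base64 '=' padding.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}
// entries: {key: value} snapshot; findings are masked so the scanner itself never leaks a PAN.
function scanStagedPayment(entries) {
  const hits = [];
  for (const [key, value] of Object.entries(entries)) {
    const pans = findPanLike(String(value));
    if (pans.length) hits.push({ key, masked: pans.map(p => p.slice(0, 6) + '******' + p.slice(-4)) });
  }
  return hits;
}
// Constructed sample: two harmless keys and one staged blob under an innocuous name.
// 4111111111111111 is a well-known test PAN, not a real card.
const SAMPLE_STORAGE = {
  cart_id: '9f3c-2025-000123',
  _ga: 'GA1.2.1234567890.1700000000',
  __cfg: btoa(JSON.stringify({ cc: '4111 1111 1111 1111', exp: '12/27' })),
};
```

Because the cookie variant only transmits on the next navigation, the same scan over `parseCookies(document.cookie)` at `pagehide` on the payment page catches the staged value before the request the CSP never sees.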

Trend 4: WebSockets and dynamic delivery reduce forensic footprints

One of the most consequential technical evolutions is the use of WebSockets for bidirectional, real-time code delivery. Source Defense documented WebSocket-based attacks in which malicious JavaScript is delivered dynamically – sometimes “never touching disk” – with multi-domain fallback.

This aligns with broader industry reporting showing campaigns using heavy obfuscation and dynamic decoding to evade detection and delay investigation. 
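A behavioral hook for the WebSocket delivery channel described above, as an added example (not Source Defense’s code): it wraps the page’s WebSocket constructor so every socket opened on a payment page is logged and any socket to an origin outside an allowlist is refused and reported with the caller’s stack. It takes the global object as a parameter so it can run in Node against a constructed stub; in a browser you would pass `window`, and the allowlisted origin is a placeholder.

```javascript
// Added example (not Source Defense's code): wrap the page's WebSocket constructor
// so every socket opened on a payment page is logged, and sockets to origins outside
// an allowlist are refused and reported. The global object is a parameter so the
// same code runs in Node against a stub; in a browser pass `window`.
function installWebSocketMonitor(globalObj, allowedOrigins, report) {
  const Native = globalObj.WebSocket;
  if (typeof Native !== 'function') return null;   // nothing to wrap
  const log = [];
  function MonitoredWebSocket(url, protocols) {
    const target = String(url);
    const origin = new URL(target, 'wss://invalid.example').origin;
    const allowed = allowedOrigins.has(origin);
    log.push({ url: target, origin, allowed, at: Date.now() });
    if (!allowed) {
      // The stack tells responders which script tried to open the channel.
      report({ url: target, origin, stack: new Error().stack });
      throw new Error('WebSocket to ' + origin + ' refused by page policy');
    }
    return new Native(url, protocols);
  }
  MonitoredWebSocket.prototype = Native.prototype;   // instanceof keeps working
  for (const k of ['CONNECTING', 'OPEN', 'CLOSING', 'CLOSED']) MonitoredWebSocket[k] = Native[k];
  globalObj.WebSocket = MonitoredWebSocket;
  return { log, restore: () => { globalObj.WebSocket = Native; } };
}

// Constructed stand-in for a browser: a fake window carrying a stub WebSocket.
class StubWebSocket { constructor(url) { this.url = String(url); } }
StubWebSocket.OPEN = 1;
const fakeWindow = { WebSocket: StubWebSocket };
const reports = [];
const monitor = installWebSocketMonitor(fakeWindow, new Set(['wss://ws.shop.example']), r => reports.push(r));

// One permitted socket and one to an unlisted origin (placeholder hostname).
function demo() {
  const ok = new fakeWindow.WebSocket('wss://ws.shop.example/updates');
  let refused = false;
  try { new fakeWindow.WebSocket('wss://unlisted-placeholder.example/s'); } catch (e) { refused = true; }
  return { okIsNative: ok instanceof StubWebSocket, refused, reported: reports.length, seen: monitor.log.length };
}
```

Install the hook before any third-party tag executes; it only observes constructors reached through the global it wrapped, which is why it belongs in first-party code at the top of the page.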

Trend 5: Industrialization—modular “platforms,” not one-off scripts

The 52-script modular campaign described by Source Defense wasn’t just bigger; it was structured like a product:

  • A consistent loader signature (variable name jsbc) used across deployments 
  • PSP-specific modules and multi-language localization 
  • Anti-forensics and test-card deception designed to waste responders’ time 

This is what happens when attackers find a repeatable path to profit: they build operational playbooks, automation, and scale.

What defenders should take away

If you want a simple summary of “what changed,” it’s this: trust is the new vulnerability. Modern skimmers don’t need to break your perimeter. They ride your supply chain, hide behind your approved tools, and wait for the right moment to siphon data. That’s why the winning defensive approach is increasingly behavioral: focus less on where a script came from and more on what it’s doing in the browser – especially around sensitive inputs, credentials, and payment data.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.
