Source Defense Research Blog | April 23, 2025

A Familiar Threat Resurfaces in the UK

Our Source Defense Research team has uncovered an active Magecart-style eSkimming attack targeting a major UK-based online homeware retailer, along with a number of other sites. This campaign uses the same technique we observed earlier this year on another UK site, and which was publicly documented in February by another company in our field, JScrambler, following an incident on Casio UK. The reappearance of this sophisticated threat underscores its persistence and the urgent need for defenses beyond what current standards require. It also illustrates a fact that multiple experts in this field, including leading PCI Forensic Investigators, have been warning about for some time: adversaries do not confine their attacks to payment pages or embedded iframes; they target the website as a whole. Critically, one of the affected sites had controls in place to protect its payment page, so the adversaries moved their attack upstream.

Anatomy of the Attack

This latest campaign is a textbook double-entry attack: a stealthy and highly convincing form of client-side compromise that unfolds in two stages:

  1. Initial Hook on Cart Pages: On product and cart pages, where users add items to their cart, the malicious JavaScript loads in the background and silently monitors user actions.
  2. Fake Checkout Flow on Trigger: When the customer clicks the “Checkout” button, instead of being routed to the legitimate payment process, the script diverts them to a counterfeit payment form. This fake form is crafted to mimic the retailer’s real checkout experience, making it nearly indistinguishable to the average user.

From there, any card details entered are captured, encrypted, and transmitted to a remote server controlled by the attackers. Once the data has been siphoned off, the script sends the user on to the real checkout page, where they enter their card details a second time (hence “double entry”). The genuine transaction then completes normally, so neither the customer nor the merchant sees anything go wrong, and the legitimate payment page itself is never modified.

Why PCI DSS 4.0.1 Falls Short
(A.K.A. – Why the Industry as a Whole Warned LOUDLY against Recent Changes to SAQ-A)  

This attack provides a textbook example of why PCI DSS 4.0.1 remains insufficient in countering sophisticated client-side threats. While we are engaged with the community, and supportive of the effort and focus on this major area of fraud, the standard falls short in the face of adversarial tradecraft. This is precisely why we warned against the changes to SAQ-A, which put undue emphasis on securing iframes, and why we, along with one of the most respected QSACs in the industry (CoalFire), emphasized the need for site-wide protection in this whitepaper.

The requirements under PCI DSS 4.0.1 primarily emphasize protection around the payment page, but in far too many cases, adversaries launch their attacks before the user reaches that endpoint.

The threat actor never touches the legitimate payment page—instead, they insert themselves earlier in the process, where traditional detection and compliance frameworks offer little to no visibility or control. As such, organizations that rely solely on PCI DSS adherence risk being blindsided by attacks like these.

How Source Defense Clients Are Protected

In our consultations with clients, we strongly emphasize the need for site-wide protection. When deployed across the full site, at nominal additional cost compared with protecting only the payment page, Source Defense clients are shielded from this type of attack by our patented eSkimming security technology. Deployed site-wide rather than on payment pages alone, our platform protects the entire customer journey through several key mechanisms:

  1. Full Journey Protection: Our solution doesn’t just safeguard the payment page—it monitors and controls script behavior across all pages, including product and cart pages where this specific attack begins.
  2. Real-Time Behavioral Analysis: Our technology continuously analyzes script behavior in real-time, detecting suspicious activities such as unauthorized form creation, event hijacking, and DOM manipulation that are hallmarks of double-entry attacks.
  3. Automated Prevention: Beyond mere detection, our platform actively prevents malicious scripts from executing their intended actions. When a double-entry attack attempts to hijack the checkout process, Source Defense immediately blocks the script from creating fake payment forms or redirecting user flow.
  4. Script Isolation: Through our proprietary sandboxing technology, all third-party scripts (including potentially malicious ones) are isolated from sensitive page elements and user inputs, preventing them from accessing form data even if they attempt to bypass other controls.

This comprehensive approach ensures that even if attackers evolve their techniques beyond what compliance frameworks anticipate, Source Defense clients maintain robust protection against emerging threats.

Real-Time Detection Is Essential

While the attacker’s strategy is deviously elegant, Source Defense successfully identified the malicious script behavior in real-time. By continuously monitoring for unauthorized script behavior and DOM manipulations, we are able to block this type of attack before any sensitive data is compromised.

The incident reinforces the necessity of runtime client-side protection—a defensive layer that understands how scripts behave and can intervene when they deviate from normal workflows, even in subtle ways.

Closing the Gap in Payment Security

This incident comes at a critical time, as merchants react to recent last-minute changes, struggle to understand exactly what to do, and rush to implement solutions for PCI DSS 4.0.1 compliance. While requirements 6.4.3 (inventory, authorization and integrity assurance for scripts loaded on payment pages) and 11.6.1 (change- and tamper-detection for the HTTP headers and content of payment pages) represent positive steps toward addressing client-side security, they are scoped to the payment page itself rather than the entire customer journey.

The double-entry attack methodology circumvents these controls by:

  • Operating outside the defined “payment page” scope
  • Intercepting the user journey before they reach protected areas
  • Never directly interfering with the legitimate payment flow

For effective protection, merchants need a solution that secures the entire user journey—from product browsing to cart addition to checkout completion.
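To make the scoping argument concrete, here is an added example, not Source Defense code and not a description of any product: a small behavioural detector for the four hallmarks described in “Anatomy of the Attack” and in the behavioural-analysis mechanism above (a non-first-party script taking over the checkout control, a card-collecting form inserted outside the payment page, data leaving for an unapproved origin, and the hand-off to the real checkout). It is run over two constructed telemetry streams, once with site-wide scope and once limited to the payment page, to show that a monitor scoped the way 6.4.3 and 11.6.1 are scoped never sees the cart-page activity where this attack happens. The event shapes, paths, hostnames, script URLs, field names, rules and thresholds are all hypothetical.

```javascript
// Added example (not Source Defense's or any vendor's code): a behavioural
// detector for the double-entry pattern, run over constructed client-side
// telemetry. Event shapes, paths, hosts, script URLs, field names, rules and
// thresholds are hypothetical and illustrative only.

const PAYMENT_FIELD_RE = /card|pan\b|cvv|cvc|expir/i;

// What the monitor knows about the site (hypothetical values).
const SITE_POLICY = {
  paymentPaths: ["/checkout/payment"],                               // the pages 6.4.3 / 11.6.1 would scope
  firstPartyScripts: ["https://shop.example/js/app.js"],             // scripts allowed to own the checkout flow
  allowedDataSinks: ["https://shop.example", "https://psp.example"], // origins card data may legitimately go to
};

// A monitor scoped only to the payment page never sees cart-page events.
function inScope(page, scope, policy) {
  return scope === "site-wide" || policy.paymentPaths.includes(page);
}

// Returns { verdict, findings } for an ordered stream of telemetry events.
function detectDoubleEntry(events, scope = "site-wide", policy = SITE_POLICY) {
  const findings = [];
  let suspectForm = null; // set once a card-collecting form appears outside the payment page

  for (const ev of events) {
    if (!inScope(ev.page, scope, policy)) continue;

    switch (ev.type) {
      case "listener_added": {
        // Hallmark 1: a script that is not first-party takes over the checkout control.
        if (ev.event === "click" && /checkout/i.test(ev.target) &&
            !policy.firstPartyScripts.includes(ev.script)) {
          findings.push({ rule: "checkout-click-hijack", page: ev.page, script: ev.script });
        }
        break;
      }
      case "form_inserted": {
        // Hallmark 2: a form collecting card data on a page that is not the payment page.
        const cardFields = ev.fields.filter((f) => PAYMENT_FIELD_RE.test(f));
        if (cardFields.length >= 2 && !policy.paymentPaths.includes(ev.page)) {
          suspectForm = ev;
          findings.push({ rule: "payment-form-outside-payment-page", page: ev.page,
                          fields: cardFields, script: ev.script });
        }
        break;
      }
      case "network_send": {
        // Hallmark 3: after the fake form appears, data leaves for an origin not approved for card data.
        const origin = new URL(ev.url).origin;
        if (suspectForm && !policy.allowedDataSinks.includes(origin)) {
          findings.push({ rule: "exfil-to-unapproved-origin", page: ev.page, origin });
        }
        break;
      }
      case "navigate": {
        // Hallmark 4: the victim is handed to the real checkout and types the card a second time.
        if (suspectForm && policy.paymentPaths.includes(ev.to)) {
          findings.push({ rule: "hand-off-to-real-checkout", from: ev.page, to: ev.to });
        }
        break;
      }
      default:
        break;
    }
  }

  const rules = new Set(findings.map((f) => f.rule));
  const verdict =
    rules.has("payment-form-outside-payment-page") && rules.size >= 2 ? "double-entry"
    : findings.length ? "suspicious"
    : "clean";
  return { verdict, findings };
}

// Constructed telemetry modelling the campaign described above (hypothetical hosts and paths).
const ATTACK_STREAM = [
  { type: "listener_added", page: "/cart", script: "https://cdn-assets.example/analytics.js", target: "#checkout-btn", event: "click" },
  { type: "form_inserted",  page: "/cart", script: "https://cdn-assets.example/analytics.js", fields: ["cardNumber", "cardExpiry", "cvv", "name"] },
  { type: "network_send",   page: "/cart", url: "https://cdn-assets.example/collect?s=1" },
  { type: "navigate",       page: "/cart", to: "/checkout/payment" },
];

// Constructed benign checkout: the first-party script builds the real form and posts to the PSP.
const BENIGN_STREAM = [
  { type: "listener_added", page: "/cart", script: "https://shop.example/js/app.js", target: "#checkout-btn", event: "click" },
  { type: "navigate",       page: "/cart", to: "/checkout/payment" },
  { type: "form_inserted",  page: "/checkout/payment", script: "https://shop.example/js/app.js", fields: ["cardNumber", "cardExpiry", "cvv"] },
  { type: "network_send",   page: "/checkout/payment", url: "https://psp.example/v1/tokens" },
];

function demo() {
  return {
    siteWide:        detectDoubleEntry(ATTACK_STREAM, "site-wide").verdict,    // "double-entry"
    paymentPageOnly: detectDoubleEntry(ATTACK_STREAM, "payment-page").verdict, // "clean": the monitor never saw /cart
    benign:          detectDoubleEntry(BENIGN_STREAM, "site-wide").verdict,    // "clean"
  };
}

console.log(demo());
```

The same attack stream yields a “double-entry” verdict under site-wide scope and “clean” when the monitor only watches the payment page, which is exactly the blind spot the three bullets above describe. In a real deployment the telemetry would come from instrumenting DOM mutation, event-listener registration and outbound requests in the browser; the detection rules are the part that transfers.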

Conclusion

This renewed campaign demonstrates that attackers are refining and reusing successful skimming techniques. They are reacting to the new focus on eSkimming security by turning the payment-page scope of PCI DSS 4.0.1 to their advantage: “Ah, they’re securing the payment page? Let’s go upstream on the sites we attack!” The web threat landscape is evolving faster than compliance frameworks can adapt, and businesses must take proactive measures to protect their customer data.


Source Defense is the pioneer in client-side security, providing real-time protection against threats like eSkimming, Magecart, formjacking, and digital skimming. Our patented technology meets and exceeds PCI DSS 4.0.1 requirements while securing the entire customer journey. Contact us today for a free risk assessment of your website.
