2025 ESKIMMING LANDSCAPE REPORT – A YEAR OF SOPHISTICATED EVOLUTION IN CARD DATA THEFT
Over the past year, our weekly updates have tracked a steady and troubling evolution in eSkimming tactics. This week’s newsletter is a special edition: instead of our usual campaign spotlight, we’re releasing our first annual eSkimming Landscape Report.
The good news is that throughout the year, you’ve been kept up to speed with many of the discoveries and have been protected by your Source Defense deployment. The not-so-good news is that, on the whole, our findings indicate that adversaries are growing more sophisticated, are adapting in an attempt to bypass PCI DSS 4.0.1 controls, and are evolving their techniques in a way that parallels those of APT-type actors.
A quick snapshot of what you’ll find in the report:
- A late-year, globally coordinated operation built on 52 distinct malicious scripts, spanning 12 primary domains and 10+ languages. We anticipate early-year breach disclosures.
- 92+ distinct campaigns discovered, targeting tens of thousands of ecommerce sites. It is impossible to quantify how many more went undetected.
- An alarming evolution of tradecraft: campaigns designed to evade controls in PCI DSS 4.0.1, attack scope extending far beyond payment pages, and new techniques for iframe bypass.
For clients who have yet to upgrade to full-site protection, this should be of particular note.
Adversaries are increasingly emboldened, taking advantage of the fact that a majority of merchants still have not addressed eSkimming controls. We also see heavy abuse of trusted services like Google Tag Manager, BunnyCDN, Vercel, CodePen, and Discord. New techniques are rising rapidly: double-entry attacks, silent skimming, and newer tactics like payment method injection that can create attack surfaces where none previously existed.
Across all of these emerging attacks, one theme is consistent: attackers are abusing legitimate client-side code and third-party services to quietly harvest payment, credential, and personal data in the browser before it ever reaches your server.
Source Defense closes this gap with behavior-based client-side security that continuously monitors and controls every script on your pages, isolating third-party code, blocking unauthorized access to PCI and PII data, and preventing data exfiltration in real time. Our platform extends protection directly to the point of input, helps you meet PCI DSS 4.0.1 requirements for script inventory and change detection, and gives security and compliance teams clear, actionable visibility into risky script behavior, so you can stay ahead of the next wave of eSkimming and digital skimming attacks without adding operational overhead.
As always, we provide this report in an effort to keep you informed of threat activity targeting organizations such as yours. You should take solace in the fact that you are protected by your Source Defense deployment, but if you have yet to discuss site-wide protection, this should serve as a moment to pause and consider a discussion with our team. You can download the full report by clicking HERE.