FAKE ANALYTICS THAT STEAL MORE THAN YOUR CREDIT CARD

Attackers discovered a clever way to turn a trusted e-commerce script into an identity theft engine, quietly harvesting far more than just credit card details.

By sitting inside a normal first-party theme file and watching every step of the checkout journey, the skimmer builds a complete profile on each shopper—name, email, phone, physical address, and payment details—creating a “full identity pack” that can be reused for years in fraud, account takeover, and targeted phishing. 

Instead of the classic keylogger-style approach, the code continuously scans what’s on the page and then sends the information out in a way that looks a lot like legitimate analytics traffic. 

Because it lives in core site logic and avoids obvious hooks into form fields, it can bypass traditional security tools that focus on servers, firewalls, or basic script inventories while quietly enabling long-term identity abuse.

Attack details

The skimmer is embedded directly into a minified first-party JavaScript file in a theme path like catalog/view/theme/bigshop/js/common.min.js. This structure is commonly seen on sites built with OpenCart, an open-source e-commerce platform that many online stores use to run their storefront and checkout experience. In this case, attackers simply chose a standard theme file as a hiding place, so the malicious code looks like part of normal site functionality rather than something separate or suspicious.

The malicious logic is heavily obfuscated and stays dormant until it detects high-value contexts such as checkout or account-related pages. Once active, it uses a timer function (setInterval) to poll the page every few hundred milliseconds, reading the current value of every input, select, and textarea element instead of attaching traditional event listeners that stand out during audits. 

This “scrape-all” approach means it automatically collects whatever the shopper enters—first and last name, email, telephone, address fields, login information if present, as well as card number, expiry date, and security code—making the skimmer reusable across thousands of different checkout layouts without customization. 

For exfiltration, the script creates new image objects in the browser and appends the stolen data as encoded parameters on requests to an attacker-controlled domain like wireframe.nday[.]net, sometimes sending tiny chunks that resemble behavioral analytics pixels and sometimes sending a larger, consolidated payload with all details. 

This mix of high-volume small requests and occasional larger messages lets the attacker both “hide in the noise” of normal analytics and carry out complete identity theft in a single session.
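As an added example, not code from this post or from Source Defense's product, the Node.js snippet below works the defender's side of the pattern just described: it takes image-beacon URLs captured from a checkout page and reports the behaviours worth alerting on (a destination outside an allowlist, PCI or PII content in plain or base64-encoded parameters, and small chunk versus consolidated payload). The allowlist, hostnames, sample payload and 512-byte threshold are assumptions constructed for illustration.

```javascript
// Added example, not Source Defense's product code. Classifies image-beacon
// URLs captured from a checkout page the way a client-side behaviour monitor
// might. The allowlist, hostnames and 512-byte size threshold are assumptions.

const ALLOWED_HOSTS = new Set(['shop.example', 'stats.shop.example']);
const CHUNK_LIMIT = 512; // above this, treat the beacon as a consolidated payload

// Luhn check keeps a 16-digit order id from being reported as a card number.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Skimmers commonly base64-encode the scraped fields; return the plaintext if
// the value decodes to printable ASCII, otherwise null.
function base64Plain(v) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(v) || v.length % 4 !== 0) return null;
  const plain = Buffer.from(v, 'base64').toString('utf8');
  return /^[\x20-\x7e]+$/.test(plain) ? plain : null;
}

// Returns the behaviours a defender would alert on for a single beacon URL.
function classifyBeacon(url, allowedHosts = ALLOWED_HOSTS) {
  const u = new URL(url);
  const findings = new Set();
  if (!allowedHosts.has(u.hostname)) findings.add('external-domain');
  for (const [key, raw] of u.searchParams) {
    // A bare ?cvv=123 style parameter is a giveaway on its own.
    if (/^(cvv2?|cvc|csc)$/i.test(key) && /^\d{3,4}$/.test(raw)) findings.add('pci:cvv');
    for (const text of [raw, base64Plain(raw)].filter(Boolean)) {
      if (/[\w.+-]+@[\w-]+\.[\w.-]+/.test(text)) findings.add('pii:email');
      if (/(^|[&;,|\s])(cvv2?|cvc|csc)=?\d{3,4}\b/i.test(text)) findings.add('pci:cvv');
      for (const m of text.match(/\d(?:[ -]?\d){12,18}/g) || []) {
        if (luhnValid(m.replace(/\D/g, ''))) findings.add('pci:pan');
      }
    }
  }
  findings.add(url.length > CHUNK_LIMIT ? 'payload:consolidated' : 'payload:chunk');
  return [...findings];
}
```

Feeding every beacon seen on the checkout page through classifyBeacon and grouping the results by hostname separates a legitimate analytics pixel (allowlisted host, no PCI/PII findings) from a skimmer that alternates small chunks and an occasional consolidated payload to an unknown domain.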

How Source Defense protects you

Source Defense is built to detect exactly this kind of silent, client-side skimmer by focusing on what scripts actually do in the browser rather than where they live or how they are labeled. 

In a case like this, Source Defense continuously monitors the behavior of the first-party theme file on sensitive journeys, identifying that it is repeatedly accessing fields that contain PCI data (such as card numbers and CVVs), PII (such as names, emails, phone numbers, and addresses), and even credentials or account-related information when present. 

It also tracks the use of risky browser functions like setInterval that continuously scrape form values, and it observes attempts to transfer that data to external domains, especially when the destination is blacklisted, as it was in this case after the Source Defense research team flagged it.

By alerting upon these behaviors, Source Defense gives security teams clear visibility into which script is performing identity-level data collection and exfiltration, on which pages, and in what patterns, so they can rapidly isolate the compromised file, clean it up, and harden their client-side security posture against similar attacks.

How you’d be alerted

For this attack, Source Defense would generate multiple, behavior-based alerts tied directly to what the skimmer is doing in the browser. 

Security teams would see alerts indicating that a script is:

  • Sending data to a blacklisted domain
  • Accessing sensitive payment and personal information fields associated with PCI and PII
  • Executing risky actions such as continuous timer-based functions like setInterval

These alerts appear in the bell notification center for quick attention, roll up into dashboard summaries that highlight unusual script activity, and are reflected in widgets such as “Found in blacklists” and “Script behaviors,” where teams can drill down into exactly which script is touching which data and where that data is going. 

When email or webhook integrations are enabled, the same alerts can be forwarded to SIEM, SOAR, or ticketing systems, ensuring that even a skimmer hiding inside a trusted analytics-like pattern still generates a clear, actionable signal across the broader security stack.

Key takeaways

This attack underscores why client-side, behavior-based visibility is essential: a skimmer hidden inside a trusted first-party theme file, silently scraping every form field and exfiltrating data in analytics-style requests, can enable full identity theft and account takeover while remaining invisible to CSP rules, SRI checks, WAFs, and server-side logs that never see what happens inside the browser. 

Source Defense focuses on monitoring script behavior directly on sensitive pages—what identity, payment, and credential data scripts access, how they use browser capabilities like timers and storage, and where they try to send that information—so security teams can quickly surface suspicious activity, understand its impact, and respond before “complete profiles” of their customers are built and sold. 

By continuously watching these behaviors across checkout and account flows and tying them to clear alerts and rich context, Source Defense helps organizations strengthen PCI DSS 4.0.1-aligned JavaScript monitoring, counter advanced eSkimming and Magecart-style campaigns that go beyond simple card theft, and give customers confidence that the last mile in the browser is no longer a blind spot for identity-focused attacks.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
