Boost Your E-commerce Security Against Eskimming Attacks

With ecommerce attacks on the rise, it's crucial for businesses to learn how to strengthen their ecommerce security.

Jen Stone
Cybersecurity
Data Breaches
Scoping
Security Tools
PCI

Several years ago the SecurityMetrics Forensics Team started getting an increased number of merchants that were experiencing e-commerce skimming. In one particular case, a merchant was bleeding tons of card data despite having strong security in place. SecurityMetrics forensics ran antivirus scans, checked for malware, ensured their input fields were sanitized, and analyzed their code line by line, but none of these industry-standard efforts showed anything wrong in the merchant’s servers or databases.

At this point, SecurityMetrics Forensic Analyst Aaron Willis (QSA, CISSP, PFI) ran a simulated purchase through the company and found a piece of malicious code attached to a compromised third party. This code was only triggered when a customer filled in the CVV field.

This breach occurred within a company that did everything right—they had layered security and there weren’t any issues with their code. In this case, the third party (i.e., an analysis company that tracked data about shopping carts) had been compromised.

What is e-commerce skimming?

Skimming refers to stealing information at the point of sale, whether that is through an online purchase or a physical card reader. The concept of skimming has been around for decades. In its earliest stages, attackers would overlay a card reader on a card swipe machine. When you swiped your card, the rogue card reader would capture the magnetic data and send it where it could be used by malicious actors.

While this still happens, the majority of skimming has evolved to attacking online sales, hence the newer term “e-commerce skimming.” Other names for e-commerce skimming include formjacking, redirects, key logging, Magecart attacks, and JavaScript skimming.

Skimming isn’t limited to the point of sale. Attackers have adapted this concept to skim all kinds of sensitive data, such as healthcare data, names, phone numbers, addresses, and social security numbers.

Any time you type something into a field on a website, skimming techniques can be applied to take your personal information. Online banking and medical record applications are other examples of high-value targets susceptible to skimming.

Why is eskimming becoming a popular attack technique?

People increasingly use the internet for purchasing, banking, selling, socializing, and more, especially since COVID-19. This shift from brick-and-mortar environments to the internet resulted in more online transactions and easier access to data, which makes the internet an even larger target for online criminals.

Skimming is costly. Even for smaller businesses, a breach costs $200,000 on average. Once you have experienced a security breach, the likelihood that it will happen again significantly increases.

Can you detect eskimming?

Skimming is extremely difficult to detect. In some cases, eskimming can go unnoticed for years. There is a lot of code on a page to evaluate for compromises. Additionally, eskimming has a much broader attack surface because pages load third-party scripts such as business analytics and advertising networks, giving threat actors more places to attack. Threat actors run reconnaissance scripts, bot traffic, and other strategies to skim information.

Because online criminal activity is automated, the number of attacks is greater. If you shut down one attack, there are more right behind it. About 4000 websites a day are getting hit with skimming attacks.

How does eskimming work?

It depends on how the attackers are operating.

If they have a connection to the merchant’s webserver and the merchant’s credentials have been compromised, attackers can put programming code directly on the webpage itself. This way, attackers can capture that data as it is entered by a customer. If they have access to the database server, they can access data stored in databases and insert malicious code to steal information at various points of the transaction process.

Attackers may remove file integrity monitoring from a checkout page so they can modify code undetected. We have seen skimming code stored in dropdown lists that populate state or country drop-down boxes. Skimming can also occur through a compromised third-party script library.

Eskimming is especially tricky to detect because nothing appears to be wrong: everything looks and functions as expected. Skimming steals information without disrupting the regular flow of business.

Why is scoping important to e-commerce security and skimming prevention?

One of the ways to combat eskimming is to ensure that your scope is correct. Correct scoping ultimately helps you be aware of all aspects of your network. When you are conscious of the details of your network, you can take appropriate steps to protect it. This will also benefit you if you do get hit with skimming because you will be able to evaluate your whole network and won’t forget about aspects of your network that attackers may be likely to use to skim data.

Your PCI scope involves anything in your business that processes, stores, or transmits cardholder data, and anything that can initiate a connection to any of the systems that handle cardholder data.

Put simply, any device, process, or employee that involves credit card data is in your PCI scope, which means you are responsible for making sure that card data is properly secured.

Some common devices included in PCI scope can be:

  • POS systems
  • Servers
  • Computers
  • QA systems
  • Databases
  • Software
  • Phones

You’d be surprised how much credit card data your business is unknowingly storing, and in some of the most random places.

SEE ALSO: Finding and Reducing PCI Scope: How to Make Compliance Easier

Here are some additional ways to scope your business:

  • Make a card flow diagram: This helps you keep track of and identify where your card data flows in and out of your environment, and what systems are affected by the flow of data.
  • Create and maintain policies: Have policies in place for handling card data, securely transmitting data, and keeping the CDE separate from the rest of your business. Defined policies and procedures will give employees direction on how to maintain a compliant environment throughout the year.
  • Re-scope your environment annually: Perform and document a scoping exercise annually. Changes to the environment or the threat landscape during the year may affect the scope of the environment. This process should be conducted at least annually to ensure all systems that can affect the security of cardholder data are addressed appropriately.
  • Remember the people: While this post focuses on what systems should be included in your PCI scope, remember that the CDE consists of systems, processes, and people. Determine who is involved in receiving and processing cardholder data, and who is involved in securing the technology in the CDE.

SEE ALSO: PCI Scope Categories: Keep Your Card Data Separate

What tools can I use to detect eskimming?

To detect eskimming, SecurityMetrics developed web integrity monitoring. Shopping Cart Monitor uses web integrity monitoring to detect eskimming at the point of sale. This technology has the ability to detect malicious activity even on third-party websites that are connected to your shopping cart, which is a feature other security tools

Do other tools detect eskimming?

Each security tool has a specific purpose in cybersecurity, which is why a layered security approach is more successful.

  • FIM (file integrity monitoring) is a vital tool that notifies you when the environment in your shopping cart has changed. The downside is that it requires regular tuning to offer actionable information, or the alerts become so noisy they are ignored. We often see that FIM is working and alerting, but no one is paying attention to the alerts.
    Attackers know that FIM notifies vendors when the shopping cart environment changes so they avoid attacking areas protected by this technology. Instead, they move to areas that FIM can’t protect, such as databases. Since databases are constantly changing, FIM is ineffective at protecting that environment. Hackers will also move to third-party scripts that aren't under the control of the FIM tool.
  • Vulnerability scans are another valuable tool available to vendors. However, vulnerability scans do not have the ability to view changes to the shopping cart page that occur during the checkout process.
    Attackers take advantage of where consumers enter data. For example, a hacker may hide dormant script or malware in the CVV field that activates when a customer fills in payment information. Accessing the field triggers the malicious script, which grabs the customer’s data and then goes dormant again until the next customer comes along.
  • Antivirus is a popular choice for security, but it has limitations. If it can’t see issues, it can’t detect them. It can protect the consumer if it is running on their personal computer while they are shopping online because it may recognize known bad sites. But the merchant won’t get an alert that their site is compromised and the customer might disregard antivirus alerts if they still want the product they are buying.
  • Client-Side Certificates are good at protecting the connection between the merchant’s servers and the customer’s computer. But if the attacker has already compromised the site or database, it's like locking your doors when the attacker is already in your house. Client-side certificates are a great security layer, but they do not directly combat skimming.

The right tool for the job

Shopping Cart Monitor is preventative software that continuously monitors websites for any suspicious activity within the shopping cart or point of payment and alerts you if it detects an issue. Shopping Cart Monitor catches threats from compromised third parties by finding malware as it operates in real time in the customer’s browser. And, unique to this type of technology, Shopping Cart Monitor does not need to be downloaded.

Aaron Willis, Forensic Analyst (QSA, CISSP, PFI), explains, “Attackers are as innovative a breed of criminal as they come. Shopping Cart Monitor is important because it helps us continually stay in front of those attackers. It helps us keep your website from becoming the lowest hanging fruit on the tree. By running Monitor, you’re going to stay ahead of attackers . . . if you’re running Monitor, you’re protected.”
