
Higher education institutions face unique cybersecurity challenges due to their diverse digital services, from academic systems to healthcare and retail-like operations on campus. One pressing threat is e-skimming, also known as web skimming, digital skimming, or Magecart attacks, where malicious code is injected into a website to steal sensitive information in real time.
The Extensive Digital Footprint of Universities
Campus environments function like small cities with numerous digital touchpoints handling sensitive data, including:
- Campus hospitals and insurance portals: Managing patient records and online payments
- Tuition payment systems: Processing student and parent financial transactions
- Campus bookstores and e-commerce sites: Handling credit card purchases
- Dining and meal plan platforms: Allowing students to add funds online
- Events ticketing: Processing payments for sports and entertainment
- Donation systems: Capturing contributions from benefactors
Each service represents a potential attack surface for data theft at the point of entry.
Recent Attacks on Educational Institutions
The education sector has already experienced significant e-skimming attacks. A prominent example was the “Mirrorthief” campaign from 2019, which targeted hundreds of campus stores across the United States and Canada. In this attack, a cybercrime group breached a third-party e-commerce platform called PrismWeb, used by many college bookstores, and injected a malicious skimming script into the checkout pages. Consequently, 201 online campus stores serving 176 U.S. and 21 Canadian colleges were all loading the same credit card skimmer on their payment page.
In 2020, a large university disclosed that its online shop had been compromised by an e-skimmer for over nine months. During that time, attackers had planted malicious code on the site, which silently collected names, addresses, and credit card numbers from approximately 2,600 customers who made purchases.
The Third-Party Service Provider Challenge
Higher education institutions typically work with numerous third-party service providers (TPSPs) to deliver various digital services across campus. A Source Defense analysis of the banking and financial services sector, which faces similar challenges to higher education, reveals that institutions on average have 28 third-party scripts operating across their digital properties, representing a 27% increase since 2022. This rapidly expanding digital supply chain creates significant security vulnerabilities.
This challenge is compounded by:
- Decentralized Procurement: Different departments often independently contract with TPSPs, making centralized oversight difficult.
- Limited Vendor Transparency: Many TPSPs don’t provide adequate documentation about their compliance or security practices.
- Nested Third Parties: Many third-party services incorporate fourth or fifth-party components, creating a complex web of dependencies.
- Evolving Services: TPSPs frequently update their services, potentially introducing new scripts or behaviors without notification.
PCI DSS 4.0: New Requirements for Browser-Side Security
The latest Payment Card Industry Data Security Standard, PCI DSS version 4.0, introduces new requirements explicitly aimed at mitigating e-skimming on payment pages. Higher education institutions that process credit card payments must comply with these requirements, which become mandatory in March 2025.
Two critical new requirements address e-skimming security:
- Requirement 6.4.3 – Payment Page Script Management: Organizations must ensure that “all payment page scripts that are loaded and executed in the consumer’s browser” are properly managed.
- Requirement 11.6.1 – Tamper Detection for Web Pages: Organizations must deploy a change- and tamper-detection mechanism to alert personnel to unauthorized modifications of the payment page content or HTTP headers, as received by the consumer’s browser.
Best Practices for Higher Education Institutions
To protect campus websites from e-skimming attacks, implement a multi-layered approach:
- Develop robust TPSP management: Create a centralized process for vetting, inventorying, and monitoring all third-party service providers.
- Minimize payment page scripts: Reduce the number of scripts running on pages that handle sensitive data.
- Deploy e-skimming security: Implement solutions that monitor and control script behavior in real time.
- Implement continuous page integrity scanning: Regularly scan critical web pages for unauthorized content.
- Enforce secure coding practices: Ensure campus web developers follow security best practices.
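The two PCI DSS 4.0 requirements above map directly onto two checks a campus security team can automate: an authorized-script inventory for the payment page (6.4.3) and a comparison of the page as received by the browser against a known-good baseline (11.6.1). The following Python script is an added example written for this article; it is not CampusGuard or ScriptSafe code and does not describe how any product works. It parses the payment-page HTML, records every external `<script>` by its `src` and `integrity` attribute and every inline script by the SHA-256 of its body, then reports scripts that are not in the inventory, external scripts whose Subresource Integrity value differs from the recorded one, and inline scripts that differ from the baseline. The page HTML, hostnames and integrity values are all constructed for the example.

```python
"""Payment-page script inventory and tamper audit.

Added example, not the page's or CampusGuard's own code. One pass over a
payment page's HTML covers both PCI DSS 4.0 checks discussed in the text:
  * 6.4.3  - every script that loads is in an authorized inventory (with a
             written justification) and carries the integrity value on record;
  * 11.6.1 - the page content received by the browser matches a known-good
             baseline (here: the set of inline-script hashes).
All HTML, URLs and integrity values below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects <script> elements: external ones by src, inline ones by body hash."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per <script> element, in document order
        self._inline = None    # chunks of the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"kind": "external", "src": a["src"],
                                 "integrity": a.get("integrity")})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:   # HTMLParser passes <script> bodies through raw
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).encode("utf-8")
            self.scripts.append({"kind": "inline",
                                 "sha256": hashlib.sha256(body).hexdigest()})
            self._inline = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def inline_baseline(html):
    """Hashes of the inline scripts on a reviewed, known-good copy of the page."""
    return {s["sha256"] for s in collect_scripts(html) if s["kind"] == "inline"}


def audit_payment_page(html, authorized, baseline):
    """Return human-readable findings; an empty list means the page matches."""
    findings = []
    for s in collect_scripts(html):
        if s["kind"] == "external":
            entry = authorized.get(s["src"])
            if entry is None:
                findings.append(f"UNAUTHORIZED script not in inventory: {s['src']}")
            elif not s["integrity"]:
                findings.append(f"MISSING integrity attribute: {s['src']}")
            elif s["integrity"] != entry["integrity"]:
                findings.append(f"INTEGRITY MISMATCH (script content may have changed): {s['src']}")
        elif s["sha256"] not in baseline:
            findings.append(f"CHANGED or new inline script, sha256={s['sha256'][:16]}...")
    return findings


# Constructed inventory (6.4.3): each authorized script, its expected SRI value
# and the business justification for loading it on the payment page.
AUTHORIZED_SCRIPTS = {
    "https://pay.example.edu/static/checkout.js": {
        "integrity": "sha384-CONSTRUCTED-CHECKOUT",
        "justification": "First-party checkout form logic"},
    "https://vendor.example-psp.invalid/tokenize.js": {
        "integrity": "sha384-CONSTRUCTED-TOKENIZE",
        "justification": "Payment processor card tokenization"},
}

# Constructed known-good page, captured after the last authorized change.
KNOWN_GOOD_HTML = """<html><body>
<script src="https://pay.example.edu/static/checkout.js" integrity="sha384-CONSTRUCTED-CHECKOUT"></script>
<script src="https://vendor.example-psp.invalid/tokenize.js" integrity="sha384-CONSTRUCTED-TOKENIZE"></script>
<script>window.campusConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed copy "as received by the browser" with three deviations from baseline.
TAMPERED_HTML = """<html><body>
<script src="https://pay.example.edu/static/checkout.js" integrity="sha384-CONSTRUCTED-CHECKOUT"></script>
<script src="https://vendor.example-psp.invalid/tokenize.js" integrity="sha384-DIFFERENT-VALUE"></script>
<script src="https://unreviewed-tag.invalid/t.js"></script>
<script>window.campusConfig = {currency: "USD"}; window.__x = 1;</script>
</body></html>"""

if __name__ == "__main__":
    baseline = inline_baseline(KNOWN_GOOD_HTML)
    for line in audit_payment_page(TAMPERED_HTML, AUTHORIZED_SCRIPTS, baseline):
        print(line)
```

In practice the HTML fed to `audit_payment_page` should be fetched the way a customer's browser would receive it (same path, unauthenticated, from outside the campus network) on a schedule, and any finding should page the team that owns the payment page, because a single unreviewed script on that page is exactly the condition both requirements exist to catch.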
Final Thoughts
Higher education institutions must recognize websites as frontline targets for data theft. With their blend of retail, finance, and healthcare functions, universities present a wide attack surface that criminals actively target.
By implementing effective TPSP management, controlling what executes in the browser, monitoring for changes, and limiting exposure, institutions can protect their digital ecosystems and maintain compliance with security standards.
In an era where digital interactions are integral to campus life, investing in e-skimming security will pay dividends in trust and safety for all who rely on these online services.
ScriptSafe™, CampusGuard's front-line defense solution for data security, can enhance your institution's client-side security posture, protect sensitive customer data, and maintain compliance with industry standards. Contact us today to request a demo.
Don't Miss the ScriptSafe Live Demo
Curious to see our ScriptSafe™ solution in action? Join us on June 5 at 2 p.m. Eastern for a live demo and discover how it works — and how it can benefit your organization.
We’ll uncover hidden risks in third-party code and script activity, so you can keep your team focused on what matters most while we safeguard your users, data, and compliance.