Ecommerce Skimming

Article Payments & Treasury Solutions
Ecommerce Skimming


Ecommerce payment card skimming, or formjacking, is an attack in which cybercriminals inject malicious JavaScript code into website payment page forms. In a typical intrusion, the attackers will use vulnerabilities in content management systems, shopping cart software, or third-party hosted applications to upload the malicious code. As users enter in their payment details, the code steals customer payment card information before it is encrypted and sent to card processors.

We have seen hacks on e-commerce platforms rapidly increase since the introduction of EMV cards, with web-application based payment card fraud set to overtake traditional payment fraud in the not so distant future, according to Verizon’s 2019 Data Breach Investigations Report. With COVID-19 and the ability to take in-person payments halted at most locations, many organizations have turned to their ecommerce websites as their primary method of accepting payment cards. This means cybercriminals are focusing their efforts here even more.

If your organization uses web applications to store, process, or transmit sensitive data, those systems could be vulnerable to hackers. If your website is hosted by or uses a third-party vendor solution, you are still at risk because these solutions are used by multiple organizations which makes them even more attractive to attackers. Once access is gained to a third-party application, it may allow an attacker to compromise multiple websites at the same time. A breach of a third-party’s ecommerce web servers can still cause significant headache and reputational damage for your organization.

Magecart is the most widely-known group responsible for payment card skimming attacks and are best known for hacking into Magento shopping cart websites. Why is this important to note? The original end of support of Magento version 1 was November 2018, however, this was revised to June 2020. Failing to migrate your Magento-based websites will result in your merchants falling out of compliance with the PCI DSS, they will no longer receive security patches, and will be more vulnerable to breaches.

Unfortunately, without the proper controls in place, skimming attacks can be very difficult to detect so the best approach is a layered defense. Anti-virus and anti-malware software provide limited protection from known signatures, but if the virus is new it can slip by undetected. File integrity monitoring solutions will alert you when any changes are made to the designated files or folders, but require that you have the targeted file tagged for monitoring; if the impacted file was not being monitored then there will be no alert. Ensuring that all operating systems and software applications are being updated with the latest security updates and patches is, of course, part of the defensive plan as well.

Another way to identify any potential issues before the bad guys do is through web application penetration testing. These tests provide a real-world look at the risk and potential impact to your organization should there be a breach of your ecommerce site. As the saying goes, forewarned is forearmed.

If you have questions regarding how to ensure your ecommerce payment sites are secure, please reach out to us.

Some additional guidance from the Offensive Security team:

[Wheeler]: Unfortunately, there is no silver bullet for security, so we must resort to a layered approach. If we bolster our defenses through a single protection method, attackers are going to attack from a different angle. This is true for any system, application, or target of value. A few additional steps that I would recommend in addition to the protections already mentioned is to always have backups of your website, and preform periodic, manual code review of any of your payment pages. Should any of your defenses fail, the backups will help in a disaster recovery situation to quickly rebound and limit your down time. The periodic, manual code review should help to identify any code that doesn’t belong; keep in mind that attackers often times will obfuscate their code or call it from another location on the internet. It won’t be as obvious as spotting a <malicious code> tag.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.