New Cybercrime called E-Skimming is Targeting Businesses with Online shopping Websites

Haniah Shafi
6 min readFeb 17, 2020


Hackers now linger around shopping carts to steal Payment card information

Photo by Negative Space from Pexels

It’s 2020 and chances are you’ve never heard of E-skimming before. But it’s time you do and take preventive steps to secure your business or if you’re a customer, secure your card details.

We live in a world where online selling and buying is not uncommon. It’s also impossible to give up on shopping online in this digital age since products and services, even electricity and maintenance bills offer online payment options.

We have all heard of skimming devices that hackers fit on ATM machines and EPOS devices that clone card details.

However, this new threat allows cybercriminals to do something similar on checkout pages online and steal personal and payment information from anywhere across the globe.

What is E-skimming?

E-skimming, also known as ‘Magecart’ attack, is a process in which hackers gain access to the online store of a company and inject skimming code onto payment card processing pages of the website.

E-skimming captures the following:

· Personal Information such as Name, Date of Birth, Location, Address

· User Login credentials

· Administrative credentials

· Credit Card/Debit Card information

· Account Number

Once the information is captured, it is sent to a hacker’s domain. It was also found that skimming campaign involves multiple hacking groups that collaborate and develop techniques to target vulnerable websites (CNET, 2019). Since it does not require a physical access, the cybercriminals involved are based in multiple locations across the globe.

How does it work?

Hackers can compromise websites directly by breaking into their web server or indirectly by breaking into a common server supporting many websites to compromise them all (CNBC 2020).

A Malicious Script called “Magecart” containing skimming code was involved in all E-skimming attacks. Hence, the name “Magecart Attacks”. This script was detected by many cybersecurity experts such as Willem de Groot (Security Forensic Analyst) and Yonathan Klijnsma (Threat Researcher at RiskIQ).

According to researchers, hackers introduce the skimming code onto target websites after detecting vulnerabilities. They can gain access to the network using a phishing email or by hacking administrative credentials which can be used to place the code inside the online store using a compromised account (Source: NewsHerald).

According to RiskIQ, hackers compromise third-party suppliers by hiding the skimming code in JavaScript loaded by target websites such as in case of the Ticketmaster data breach in 2018. Moreover, compromising these suppliers can give hackers 10,000 victims instantly.

The skimming code captures credit card information and user account information, sends it to a server connected over the internet using the Hacker’s domain.

Cybercriminals use this information to make fraudulent transactions or monetize by selling credit card information over dark web.

Steps involved in an E-skimming Attack

Previously, E-commerce platforms using Magento were targeted. However, Hackers have upgraded their methods and can now target any business that accepts online payments on their website. Regardless of the fact that it runs on an open-source platform like Magento or on a cloud-hosted service (Source:ZDNet).

How to Detect It?

According to Mike Browning (Senior Manager at RiskIQ; Source: Detroit Free Press, 2019)

“Customers have no way of Detecting Magecart”

Currently, it’s impossible for customers to detect if a website is compromised, as skimming code blends into a company’s payment page and does not show any signs. The compromised site looks normal to customers.

Recent Cases:

E-skimming has impacted businesses in retail, travel and entertainment industries. Incidences of E-skimming date back to 2016. However, the attacks have escalated in the last two years 2018 and 2019. Notable cases illustrated in Infographic below:

Recent Cases of E-skimming

1. Macy’s, an American department store chain (October 2019)

Macy’s revealed in their official statement, that attackers installed a Magecart script onto two pages of their official website: and checkout page. The unauthorised computer code collected customer names, credit card numbers, addresses, phone numbers, card verification codes and expiration dates.

“Macy’s Hit by Magecart Card-Skimming Attack” -CISOMAG 2019

2. Puma, Australian website of Top Sports Brand (April 2019)

Security Forensic Analyst Willem de Groot found skimming malware Magecart code on Puma’s Australian store site that was logging credit card numbers, names and addresses.

Shocking Discovery: The detection tool developed by de Groot found 77 other stores compromised with the same malware. It had adapters for 50 payment gateways allowing hackers to deploy it quickly on new sites.

“Puma Australia shoppers hit with credit card hack, researcher says”- CNET 2019

3. British Airways, Airlines (August 2018)

According to TechCrunch, British Airways website was compromised by the same malware and details of over 380,000 credit cards were stolen.

Yonathan Klijnsma: Threat Researcher at RiskIQ found the injected code on airline’s global site that scraped credit card information, names, billing addresses and bank details on the payment page and forwarded it to a fake site run by hackers.

“British Airways breach caused by credit card skimming malware” -TechCrunch, 2018

4. Ticketmaster, a Ticket Sales and Distribution company (June 2018)

Magecart attack targeted Ticketmaster indirectly by compromising the JavaScript code of its supplier Ibenta. Ticketmaster heavily relies on third-party agents for customer support.

Ticketmaster was applying the JavaScript to its payment page. This allowed hackers to extract login-credentials, names, addresses, email IDs, phone numbers and payment card details of customers who bought theatre, concert and sporting event tickets between February and June 2018 (The Guardian, 2018).

“Ticketmaster warns hackers may have stolen up to 40,000 customers’ info and card details”- The Sun, 2018.

In addition, utility companies and third-party vendors that provide web analytics and advertisements such as PushAssist have been a target for E-skimming attacks.

How to Prevent It?

Customers can prevent e-skimming by:

· Using credit cards instead of debit cards whenever possible, as it is easier to report frauds and get money returned.

· Using one-time use credit cards

· Using a Virtual credit card that creates a unique credit card number for specific transactions

· Activating transaction alerts on all debit and credit cards to get instant alerts from bank in case of fraud.

· Regular monitoring of credit card and bank statements to spot any fraud activity.

· Enabling two-factor authentication for all devices.

· Use a password unique to a shopping site to avoid hacking of multiple personal and social accounts.

FBI issued a warning against E-skimming issued on 22 October 2019. According to which, Small and Medium-sized Businesses and Government Agencies can prevent E-skimming by:

· Updating and Patching all systems with the latest security software and strong Firewalls. Using up-to-date Anti-Malware and Anti-Virus software.

· Changing default login credentials on all systems.

· Educating employees about safe cyber practices. A most important one being not to click on links or attachments in messages.

· Segregating and Segmenting Network Systems to limit the ease with which cybercriminals can move from one to another.

Other precautions include:

· Monitor and Analyse Web Logs to look for unknown domains.

· Regular checks on JavaScript code on company and partner web pages to look for edits.

· Vendor Assessment

· External Penetration testing

· Ensuring your company is PCI DSS compliant to protect cardholders against misuse and optimize the security of debit, credit and cash card transactions.

In case you have been attacked by E-skimming, identify the source of skimming code to determine its access point and save a copy of the malicious script or loader domain and contact law enforcement team urgently.



Haniah Shafi

Digital Entrepreneur | Brand Specialist | Researcher. I write on Cybersecurity, Digital Forensics, Business and Self-Help.