Rise in E-Skimming Threats Targets Holiday Shoppers’ Payment Data

As the holiday shopping season begins, experts are raising alarms about e-skimming, a sophisticated cyber threat that can compromise customers’ payment information before they complete online transactions. This malicious practice involves injecting JavaScript code into legitimate e-commerce sites, allowing cybercriminals to steal sensitive data, including credit card numbers and personal identification, without the victim’s knowledge.

The Annual Payment Fraud Intelligence Report indicates that e-skimming is becoming increasingly prevalent, nearly tripling in activity from 2023 to 2024. The report highlights that over 11,000 unique e-commerce domains were newly infected, marking the highest total on record. “Attackers implant JavaScript skimmers that run silently in your browser, capturing full card numbers, names, CVVs, email addresses, expiry dates, and other sensitive data in real time,” said Marijus Briedis, Chief Technology Officer at NordVPN. “You can shop on a legitimate site and still have your details siphoned with no pop-up, no warning — just silent theft.”

The Mechanics of E-Skimming

E-skimming exploits the complexity of modern checkout pages, which often load various third-party scripts for analytics, payment processing, and marketing. While these vendors are typically trusted, their code can provide an entry point for cybercriminals. Once a skimmer is implanted, it can operate invisibly in the background, harvesting data even before a customer clicks the “Submit” button.

This method of data theft thrives on the lack of visibility that merchants have over the scripts running on their sites. A single compromised vendor or outdated plugin can enable a skimmer to infect multiple e-commerce platforms. The stolen information typically enters a fast-paced underground economy where it is sold on dark web marketplaces for as little as $9, equivalent to the price of movie tickets. Purchasers of these stolen credentials utilize them for various illicit activities, including fraudulent transactions and account takeovers.

Protecting Yourself from E-Skimming

As online shopping becomes more prevalent, consumers need to take proactive measures to safeguard their payment information. Briedis offers several important precautions:

– Use virtual or single-use cards, or payment services like Apple Pay and Google Pay, which do not expose your actual card number.
– Avoid saving card details on websites, even those you trust, and disable browser autofill for payment fields.
– Install security tools that block malicious scripts and trackers in real time to enhance your online safety.
– Stay vigilant for unusual browser extensions or unexpected pop-ups during checkout.
– Regularly review bank statements for any unfamiliar transactions.

The increasing trend in e-skimming highlights the need for both consumers and e-commerce businesses to remain vigilant this holiday season. As cyber threats evolve, adopting these protective measures can help mitigate the risk of becoming a victim of online fraud.