IT Security Outsourced IT

Web Skimming

What is Web Skimming?

The term “skimming” has generally referred to the illicit financial accounting procedure of returning lower invoice totals than were actually collected, allowing criminals to “skim” money off the top of the invoice. Web skimming refers to a hacking technique that targets digital businesses by manipulating client-side web applications to steal their personal and financial details. These cyberattacks are often initiated by placing malicious JavaScript (JS) code strategically on the payment and checkout pages where users divulge their personal and financial details. Two main entry points for web skimming cyberattacks are:

Direct cyberattacks. For this entry point, a cyberattacker plants skimming code/malware directly on the website that they plan to exploit, using zero-day exploit flaws or brute-force techniques to locate the correct admin details and credentials. This attack requires significant preparation and coordination.

Website software supply chain cyberattacks. For this entry point, malware is injected into a trusted third-party hosting site, after which the malware is executed via all websites using that third-party application. Due to the extensive use of third-party applications, this method has become more common.

Web skimming cyberattacks using website software supply chains are executed through third-party HTML/JavaScript code delivered to the website. Since the website has an entirely different repository that is not under the owner’s control, supervision, or maintenance, cyberattackers find this to be an attractive target as one successful third-party application cyberattack can give the cyberattacker unauthorized access to all third-party libraries. Once they have access, cyberattackers then inject skimming code into one of the existing JS files. After that, when a website user opens the website in a browser, the malicious code then gets downloaded to the user’s browser, alongside the legitimate third-party code. As the website owner does not monitor or control third-party code, they may not have logs or indications of any malicious activity at all. After the payload is executed, the script proceeds to harvest personal and financial details which they can then use for fraudulent transactions or to sell on the dark web. The most common pages for web skimming are checkout and payment pages, and web skimming malware may exist there for a long time before being detected.

To avoid becoming a victim of web skimming:

  • Identify all third-party ecommerce and online advertising vendors
  • Monitor third-party scripts
  • Monitor code changes on websites
  • Keep software up to date and regularly updated with the latest security patches
  • Implement client-side web skimming solutions
  • Use multi-factor authentication
  • Use firewalls
  • Deploy a bot management solution to prevent browser-based bot cyberattacks