SOCRadar® Cyber Intelligence Inc. | E-Skimming
Jun 25, 2026

What is E-Skimming?

E-skimming is the injection of malicious JavaScript into e-commerce checkout pages to steal payment card data and personally identifiable information in real time as customers enter it. Also known as web skimming, digital skimming, formjacking, or Magecart attacks, e-skimming operates invisibly from the victim’s perspective. The checkout page looks and functions normally while the injected script captures every keystroke in payment fields and sends the data to an attacker-controlled server.

Magecart attacks surged 103% in just six months during 2024-2025. In January 2026, a Silent Push investigation exposed a skimming network that had been operating undetected since 2022, targeting cardholders across American Express, Mastercard, Diners Club, Discover, JCB, and UnionPay networks.

E-Skimming Definition

E-skimming refers to the theft of payment card data and PII from e-commerce sites through malicious JavaScript injected into the checkout page. The term covers multiple attack names that describe variations of the same technique: Magecart (a specific group and attack methodology), formjacking (the form-level interception), web skimming (the broader web-based approach), and digital skimming (a general term used in compliance contexts including PCI DSS).

The key characteristic is client-side execution: the malicious script runs in the user’s browser, not on the server, which means server-side security controls do not detect or block it.

How Do E-Skimming Attacks Work?

E-skimming follows a three-stage attack flow:

How E-Skimming works
  • Website compromise

The attacker gains access to the target website’s codebase, often by exploiting CMS vulnerabilities, compromising third-party JavaScript providers, or reaching the hosting environment with stolen credentials.

  • Script injection

A small JavaScript snippet is inserted into the checkout page or injected through a compromised third-party script that the legitimate site loads. Because the injected code often mimics the structure of legitimate analytics or payment scripts, it blends into the site’s existing code.

  • Real-time data capture and exfiltration

When a customer fills in the checkout form, the injected script captures the entered data, including card numbers, CVV codes, billing addresses, and names, and transmits it silently to an attacker-controlled server. The legitimate checkout process completes normally, so the victim has no indication anything went wrong.

E-Skimming vs Magecart vs Formjacking: What’s the Difference?

These terms are often used in the same conversation but have slightly different scopes:

Magecart: Began as the name of a specific threat actor group targeting Magento-based e-commerce sites. Has since expanded to refer broadly to the attack methodology, regardless of site platform.

Formjacking: Emphasizes the interception of form data, typically payment forms but also login and other data submission forms.

E-skimming / web skimming: The broader umbrella terms for any attack that steals data from a website by injecting client-side malicious code.

Digital skimming: The term used in regulatory and compliance contexts, particularly PCI DSS 4.0.1.

Notable E-Skimming Case Studies

British Airways (2018)

A Magecart attack on British Airways’ booking pages ran undetected for two weeks, compromising the payment details of approximately 500,000 customers. The resulting GDPR fine was initially set at £183 million, though it was later reduced to £20 million. The case established e-skimming as a significant regulatory risk, not just a security concern.

Ticketmaster (2018)

Attackers compromised a third-party customer support chatbot script used on Ticketmaster’s payment pages. This was one of the earliest high-profile supply chain e-skimming incidents, demonstrating that organizations could be compromised through their vendors.

Silent Push Investigation (2026)

A network of skimming domains had been operating since 2022 without detection, targeting major payment networks including American Express and Mastercard. The investigation highlighted how long these operations can persist when monitoring is inadequate.

E-Skimming and PCI DSS Compliance

PCI DSS 4.0.1 introduced two requirements specifically addressing e-skimming risk:

Requirement 6.4.3 mandates that organizations manage all payment page scripts, maintaining an inventory of all scripts on payment pages, ensuring each script has a documented business justification, and verifying script integrity through methods such as Subresource Integrity (SRI) hashing.

Requirement 11.6.1 requires ongoing detection of unauthorized modifications to payment pages, including unauthorized changes to HTTP headers and the content of payment pages.

These requirements effectively mandate the controls that security experts had been recommending for years in response to the Magecart threat. Organizations subject to PCI DSS must implement e-skimming detection as a compliance obligation.

Magecart-as-a-Service on the Dark Web

E-skimming has evolved into a commercial cybercrime model. On Dark Web forums and Telegram channels, buyers can purchase ready-made Magecart kits that include the JavaScript skimmer, exfiltration infrastructure, and documentation. Stolen card data collected by these kits is then sold on the same marketplaces, with prices varying based on card type, available balance, and geographic origin.

This commercialization has lowered the technical barrier significantly. Attackers do not need to write their own skimming code or build their own infrastructure. They pay for access to a working kit and focus on finding vulnerable e-commerce sites to compromise.

SOCRadar’s threat intelligence monitors these marketplaces and tracks when new Magecart kits enter circulation, providing advance warning to security teams.

How to Detect E-Skimming Attacks

Step 1: Customer complaint signals

Unexpected card fraud reported by customers shortly after they shopped on your site is often the first indicator. A cluster of fraud cases linked to a single merchant is a strong signal.

Step 2: JavaScript monitoring

Tools that continuously compare the JavaScript loaded on payment pages against a known-good baseline will alert when unauthorized scripts appear.

Step 3: Content change detection

File integrity monitoring extended to web application code, and dedicated website change detection services, flag modifications to payment page files.

Step 4: Network traffic analysis

Web Application Firewall logs and network monitoring can identify outbound connections to unfamiliar domains that may be exfiltration servers. Because a skimmer’s exfiltration request originates in the shopper’s browser rather than on your servers, the most direct server-side record of those destinations is Content Security Policy violation reporting (report-uri or report-to), which makes the browser send you a report whenever a page script attempts to contact a host the policy does not list.
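As an added example of the traffic-analysis step (not code from the article or from SOCRadar), the following triages a stream of CSP violation reports: it accepts both the legacy report-uri JSON shape and the Reporting API shape, keeps only the data-bearing directives (connect-src, form-action) fired from checkout pages, drops destinations on an approved list, and ranks the rest by volume. The report lines, hostnames and approved-host list are constructed.

```javascript
// Added example (not SOCRadar code): rank unknown destinations that
// checkout-page scripts tried to reach, using CSP violation reports.
// Report lines, hostnames and the approved list are constructed.

// Destinations the checkout page is allowed to talk to (constructed).
const APPROVED_HOSTS = new Set(["shop.example", "api.psp.example"]);

// Only data-bearing directives matter for skimming: a blocked image from a
// misconfigured CDN is noise; a blocked connect-src or form-action from a
// checkout URL toward an unknown host is the signal.
const EXFIL_DIRECTIVES = new Set(["connect-src", "form-action"]);

// Normalise either report format to { page, directive, blocked }; returns
// null for malformed lines so one bad record does not stop the run.
function parseReport(line) {
  let obj;
  try {
    obj = JSON.parse(line);
  } catch {
    return null;
  }
  if (obj["csp-report"]) {
    // Legacy report-uri format
    const r = obj["csp-report"];
    return {
      page: r["document-uri"],
      directive: r["effective-directive"] || r["violated-directive"],
      blocked: r["blocked-uri"],
    };
  }
  if (obj.type === "csp-violation" && obj.body) {
    // Reporting API (report-to) format
    return { page: obj.body.documentURL, directive: obj.body.effectiveDirective, blocked: obj.body.blockedURL };
  }
  return null;
}

// blocked-uri may be a bare keyword such as "inline" or "eval"; keep it as-is.
function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch {
    return uri;
  }
}

// Aggregate per destination host: exfil-directive violations on checkout
// pages whose target is not an approved host, busiest host first.
function triageReports(lines) {
  const findings = new Map();
  for (const line of lines) {
    const r = parseReport(line);
    if (!r || !EXFIL_DIRECTIVES.has(r.directive)) continue;
    if (!/\/checkout/.test(r.page)) continue;
    const host = hostOf(r.blocked);
    if (APPROVED_HOSTS.has(host)) continue;
    const f = findings.get(host) || { host, count: 0, directives: new Set(), pages: new Set() };
    f.count += 1;
    f.directives.add(r.directive);
    f.pages.add(r.page);
    findings.set(host, f);
  }
  return [...findings.values()].sort((a, b) => b.count - a.count);
}

// Constructed report stream, one JSON report per line (plus one bad line).
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/checkout/payment", "effective-directive": "connect-src", "blocked-uri": "https://cdn-metrics.example.net/collect" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/checkout/payment", "effective-directive": "connect-src", "blocked-uri": "https://cdn-metrics.example.net/collect" } }),
  JSON.stringify({ type: "csp-violation", body: { documentURL: "https://shop.example/checkout/review", effectiveDirective: "form-action", blockedURL: "https://cdn-metrics.example.net/submit" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/products/42", "effective-directive": "img-src", "blocked-uri": "https://images.partner.example/banner.png" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/checkout/payment", "effective-directive": "connect-src", "blocked-uri": "https://api.psp.example/v1/tokens" } }),
  "not a report",
];

for (const f of triageReports(SAMPLE_REPORTS)) {
  console.log(`SUSPECT ${f.host}: ${f.count} blocked request(s), directives ${[...f.directives].join(",")}`);
}
```

The blocked request to the approved PSP host is dropped from the findings but is worth a separate alert of its own, since it means the deployed policy does not match the page's legitimate traffic and will generate noise that hides real findings.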

How to Prevent E-Skimming

Content Security Policy (CSP)

A CSP header tells the browser which origins may supply scripts for your pages (script-src) and, through directives such as connect-src and form-action, which destinations page scripts may send data to. It does not stop a skimmer served from a permitted origin from running, but it sharply limits where the captured data can be sent.

Subresource Integrity (SRI)

SRI attributes on script tags carry a cryptographic hash of the expected script content. If the loaded script does not match the hash, the browser refuses to execute it. This is highly effective against attacks that modify third-party scripts, with one condition: the hash only holds for fixed content, so a provider that pushes updates to the same URL will break it, which is why SRI is paired with version-pinned script URLs.

Web Application Firewall

A WAF provides a layer of protection against the initial compromise that enables script injection.

Third-party script auditing

Maintain an inventory of every third-party JavaScript resource loaded on payment pages, validate the necessity of each, and monitor each provider’s security posture.

PCI DSS compliance

Requirements 6.4.3 and 11.6.1 provide a structured framework for e-skimming prevention and detection.

How SOCRadar Threat Intelligence Detects E-Skimming Campaigns

SOCRadar’s Digital Risk Protection and Attack Surface Management capabilities help organizations identify exposure to e-skimming. Dark Web monitoring tracks Magecart kit releases and card data markets, providing intelligence on campaigns before they affect customers. Attack Surface Management identifies internet-facing e-commerce infrastructure carrying known vulnerabilities that skimming campaigns commonly exploit.

Frequently Asked Questions

What is e-skimming?

E-skimming is the theft of payment card data from e-commerce checkout pages through malicious JavaScript that runs invisibly in the customer’s browser.

What is a Magecart attack?

A Magecart attack is a form of e-skimming originally associated with a specific threat actor group. The term now broadly refers to any e-skimming attack using JavaScript injection on payment pages.

How does e-skimming differ from phishing?

Phishing tricks users into submitting data to a fake site. E-skimming intercepts data submitted to the real, legitimate site, making it much harder for users to detect.