How Web Skimming Attacks Happen and What You Can Do to Protect Against Them

April 9, 2020 - Ensighten

Web skimming can have serious consequences for an organization ranging from fraud claims and brand damage to considerable compliance penalties as a result of CCPA and GDPR violations. Web skimming is a specific type of client-side attack, in which hackers inject malicious JavaScript into a website by exploiting holes within the website  code or by infiltrating third-party technologies.

Once online skimming malware has been injected into a website, it is then delivered to a visitor's browser along with the regular website HTML and other first-party code where it is executed. All code, regardless of whether it is first- or third-party, has the same access to any user data being entered and a skimmer will look for sensitive user data and steal it. This data is then exfiltrated, sent to the cybercriminals and later sold on the dark web.


The browser is an attractive attack surface

With modern websites being rich and immersive, they often contain thousands of lines of code and heavily utilize open-source and third-party components. With all this complexity, the attack surface of a typical website is considerably large and with organizations becoming more competent with their server and origin protections, the place where the website is rendered, the browser, is now a new frontier.

It is not just the website complexity that makes online skimming attacks somewhat easy to perform, but the usage of third-party components. Most websites utilize between 40-60 third-party JavaScript libraries with many of them being delivered from external repositories. When examining the network activity of a site, it is common to see code being delivered from Facebook, Google, Twitter and a myriad of other, lesser known locations.

While utilizing code from third-party repositories can certainly help development and sometimes bring optimizations around performance, doing so somewhat assumes that the third party has implemented adequate security measures to protect the hosted code. If a cybercriminal is able to breach one of the third-party code providers that is utilized within  a website and inject their malware, then the malicious code would be delivered to the website’s visitors and would be able to capture user data without even having to breach the organization’s  web servers.



Online skimming prevention

There are several things an organization can do to help mitigate potential web skimming ranging from basic security measures to the use of security technologies designed specifically to mitigate the threat.

Organizations should examine their security practices around areas such as patching to ensure that potential loopholes or exploits are closed. Patching does not just apply to the server’s operating system, but also the delivery stack and any elements used within the website, including third-party libraries.

There are a number of security capabilities built into modern browsers, such as CSP (Content Security Policy) and SRI (Sub Resource Integrity), which organizations should examine to see if they can be applied to their codebase. While these technologies offer a certain level of protection, they do often come with a high management burden putting many off their use.


Ensighten MarSec™

Ensighten’s website security technology enables organizations to protect their online properties against data theft and exfiltration; the purpose of web skimming attacks. By adding a single line of code, Ensighten delivers a security layer that prevents all code from sending data to unauthorized network locations.

Ensighten provides a comprehensive client-side security offering which enables you to prevent not only  online skimming, but also JavaScript injection, malicious ad injection and other areas such as cross-site scripting (XSS).

Ensighten is the leader in preventing client-side data exfiltration and theft whilst at the same time providing technology which allows organizations to ensure that their assets are CCPA and GDPR compliant.

Get in touch to find out more about how you can protect your website from data leakage or theft while complying with global data privacy legislation.




Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Online skimming guide

Learn more about online skimming attacks and how you can secure your website against malicious JavaScript code

Read Now

Magecart blog

Learn more about the most talked about cyberattack group and how you can protect against Magecart attacks

Read now

Online demo

See the Ensighten solution in action to learn how we can help protect against web skimming attacks

Book Now