Online skimming attacks have increased in intensity and complexity and have been used to steal data from the websites of some of the world’s most valuable brands. Ensighten’s security capabilities will mitigate these attacks, even when the breach is within a supply chain technology.
Unlike other solutions, Ensighten’s technology does not rely on legacy signature-based mitigation approaches, nor does it simply attempt to lessen the burden of security capabilities such as CSP and SRI. Instead, it utilizes modern, cutting-edge browser-based detection to prevent attacks from taking place.
What are online skimming attacks?
Online skimming is a website attack method designed to steal user data by injecting malware into a web page, often by compromising a third-party script. Skimming incidents have increased dramatically over the past few years and a number of significant brands have experienced breaches resulting in millions of consumers having their personal information stolen.
Online skimming attacks are dangerous and should be a serious security concern because:
- Your infrastructure does not need to be breached for your website to be exploited; attackers can target JavaScript files within the many third-party libraries utilized on your website
- The browser is what processes the JavaScript files and there is often no visibility into the malicious activity, making detection difficult
- You are liable for severe compliance penalties resulting from a skimming attack
How an online skimming attack happens
For a skimming attack to be successful, cybercriminals will inject malware into your website. However, they can also target one of your third-party vendors. These vendors are often outside of your control, so an attacker does not actually need to infiltrate your servers to perform a successful exploit.
The risk of third-party JavaScript
To deliver rich, immersive, modern sites, organizations utilize third-party JavaScript to enable components such as virtual bots, shopping carts, credit card processing and more.
When a user accesses a website, their browser fetches content from the organization’s web servers, known as first-party content, along with content from numerous other online locations, known as third-party content. The browser, however, treats all of this content equally, regardless of whether it is first or third party. That is, any script running in the page can read any data in the page, irrespective of where the code or data originated. While you may invest significant effort in securing your own infrastructure, an attacker who is able to breach one of the third-party libraries is able to steal customer data as customers interact with your website.
Preventing online skimming
With the many third-party components forming part of almost every website, most organizations understand that it is not a matter of if, but when their site will be impacted by skimming malware. Short of creating and maintaining every single line of code in-house, organizations cannot guarantee that they are protected against skimming attacks.
The only way to mitigate online skimming is to prevent attackers from being able to exfiltrate data from your website by implementing an allowlist of trusted and validated network locations. Should a third-party vendor be breached, the attackers would be unable to extract any data.
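The allowlist decision described above, written out as an added example (not Ensighten's code): each outbound request URL is parsed and its scheme and hostname are compared against trusted entries, including the look-alike hostnames that defeat naive substring checks. The allowlist entries, hostnames and function names are constructed for illustration.

```javascript
// Added example. ALLOWLIST entries and every hostname below are constructed placeholders.
const ALLOWLIST = [
  { scheme: 'https:', host: 'www.shop.example' },     // first party
  { scheme: 'https:', host: 'api.payments.example' }, // one exact third-party host
  { scheme: 'https:', host: '*.cdn.example' },        // subdomains only, not the apex
];

// True when hostname equals the entry, or is a subdomain of a "*.suffix" entry.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".cdn.example"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return hostname === pattern;
}

// Decide whether a request issued from pageUrl may leave the page.
function checkDestination(rawUrl, pageUrl, allowlist = ALLOWLIST) {
  let url;
  try {
    url = new URL(rawUrl, pageUrl); // resolves relative URLs against the page
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  // Compare the parsed hostname, never a substring of the raw string:
  // "https://api.payments.example@collector.test/" has hostname collector.test.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  const hit = allowlist.find(e => e.scheme === url.protocol && hostMatches(e.host, host));
  return hit
    ? { allowed: true, reason: `matches ${hit.host}` }
    : { allowed: false, reason: `${url.protocol}//${host} is not on the allowlist` };
}

// Audit a batch of observed request URLs and keep the verdict beside each one.
function auditRequests(urls, pageUrl) {
  return urls.map(u => ({ url: u, ...checkDestination(u, pageUrl) }));
}

// Constructed sample of requests observed on a checkout page.
const SAMPLE = [
  '/api/cart',
  'https://api.payments.example/v1/charge',
  'https://static.cdn.example/lib.js',
  'https://cdn.example/lib.js',                    // apex is not covered by *.cdn.example
  'https://api.payments.example.collector.test/c', // trusted name used as a subdomain label
  'https://api.payments.example@collector.test/c', // trusted name in the userinfo part
  'http://www.shop.example/pay',                   // right host, wrong scheme
];
console.table(auditRequests(SAMPLE, 'https://www.shop.example/checkout'));
```

In a browser, a decision like this only prevents exfiltration when it is enforced on every outbound channel, for example through the `connect-src`, `img-src` and `form-action` directives of the CSP mentioned earlier.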
