Digital skimmers: what they are, how they work, and how to stay protected against them

Digital skimmers: what they are, how they work, and how to stay protected against them

As more and more people turn to online stores to make their purchases, ecommerce sites are becoming more attractive targets for attackers looking to steal customer data. And with attackers constantly coming up with new ways to compromise sites, it’s more important than ever to understand the latest security threats so that your customers’ credit card numbers don't end up among the tens of millions for sale on illicit dark-web marketplaces.

One of the more increasingly prevalent threats to ecommerce sites is digital skimmers. In this article, we’ll break down what digital skimmers are, how they work, and what you can do to protect your site from them.

What are digital skimmers?

Digital skimmer is a term used to describe malicious code that attackers add to checkout pages of ecommerce sites. The code can detect a customer’s credit card number inputted on a checkout page, and sends a copy of the data to an attacker controlled server before the customer proceeds through the remainder of the checkout process.

Because of the discrete nature of the attack and additional techniques that enable attackers to hide their code, digital skimmers can go undetected for months or even years. During that time, an attacker can potentially compile a huge collection of all of the credit card data passing through the site.

Digital skimmers have not only been the center of numerous high profile breaches involving companies like Ticketmaster, Tupperware, and British Airways, but have also been used in large automated campaigns against smaller ecommerce sites on platforms such as Magento.

Whether you lead a security team for a large enterprise or run a small business through an ecommerce platform, it’s crucial to understand how digital skimmers can attack your site in order to protect your business and customers.

How do digital skimmers work?

For an attacker to inject a digital skimmer on your site, they need to accomplish two things. First, they need to find a way to add script code to the pages of your site that take credit card data. They also need to hide the script code so it can extract data without detection from administrators or security analysts.

Here are 3 ways attackers can add digital skimmers to your site and how to prevent them.

Exploiting vulnerabilities

Attackers often exploit known security vulnerabilities associated with frameworks or other technologies in use on the target site. A recent campaign carried out by a hacking group called MageCart exploited vulnerabilities in the Magento ecommerce framework to automatically inject digital skimmers on online stores. Keep up to date on vulnerabilities associated with your site’s technology stack, and perform regular vulnerability scanning to detect and remediate them fast.

Compromising admin accounts

While it requires more effort, attackers can also compromise your site by targeting site administrators directly. Compromised admin accounts give an attacker full control of your site, so follow account security best practices such as picking strong, unique passwords and enabling 2-factor authentication.

Replacing existing scripts

Attackers can even take over existing scripts on your site to replace useful code with malicious code. While hard to detect or prevent, these code supply chain attacks are also the most difficult for attackers to carry out. Consider implementing Subresource Integrity HTML attributes to make sure the code being served to your site from content distribution networks hasn’t been altered.

Once attackers have added a digital skimmer to your site, there are several techniques they may use to disguise it.

Many attackers will choose a name for the skimmer script that blends in with the other scripts on your site. With so many analytics and integration scripts running on sites now, names like “script-analytics.com” are easy to overlook. Make sure to read through script names and URLs carefully for typos or suspicious hints.

Digital skimmers can also be obfuscated by encoding the Javascript code itself into hexadecimal. This type of encoding makes the code difficult to read, but is also a great indicator that a file may be malicious. Benign scripts aren’t usually encoded, so if you find a script on your site that is, it may be an indicator that the file is malicious.

Additionally, many samples of digital skimming code include checks that enable the code to make sure it isn’t being investigated with a debugger, or even self-remove after execution.

These advanced techniques don’t prevent the code from being analyzed by experienced security researchers, but can hide it from those less familiar with malware. If you find suspicious code on your site, have a security expert look at it as soon as possible.

How to protect your site from digital skimmers

There are several ways to guard your site against the threat of digital skimmers.

Scan for vulnerabilities regularly

Make sure any vulnerabilities that attackers could use to add skimming code are detected and remediated swiftly. Run a vulnerability assessment regularly to make sure your site doesn’t have vulnerabilities that can be exploited as part of a larger automated campaign.

Take inventory of your attack surface

Inventory what is running in your environment and on your site. A new cookie, XHR request, or script on your site can suggest that unknown code is running, so use cloud monitoring tools to make sure only authorized code is running on your site.

Follow web-app security best practices

Implement web-app security best practices, like security headers and subresource-integrity. These can not only prevent skimming code from working (i.e. blocking iFrame) but also prevent skimming code from getting on your site (i.e. SRI protects against CDN takeover). Regular dynamic application security testing helps identify gaps in site security and ensure all best practices are met.

Conduct penetration tests

Perform a periodic penetration test of your site. Having security experts manually test your site is the best way to make sure you don’t have security flaws and that your site and its users are safe. Because certain classes of vulnerabilities aren’t detected by automated vulnerability scanning, hands-on penetration tests are the only way to make sure all vulnerabilities on your site are accounted for.

Now that you have a better understanding of how digital skimmers work, keep your business and customers protected from this growing threat with Halo Security's attack surface management solution. With tools like discovery scanning, server scanning, and risk scores available in one user-friendly dashboard, Halo Security makes cloud security easy and intuitive.


Editor's note (August 2022): This article was originally posted on the TrustedSite blog in Oct 2020. It has been updated for the Halo Security blog.