Skimming
Also known as: Magecart, e-skimming, web skimming
Theft of payment-card data at the point of entry — physical skimmers on ATMs and POS terminals, or malicious JavaScript (web skimming / Magecart) injected into checkout pages.
What is skimming?
Skimming is the theft of payment-card data at the moment the cardholder enters it. Two distinct attack surfaces share the name:
- Physical skimming — a hardware overlay on an ATM or fuel-pump card reader, often paired with a pinhole camera or fake PIN pad, captures the card stripe and PIN. "Shimmers" are a newer variant that reads chip-card data from inside the slot.
- Web skimming / Magecart / e-skimming — malicious JavaScript injected into an e-commerce checkout page exfiltrates card numbers, CVVs, and billing addresses to an attacker-controlled server. Named after the Magecart groups that industrialized the technique against Magento and other shopping platforms starting around 2015.
How web skimming works
Attackers compromise either the merchant site itself (via a vulnerable admin plugin, a stolen CMS password, or a leaked SSH key) or a third-party script the site loads — analytics snippets, review widgets, A/B test libraries, chatbots. Once the attacker can modify a script the checkout page loads, they add a few hundred bytes of JavaScript that watches the payment form and POSTs each keystroke to a server they control. The card data then feeds underground carding markets.
Detection and mitigation
- Subresource Integrity (SRI) on every third-party script stops modified scripts from executing: the browser refuses to run a script whose hash differs from the tag's `integrity` attribute. This only works for scripts whose content is pinned; a vendor that pushes silent updates will break the page rather than load unchecked
- Content Security Policy (CSP) with reporting (`connect-src` and `form-action` restricted to known hosts, violations sent to a `report-to` or `report-uri` endpoint) catches connections to unexpected exfiltration endpoints
- Monitor third-party script hashes — unexpected changes are the earliest signal
- IP reputation on exfil endpoints — the domains and IPs used for card drops are shared across campaigns
Check whether a suspicious exfiltration domain's IP has abuse history with our IP abuse report checker.