Web skimming attacks

Web skimming attacks, also known as e-skimming or online data skimming, are responsible for millions of dollars in damages to business each year from theft and fraud.

What are web skimming attacks?

Web skimming attacks, such as Magecart attacks, typically inject malicious JavaScript into a web application or website, targeting vulnerabilities within the code or by exploiting a third-party service provider. The main aim of these types of attacks is to plant skimming code that monitors for data being entered into specific form fields, such as a password, social security number, or a credit card number, as well as data that is embedded into cookies.

Today’s rich, dynamic web experiences are delivered using a combination of HTML, CSS, and JavaScript from both internal teams and third-party vendors. However, third-party JavaScript has the same access to resources and content that your own first-party code has, and attackers have realized it’s easier to infect third parties that have weaker security in place as a way to gain access to more valuable targets. And unfortunately research shows businesses are poorly prepared to deal with web and e-skimming attacks.

In 3 steps, how web skimming attacks infect your websiteRelated Webinar

37 percent of websites have at least one JavaScript vulnerability

Over 80 percent of websites are susceptible to infiltration from a malicious script

Sources: fortune.com, verizon.com


How a web skimming attack works

Attackers inject malicious JavaScript into your website by exploiting a vulnerability in your first-party code or a third-party script that is present on your website.

Shared libraries injected with the malicious script are uploaded to your web app or website.

Your customer accesses a compromised page in your web app and unwittingly loads a skimming script in their browser.

When they enter sensitive data like credit cards, social security numbers, or passwords into a form, it is sent back to the attacker’s server.

The hackers receive your customers’ personal data.

How a skimming attack works

Get protected with


Web skimming isn’t just an eCommerce problem — all online businesses are a target

Web skimming attacks like those carried out by Magecart have been making recent headlines for targeting eCommerce websites in an attempt to plant skimming code to steal credit card numbers. Magecart skimming code has been implicated in over 2 million web skimming attacks to date — but the reality is the number could be much higher.

4 web security challenges you need to addressRelated Blog

However, with the increasing digitalization of everything in modern daily life, e-skimming is not specifically an eCommerce problem. Any website that collects valuable personal data, such as user credentials, email addresses, birth dates, and social security numbers, could be a potential target. And there are serious consequences that don’t take steps to protect themselves or their customers.

Stop Magecart: Defense against the dark arts of web skimming attacksRelated Blog

British Airways received a $250 million fine for failing to protect customer data

Hackers stole sensitive information from 500,000 customers in just 15 days

Sources: fortune.com, verizon.com

Our solution

You can’t protect every line of code, but you can limit what attackers access

Web skimming attacks are extremely difficult to detect since they do not occur within your own infrastructure. Instead, malicious JavaScript is loaded directly into a visitor’s browser away from all your internal security controls — completely invisible to traditional security solutions that would normally raise flags if unusual activity is detected.

Instart offers industry-leading protection against web skimming attacks to prevent data exfiltration from occurring within the browser. Using its unique Nanovisor technology, Instart Web Skimming Protection provides unparalleled control over what form fields and cookies on a website can be accessed by a third-party script.