A new wave of invisible cyberattacks is sweeping through online retail, exploiting the busiest shopping months of the year and striking consumers where they feel safest: on legitimate e-commerce sites.
The rise of e-skimming — malicious code injected directly into checkout pages — is rapidly becoming one of the most pernicious forms of payment data theft, siphoning card details before a customer even clicks “Submit”.
Payment Fraud Intelligence Report
The latest Annual Payment Fraud Intelligence Report underlines the scale of the threat.
E-skimming incidents almost tripled in 2024, with more than 11,000 new domains compromised — the highest figure ever recorded. Unlike traditional breaches, these attacks do not rely on breaking into a merchant’s databases.
Instead, attackers tamper with the JavaScript ecosystem that powers modern checkout flows, enabling real-time capture of card numbers, CVVs, names and email addresses with no visible trace.
NordVPN’s chief technology officer, Marijus Briedis, characterises the danger succinctly: once a skimmer is embedded in a page, it runs silently within the shopper’s browser, harvesting data as it is typed.
There is no alert, no error message and no broken user interface. Customers complete their purchases believing the transaction has been safe, unaware that their card details may already be circulating on dark-web marketplaces for the price of a cinema ticket.
A Structural Vulnerability
The structural vulnerability lies in the complexity of today’s e-commerce supply chains.
A typical checkout page may load scripts from analytics providers, marketing platforms, A/B-testing tools, and payment technology firms — each of them treated as trusted but only loosely monitored.
If one vendor is compromised or a plugin is left unpatched, an attacker can distribute their malicious script to every online store relying on that code. The injected skimmer blends in with legitimate tags, often activating only under specific conditions to avoid detection.
Once stolen, card data moves quickly.
Fraudsters typically sell the information in bulk before it is used for carding, account takeovers or rapid-fire fraudulent purchases. Many attacks unfold within hours, long before the consumer notices an unfamiliar transaction on their statement.
For merchants, the implications are significant.
E-skimming erodes customer trust and exposes businesses to reputational damage and potentially severe regulatory consequences.
Crucially, many retailers lack comprehensive visibility into the third-party scripts executing in customers’ browsers, leaving a blind spot that attackers continue to exploit.
Strengthening script governance, tightening vendor oversight and adopting real-time client-side monitoring tools are becoming essential defences.
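As an added illustration of script governance (not code from the report or from any vendor named here), the sketch below audits the scripts a checkout page loads against an approved inventory and flags third-party scripts that lack a Subresource Integrity hash. The host names, the `ALLOWED_HOSTS` inventory, the `auditScripts` helper and the sample data are all constructed assumptions.

```javascript
// Added example: audit the external scripts loaded by a checkout page.
// ALLOWED_HOSTS and SAMPLE are constructed for illustration only.
const ALLOWED_HOSTS = new Set([
  "shop.example",            // the merchant's own origin
  "cdn.payments.example",    // payment provider
  "tags.analytics.example",  // analytics vendor
]);

// scripts: [{ src, integrity }]; in a browser this list can be collected with
//   [...document.scripts].map(s => ({ src: s.src, integrity: s.integrity }))
function auditScripts(pageUrl, scripts, allowedHosts = ALLOWED_HOSTS) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const { src, integrity } of scripts) {
    if (!src) continue; // inline scripts need a separate review (e.g. CSP nonces)
    let url;
    try {
      url = new URL(src, pageUrl); // resolves relative and protocol-relative URLs
    } catch {
      findings.push({ src, issue: "unparseable-src" });
      continue;
    }
    if (url.protocol !== "https:") findings.push({ src, issue: "not-https" });
    if (!allowedHosts.has(url.hostname)) {
      // A script nobody approved: the blind spot described above.
      findings.push({ src, issue: "host-not-in-inventory" });
    } else if (url.hostname !== pageHost &&
               !/^sha(256|384|512)-/.test(integrity || "")) {
      // Approved vendor, but the file can change without the merchant noticing.
      findings.push({ src, issue: "third-party-without-sri" });
    }
  }
  return findings;
}

// Constructed sample inventory for https://shop.example/checkout
const SAMPLE = [
  { src: "/js/checkout.js", integrity: "" },
  { src: "https://cdn.payments.example/v3/pay.js", integrity: "sha384-CONSTRUCTED" },
  { src: "https://tags.analytics.example/t.js", integrity: "" },
  { src: "https://widgets.unlisted.example/w.js", integrity: "" },
  { src: "http://shop.example/js/legacy.js", integrity: "" },
];

console.log(auditScripts("https://shop.example/checkout", SAMPLE));
```

Vendors that change their scripts in place cannot be pinned with an integrity hash, which is worth recording in the inventory as an accepted risk rather than leaving unnoticed.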
As online commerce grows ever more dependent on intricate webs of third-party code, e-skimming is emerging as the silent threat of the checkout era — one that retailers will ignore at their peril.










