The invisible attack that could be stealing your payment details while you shop

Experts from NordVPN are warning about a rise in ‘invisible’ attacks that can steal payment details on legitimate eCommerce sites.
Known as e-skimming, this involves malicious JavaScript code being injected into legitimate eCommerce sites to steal customers’ payment data during checkout. It is the online equivalent of the physical skimming devices found on ATMs and gas pumps.
“Attackers implant JavaScript skimmers that run silently in your browser, capturing full card numbers, CVVs, names, email addresses, expiry dates, and other sensitive data in real time, sometimes even before you finish the purchase,” says Marijus Briedis, CTO at NordVPN. “You can shop on a legitimate site and still have your details siphoned with no pop-up, no warning -- just silent theft.”
Checkout pages load a mix of outside code -- including analytics tags, payment widgets, marketing trackers, UX libraries, and A/B-testing tools. These vendors are trusted but rarely watched closely. That supply chain creates an opening for e-skimming: malicious code is delivered through the site like any normal script, and once the page loads, it runs locally in the shopper’s browser.
A single compromised vendor or outdated plugin can quietly spread a skimmer to every store that relies on it. Once present, the code blends in with legitimate scripts, allowing it to remain dormant or to activate only for specific regions or hours to capture data. Because the skimmer captures data in real time, the theft can even occur before a customer presses the ‘Submit’ button.
“E-skimming succeeds by hiding inside the scripts stores rely on to function,” adds Briedis. “Many merchants don’t have full visibility or control over those scripts that run in customers’ browsers, so injected code can run silently, steal full credit card details, and vanish without a trace.”
To protect yourself, it’s recommended to use a virtual or single-use card that doesn’t expose your real card number, or to use tokenized payments such as Apple Pay or Google Pay. You should also avoid saving card details on websites, even trusted ones, and turn off browser autofill for payment fields.
In addition, install a security tool that blocks malicious scripts and trackers in real time, and be alert for unusual browser extensions or unexpected pop-ups at checkout. And of course, regularly review your bank statements for unfamiliar transactions.
You can read more about card theft on the NordVPN site.