As holiday shopping begins, with Christmas around the corner, experts warn about e-skimming: malicious JavaScript code injected into legitimate e-commerce sites to steal customers’ payment data during checkout.
According to the Annual Payment Fraud Intelligence Report, e-skimming is one of the most effective methods of data theft in 2024. Newly infected e-commerce domains nearly tripled versus 2023.
“Attackers implant JavaScript skimmers that run silently in your browser, capturing full card numbers, names, CVVs, email addresses, expiry dates, and other sensitive data in real time, sometimes even before you finish the purchase,” Marijus Briedis, CTO at NordVPN, tells Digital Journal. “You can shop on a legitimate site and still have your details siphoned with no pop-up, no warning — just silent theft.”
E-skimming
What makes e-skimming particularly dangerous is its invisibility. Shoppers continue browsing unaware, and businesses often have no immediate indication that data is being collected in the background.
The Annual Payment Fraud Intelligence Report finds that e-skimming is one of the most effective methods of data theft. E-skimming activity nearly tripled in 2024 compared to 2023, with more than 11,000 unique e-commerce domains newly infected, marking the highest annual total on record.
From checkout to cash-out
Modern checkout pages load a mix of outside code — including analytics tags, payment widgets, marketing trackers, UX libraries, and A/B-testing tools. These vendors are trusted but rarely watched closely. That supply chain creates an opening for e-skimming — malicious code is delivered through the site like any normal script, and once the page loads, it runs locally in the shopper’s browser.
A single compromised vendor or outdated plugin can quietly spread a skimmer to every store that relies on it. Once present, the code blends in with legitimate scripts, allowing it to remain dormant or activate only for specific regions or hours to capture data. Theft can even occur before a customer presses the “Submit” button.
Once harvested, the data usually enters a fast-moving underground economy. Attackers typically sell stolen credentials on dark web marketplaces, and as recent NordVPN research shows, those payment cards sell for as little as the price of a movie ticket, approximately $9. Buyers then use them for carding and making fast, fraudulent purchases, credential stuffing, account takeover, or gift card laundering, often within hours of the theft.
E-skimming succeeds by hiding inside the scripts that stores rely on to function. Many merchants do not have full visibility into or control over the scripts that run in customers’ browsers; therefore, injected code can run silently, steal full credit card details, and vanish without a trace.
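
As an added illustration (not from the article or any vendor it names), one way a merchant can gain the visibility described above is to inventory every script a checkout page loads and flag third-party hosts that are not on an approved list or that lack a Subresource Integrity hash. The page markup, host names and approved list below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "shop.example.test"  # assumed first-party host
APPROVED = {"pay.example-psp.test", "cdn.analytics-vendor.test"}  # assumed vendor list

# Constructed checkout markup; every host and path is made up.
CHECKOUT_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://pay.example-psp.test/widget.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script src="//cdn.unknown-host.test/ux.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>
"""

class ScriptInventory(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # one record per <script> tag

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            # Inline code cannot be pinned by host or hash from markup alone.
            self.scripts.append({"src": None, "host": None, "findings": ["inline-script"]})
            return
        host = urlparse(src).hostname or SITE_HOST  # relative URL = first party
        findings = []
        if host != SITE_HOST:
            if host not in APPROVED:
                findings.append("unapproved-host")
            if not attr.get("integrity"):
                findings.append("no-sri")  # vendor can change the file unnoticed
        self.scripts.append({"src": src, "host": host, "findings": findings})

def audit(html):
    parser = ScriptInventory()
    parser.feed(html)
    return parser.scripts

if __name__ == "__main__":
    for s in audit(CHECKOUT_HTML):
        print(s["host"] or "(inline)", s["src"] or "", ", ".join(s["findings"]) or "ok")
```

A static pass like this only sees scripts present in the delivered HTML; scripts that those scripts load at runtime need browser-side monitoring or Content-Security-Policy reporting to catch.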

How to protect yourself while shopping online
To guide consumers, Briedis provides some important precautions that shoppers should follow to stay safe while shopping online:
- Use a virtual or single-use card, a payment service that doesn’t expose your real card number, or tokenized payments (Apple Pay, Google Pay, etc.).
- Never save card details on websites, even trusted ones, and turn off browser autofill for payment fields.
- Install a security tool that blocks malicious scripts and trackers in real time, such as Threat Protection Pro.
- Be alert for unusual browser extensions or unexpected pop-ups at checkout.
- Regularly review your bank statements for unfamiliar transactions.
