What happened
A widespread web skimming campaign hijacks checkout pages to steal credit cards from consumers when they enter payment information on compromised e-commerce sites, according to recent analysis of a long-running Magecart-style operation. The attackers inject highly obfuscated JavaScript into legitimate online store checkout pages, monitor DOM changes to activate only on payment forms, and replace legitimate interfaces with nearly identical fake forms that capture credit card numbers, expiration dates, CVV codes, and personal details. The stolen data is encoded and transmitted to attacker-controlled exfiltration servers, while deceptive error messages encourage unsuspecting shoppers to re-enter their information. The campaign targets major payment networks such as American Express, Discover, Mastercard, Diners Club, JCB, and UnionPay, and has been active since at least early 2022, leveraging compromised domains and bulletproof hosting to evade detection.
Who is affected
Online shoppers using compromised e-commerce sites and the merchants that host them are directly impacted by this skimming campaign; their payment card information and personal details are captured and transmitted to threat actors, posing both financial and regulatory exposure.
Why CISOs should care
Client-side skimming exploits the trust between customers and e-commerce platforms, risking financial fraud, PCI-DSS compliance violations, reputational damage, and large-scale data theft that can extend beyond a single breach.
3 practical actions
- Audit third-party scripts: Perform regular integrity checks of all client-side scripts loaded on checkout pages.
- Deploy runtime monitoring: Use behavioral detection to identify unauthorized DOM alterations and script injections.
- Isolate payment flows: Separate critical payment form assets from less trusted third-party content and enforce strict Content Security Policies.
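
One way to check the third action is to audit the Content-Security-Policy header that the checkout page actually serves. The script below is an added example, not code from the original analysis; the function names, sample policies and hostnames are assumptions made for illustration. It flags script sources that would let injected code run and missing or broad directives that leave data destinations unrestricted.

```javascript
// Added example: audit a checkout page's Content-Security-Policy header.
// Both sample policies and their hostnames are constructed for illustration.
const WEAK = "default-src https:; script-src 'self' 'unsafe-inline' *";
const STRICT = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; " +
  "connect-src 'self'; img-src 'self'; form-action 'self' https://pay.psp.example";

// Parse "name v1 v2; name2 v3" into { name: [v1, v2], ... }.
function parseCsp(header) {
  const directives = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first.
    if (key && !(key in directives)) directives[key] = values;
  }
  return directives;
}

// Source expressions that match any network origin.
const BROAD = new Set(['*', 'https:', 'http:']);

function auditCheckoutCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  // Fetch directives fall back to default-src; form-action does not.
  const effective = (name, fallback = true) =>
    csp[name] ?? (fallback ? csp['default-src'] : undefined);
  const broad = (values) => values.filter((v) => BROAD.has(v));
  const script = effective('script-src');
  if (!script) {
    findings.push('script-src: not set, any script may run');
  } else {
    const strict = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    // With a nonce or hash present, browsers ignore 'unsafe-inline'.
    if (script.includes("'unsafe-inline'") && !strict)
      findings.push("script-src: 'unsafe-inline' allows injected inline scripts");
    if (script.includes("'unsafe-eval'"))
      findings.push("script-src: 'unsafe-eval' allows string-to-code execution");
    // 'strict-dynamic' makes browsers ignore host and scheme sources.
    if (!script.includes("'strict-dynamic'"))
      for (const s of broad(script)) findings.push(`script-src: broad source ${s}`);
  }
  // Directives that bound where a script on the page can send data.
  for (const [name, fb] of [['connect-src', true], ['img-src', true], ['form-action', false]]) {
    const values = effective(name, fb);
    if (!values) findings.push(`${name}: not set, destinations unrestricted`);
    else for (const s of broad(values)) findings.push(`${name}: broad source ${s}`);
  }
  return findings;
}
```

Calling `auditCheckoutCsp(WEAK)` returns five findings, while `auditCheckoutCsp(STRICT)` returns an empty list.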
