Web skimming attacks are essentially software supply chain attacks: by compromising a single third-party web application, attackers can reach the hundreds or thousands of websites that use it.
When a user or customer opens the website in a browser or on a mobile device, the malicious code is downloaded to the user’s browser along with the legitimate third-party code. Because the malicious code is downloaded from the third-party servers, the website owner has no logs or other indications that the malicious code exists or that anything suspicious is happening.
After the payload is executed, the script harvests payment card numbers and personal information as users enter them and sends the data to the cybercriminals; it is later sold on the dark web. The most common targets are checkout and payment pages. To make matters worse, web skimming exploits often linger for long periods before the website owner discovers them.
Here are just a couple of “scary” web skimming techniques used recently:
- The Gocgle Campaign – Security researchers exposed the Gocgle campaign in 2020; it had essentially been active since late 2019, just like the COVID-19 pandemic. The campaign is tailored around Google products such as G-Analytics and uses the uncanny naming similarity to trick users and security teams alike. This skimmer is probably still active on hundreds of websites.