Web skimming


Web skimming is a form of internet or carding fraud whereby a payment page on a website is compromised when malware is injected onto the page via compromising a third-party script service in order to steal payment information.
A report in 2016 suggested as many as 6,000 e-commerce sites may have been compromised via this class of attack. In 2018, British Airways had 380,000 card details stolen in via this class of attack. A similar attack affected Ticketmaster the same year with 40,000 customers affected by maliciously injected code on payment pages.

Magecart

Magecart is software used by a range of hacking groups for injecting malicious code into ecommerce sites to steal payment details. As well as targeted attacks such as on Newegg, it's been used in combination with commodity Magento extension attacks. The 'Shopper Approved' ecommerce toolkit utilised on hundreds of ecommerce sites was also compromised by Magecart as was the conspiracy site InfoWars.

Defence

Normal security practices are recommended such as vendor assessment, server patching, access control and external penetration testing. In addition, use of content security policy and subresource integrity configurations can prevent malicious script modifications. In addition to the best practices highlighted above, there are also vendors that provide mitigation against Magecart and web skimming attacks.