The biggest threat this holiday season isn’t coal in your stocking — it’s web skimming

Users can take steps that will help them combat ongoing attacks on their networks


Over the past few years, an emerging security threat called web skimming has been causing headaches for big brands and consumers. In just the past few weeks, Macy’s, a beauty store owned by Procter & Gamble, an apparel site called Sixth June, and the online store at the American Cancer Society were all victims of web skimming attacks.

Web skimming, also known as e-skimming, is possible because of the prevalence of JavaScript being used in web apps and websites. Developers typically use JavaScript libraries to implement features like chat widgets, Facebook “like” buttons, analytics, and advertising retargeting tools. Hackers, like Magecart, have also discovered that infecting a third party that is hosting a popular script is an easy avenue to breach many websites. Third-party script repositories can make for easy targets as they don’t always undergo stringent internal security vetting, but the scripts they host still run in the browser alongside all other website code with the same level of access.

Unless a security team puts strict policies in place, any script, whether created in-house or created or hosted by a third party, can access any data within the webpage, including information customers enter into forms or that is stored in cookies. When hackers compromise a script, they are able to copy the information a user enters into forms and send it to another location, where it is then used in other types of attacks or resold on the dark web.
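One way a site owner can measure this exposure, as an added example that is not code from the article: the script below inventories the external scripts in a page's HTML and flags third-party ones that carry no Subresource Integrity (`integrity`) attribute. The sample HTML, the `.example` hosts and the function names are constructed, and SRI is assumed here as one such policy; the article does not name a specific control.

```javascript
// Added example, not from the article. SAMPLE_HTML and the *.example hosts are
// constructed; "sha384-PLACEHOLDER" stands in for a real SRI digest.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/chat-widget.js"></script>
<script src="https://analytics.example/tag.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//ads.example/retarget.js" async></script>
<script>var inline = 1;</script>
</head><body><form><input name="cardnumber"></form></body></html>`;

// Parse the attribute text of one opening tag into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s=>"'\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// List every external script in the static HTML and flag third-party ones that
// carry no integrity attribute, i.e. whose host can change the code unnoticed.
// Simplification: a regex scan, so scripts injected at runtime are not seen.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline script: served with the page itself
    const url = new URL(attrs.src, pageUrl); // resolves relative and // URLs
    const thirdParty = url.origin !== pageOrigin;
    const hasSri = Boolean(attrs.integrity);
    findings.push({ src: url.href, origin: url.origin, thirdParty, hasSri,
                    unpinned: thirdParty && !hasSri });
  }
  return findings;
}

// Origins whose scripts run with full page access and are not pinned by SRI.
function unpinnedOrigins(html, pageUrl) {
  const hits = auditScripts(html, pageUrl).filter((f) => f.unpinned);
  return [...new Set(hits.map((f) => f.origin))];
}

console.log(unpinnedOrigins(SAMPLE_HTML, "https://shop.example/checkout"));
```

SRI only detects that a hosted file has changed; a pinned script still runs with the same access to form fields as any other code on the page.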

Any website is at risk of being hit by a web skimming attack. Hackers can, and will, gather personal information, such as credit card details, usernames, passwords, and social security numbers to use or sell. This is particularly dangerous around the holidays when online sales increase significantly. Consumers need to be aware of this threat because the damage of a web skimming attack can be staggering: in 2018, for example, Magecart got its hands on the payment details of 500,000 British Airways customers, leading to a $230M GDPR-related fine. 

Unfortunately, most websites offer very little transparency for consumers around who can access their personal information. For example, if a holiday shopper enters their email address into a travel-booking site, they have no way of knowing if the website keeps that information private or if it shares it with a third-party provider such as an advertising tracker or a social network. And, while the third-party entity (if given data access) may not use the information illicitly, you still, by proxy, must hope that both they and the travel-booking site are securing your data. If a third-party vendor is compromised, any business that uses their code — like the travel-booking site that customers provided their credit card number to — could inadvertently be enabling attackers to steal sensitive information any time that page is loaded in a customer’s browser.

In this uncertain security landscape, here are a few things you can do to keep your private data safe:

  • Make the websites you visit more transparent -- The first step to protecting your private information from web skimming hackers such as Magecart is to become more informed about how websites are using your data. There are free Chrome plugins that make this possible. These plugins make it easy for you to see if a website you visit has third parties currently accessing your private information, whether from form fields or stored in the site’s cookies. These plugins specifically show you what pieces of information are accessible (such as your username, password, or credit card number) and which third parties are accessing them.
  • Avoid insecure sites whenever possible -- Let’s say you’re doing your holiday shopping, and you realize a website you are considering buying gifts from is sharing (whether intentionally or not) your payment details with a third-party provider. What can you do? Your most effective form of self-defense in this situation is to avoid using the site altogether. See if you can find a similar product from a different, more secure vendor, and do your shopping there instead. No gift is worth the price of a compromised credit or gift card — especially during the holidays.
  • Create complicated and unique passwords -- Of course, blacklisting sites that share your private information might not always be feasible. For example, you could discover your bank is sharing your password with third parties, even if by mistake. Switching the websites you buy your holiday gifts from is one thing, but changing banks is an entirely different, more arduous ordeal.

This scenario is why it’s important to ensure you’re using complex, unique passwords for all your accounts. Consumers today tend to have very poor password habits. Research shows 66% of people reuse the same password for multiple accounts, and 83% rely on short, weak passwords. However, if you log into a website that shares a password you are simultaneously using for other websites, you risk giving hackers access to more of your accounts. 

So if your bank (or doctor’s office, or favorite clothing store, or travel-booking site) is sharing data with third parties, and you don’t want to abandon it altogether — at a minimum, you should ensure you use a strong, unique password. This should at least ensure that the information you store in other accounts is safe.

Web skimming is a serious threat, but it doesn’t have to be (and you don’t need to be a victim). There are small steps we all can take to protect our data from hackers’ prying eyes. The most important thing you can do is to become better informed about how web skimming attacks work and learn which sites are leaving your data vulnerable. From there, you can make better decisions about where you decide to shop, bank, book tickets, and more online.

About the author: Natalie Lambert is the Chief Marketing Officer at Instart and has 15 years of enterprise technology marketing experience. Her career began at Forrester Research where she was a principal analyst covering end-user computing. In that role, she advised clients on technology investments and best practices surrounding the enterprise computing environment.

Most recently, she was the Chief Marketing Officer at Sapho, an enterprise software company that was acquired by Citrix. Prior to Sapho, Natalie spent seven years at Citrix where she held multiple product marketing leadership positions, including having responsibility for the company’s multi-product solutions, thought leadership efforts, and positioning of Citrix as a leader in digital workplace technologies.

Natalie has been widely quoted in the press, including outlets such as The New York Times and The Wall Street Journal, and has written for Wired, Forbes and