{
	"id": "6e1a3ed4-c892-4a02-b53d-ff207440db8b",
	"created_at": "2026-04-06T00:15:56.314109Z",
	"updated_at": "2026-04-10T03:24:30.186025Z",
	"deleted_at": null,
	"sha1_hash": "7e621fd5ba97bd5ae4c19d0f28b0b8e4e0622726",
	"title": "Digital skimmers: Keeping card details safe online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58851,
	"plain_text": "Digital skimmers: Keeping card details safe online\r\nBy Trend Micro ( words)\r\nPublished: 2019-08-07 · Archived: 2026-04-05 21:43:39 UTC\r\n\"A few weeks ago, British Airways was hit by the largest ever regulatory fine of its kind, after global customers\r\nvisiting its website had their card data stolen. The $228m penalty levied by the UK’s privacy watchdognews\r\narticle reflects the seriousness of the attack and the carrier’s failure to protect its customer’s personal and financial\r\ninformation. However, this incident has repercussions way beyond the UK airline and its customers. It’s part of a\r\nnew wave of attacks designed to implant “digital skimming” code on e-commerce sites, in order to siphon off your\r\ncard details as they are entered in to pay for goods.\r\nAlthough tens of thousands of websites have been caught out in this way, there are things you can do to stay safe\r\n—most notably by running Trend Micro Security. But first, here’s more on what you need to know.\r\nThe story so far\r\nData breaches are so often in the news headlines today, that you could be forgiven for becoming a little\r\ndesensitized. From retailers like Target and Home Depot to government breaches at agencies including the Office\r\nof Personnel Management (OPM), and from financial organizations like Equifaxnews article to tech giants like\r\nYahoonews article, billions of our personal records have been stolen by cyber-thieves over the past few years.\r\nYet in all of these cases, there has been little the customer could do about it. That’s because the hackers target the\r\norganization directly. They find ways to bypass its security controls and sneak inside the company networks to\r\nfind what they’re looking for: usually databases full of customer data.\r\nA new type of data breach\r\nHowever, these new digital skimming attacks are different. In what way? They involve a hacker deploying\r\nmalicious code known as Magecart to an organization’s website. This code is typically designed to stay hidden,\r\nunder the radar of the company. And it has a very specific purpose: to steal customer card details as they are\r\nentered into the site during payment. In short, it’s the digital equivalent of those physical skimming devices that\r\ncriminals insert into ATMs to steal card data as it’s entered: it’s highly effective and happens completely without\r\nthe knowledge of the cardholder.\r\nBy using this method, the hackers get access to the full card details, which have a higher resale value on the\r\ncybercrime black market. The problem (for them) with the more traditional types of attack targeting back-end\r\ndatabases, is that these organizations may store card data encrypted, or else minus the crucial CVV/CV2 code.\r\nMagecart attacks get around that.\r\nWhat sites are at risk?\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-malware/\r\nPage 1 of 3\n\nIndeed, the Magecart attackers have proven over the past year that no website is safe from skimming attacks.\r\nWhether it’s a big-name e-commerce brand like Newegg, a national airline, a global ticketing site (Ticketmaster),\r\nor even online campus stores serving nearly 200 universities in the US and Canada–as long as they accept online\r\npayments, they’re at risk.\r\nMagecart is so effective that multiple groups are said to be using the code, a piece of malicious JavaScript, to\r\ninfect websites around the world. And they’re developing new tools and tactics all the time to improve their\r\nmonetization. These include:\r\n \r\nInfecting third-party companies which supply code to other sites (e.g., those that provide online ad\r\nservices). Thus, with just one attack, the hackers can get their Magecart code onto potentially\r\nthousands of payment pages.\r\nUsing automated tools to scan the internet for companies that may be running unsecured servers,\r\nwhich they can then infect with Magecart. Some 17,000 sites were recently compromised in this\r\nway. In a separate attack, 962 online stores were hit in just 24 hoursnews article.\r\nDeveloping new skimming code which is usable across as many different payment pages as\r\npossible. The record is 57 different payment gatewaysnews article, which makes the hackers’ job\r\nmuch easier as they can launch attack campaigns across the globe with the same tools\r\n   \r\nAll this is bad news for online shoppers. So how do you know that the site you’re entering card data into is safe?\r\nWhat can you do to stay safe?\r\nUnfortunately, there’s nothing obvious that differentiates a website infected with Magecart from any other site. It\r\nwill look completely normal and will allow you to pay in the usual manner. The only difference is that, in the\r\nbackground, a tiny piece of code will be stealing your data and transferring it to the hackers. So what can you do\r\nto protect yourself?\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-malware/\r\nPage 2 of 3\n\nYou could try to avoid smaller sites that may not have the same level of security as larger ones.\r\nHowever, as we’ve seen, Magecart has hit big-name brands as well as less well-known companies.\r\nAnother option would be to use a browser plug-in like NoScript for Firefox that prevents\r\nJavaScript loading from other untrusted sites – although this won’t prevent you getting potentially\r\nstung if the well-known and trusted site you’re on is compromised\r\nPayment systems like Apple Pay and Google Pay can offer more protection. They use a one-time\r\ngenerated series of numbers for each transaction, so that if attackers get their hands on it, they\r\nwon’t be able to use it in the future.\r\nIt goes without saying that you should keep a close eye on your card statements/bank account at all\r\ntimes – watching out even for small amounts that hackers may be making to test if your card is still\r\nactive.\r\nHowever, the most effective way to stay safe is to use Trend Micro Security.\r\n   \r\nHow Trend Micro can help\r\nTrend Micro Security features two key mechanisms to help stop Magecart attacks:\r\n \r\nIt can detect whether the website you want to visit has been injected with skimming code, and\r\nblock you from visiting the URL (via web reputation), as well as from going to malicious domains\r\nthe skimming code has access to.\r\nIt uses a combination of techniques (via its Advanced Threat Scanning Engine and TrendX-File\r\nmachine learning) to detect whether the malicious JavaScript code has landed on your local drive\r\nand is ready to run in your browser – and then blocks it. This can spot both Magecart and similar\r\ndigital skimming code.\r\n   \r\nRead our Security Intelligence Blog for more technical details on Magecart. Then go to our Security Products\r\nOverviewproducts to get Trend Micro Security. \"\" \"\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-malware/\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-malware/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-malware/"
	],
	"report_names": [
		"home-depot-breach-linked-to-blackpos-malware"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e621fd5ba97bd5ae4c19d0f28b0b8e4e0622726.pdf",
		"text": "https://archive.orkl.eu/7e621fd5ba97bd5ae4c19d0f28b0b8e4e0622726.txt",
		"img": "https://archive.orkl.eu/7e621fd5ba97bd5ae4c19d0f28b0b8e4e0622726.jpg"
	}
}