Formjacking and Chargebacks

Savvy consumers have known for some time now to be aware of credit card skimmers, little electronic devices that fraudsters install in gas pumps and other inadequately-supervised credit card reading devices.

When a customer places their card in the reader to make a payment, the skimmer copies their credit card information for the fraudster to retrieve later. Crack open any local newspaper and sooner or later you’re likely to find a warning from a law enforcement agency about skimmers spotted at a rural gas station or out-of-the-way ATM.

New call-to-action

You might think that as an ecommerce merchant, skimmers are one fraud scheme you don’t have to worry about. Unfortunately, skimmers are going digital. Consumers who fall victim to this new “eskimmer” technology will surely file chargebacks against the unauthorized charges that fraudsters put on their cards, and merchants have no legitimate means to fight chargebacks based on true fraud.

Even though the merchants whose sites get targeted by eskimmer operators are just as much the victims as the cardholders themselves, they are the ones who will end up liable for the fraudulent charges under the rules of the major card networks. Therefore, it is up to merchants to learn all about eskimmers, how they work, how fraudsters install and operate them, and how to protect your site—and your customers—from their predations.

What They Are

A traditional skimmer is an actual, physical electronic device that fits into a card reader slot and reads the magnetic stripe of the card at the same time as the real card reader. It may store the payment credentials to physical media for later retrieval, or it may electronically transmit the information to a secondary device controlled by the operator.

eSkimmers, on the other hand, are a type of malware, a software program that installs itself without the host’s permission and takes active steps to conceal itself from detection and removal. eSkimmers can be designed to hide themselves in various ecommerce software programs. Shopping cart applications are a common target because they directly handles sensitive customer input—as soon as the customer types their credit card information into a compromised shopping cart app, the eskimmer has their data.

Third-party advertising network software can also be used as a vehicle for eskimmers. Hackers will exploit vulnerabilities in the JavaScript used by the ad network to insert malicious code in the host website, infecting them in a manner that is extremely difficult to detect and avoid.

An active eskimmer can harvest all sorts of private customer data—not just credit card payment credentials, but also names, passwords, dates of birth, security questions, or any other information the customer provides to the compromised website.

How They Are Implemented

Learn How To Fight Them The Smart WayGetting a live eskimmer installed in a secured ecommerce website may be a significant technological challenge, but unfortunately, many fraudsters are up to the task. Armed with detailed knowledge of how payment processing software, shopping cart applications, and ad network scripts work, sophisticated fraudsters write custom-built code designed to attack specific vulnerabilities within their chosen targets.

Once the eskimmer code has been implanted, it lies in wait for an unsuspecting consumer to begin entering personal data. At that point, the eskimmer begins copying their information to remote servers controlled by their operators.

Left undetected, an eskimmer can potentially harvest thousands of individuals’ data, over an extended period of time, without the fraudsters having to lift a finger. At that scale, the value to the fraudster isn’t in using that stolen data themselves. Instead, stolen card and identity data is sold in bulk on the dark web to cybercriminals all over the world. The customer may eventually realize their data has been breached when a petty identity thief uses their information, but this can occur long after the original eskimmer attack began, and it can be extremely difficult to trace the theft back to the compromised website.

One of the most successful eskimmer attacks to date, known as “Magecart” in the cybersecurity industry, refers to a group or gang of hackers (or several loosely-associated groups) that have carried out successive waves of eskimmer attacks against large, high-profile websites such as British Airways, Newegg, and Ticketmaster. Magecart is believed to have been in operation for several years, and while several of its breaches have been discovered, experts cannot say for certain just how many sites it may have compromised.

How to Protect Your Customers

Mounting an effective defense against eskimmers can be challenging. The Magecart attacks, for example, went through various phases of evolution designed to make them extraordinarily difficult to detect with regular anti-malware scanners. One of its most recent iterations involved exploiting misconfigured Amazon cloud storage services.

Nevertheless, using reputable security tools and keeping your shopping cart software and other third-party ecommerce solutions fully patched and updated will at least close up the obvious gaps in security that less-sophisticated fraudsters might be tempted to attack.

Giving your customers the option to use payment methods with added layers of security, such as digital wallets or 3-D Secure technology, can also help minimize the impact in the event that you get targeted by an eskimmer, and can contribute generally to better consumer awareness of how to avoid falling victim to a security breach. Customers don’t always like the inconvenience of things like two-step verification or strong passwords when they first encounter them, but once they become aware of these things, they can begin to understand why it’s important to make use of them.


Few merchants go into the ecommerce business thinking that they’re going to have to become cybersecurity experts on the side, but the reality is that if you want to protect your customers—and your business—from ever-evolving technological threats, you have to stay informed and educated about all the newest, nastiest schemes and malware that fraudsters keep coming up with.

Fraud left unchecked just keeps growing into a bigger and bigger problem until it takes down your entire business. Fraudsters share tips with each other, and when they know a particular website is vulnerable, they’ll target it repeatedly for as long as they can. Every fraudulent charge that makes it through is likely to turn into a chargeback, and once your chargeback rate starts going up and the fees start mounting, it can be very difficult to recover. Arm yourself with knowledge so that you can face fraud head-on and stop it before it becomes overwhelming, and don’t forget to get help from the experts when you need it.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:

Download your copy of An Introductory Guide to E-Commerce Fraud Prevention

Ready to Start Reducing Chargebacks?