Skip to content

Trending tags

Avoiding skimmers, scammers and crooks during holiday online shopping season

Jason Sattler

16.11.18 4 min. read

The term “Cyber Monday” was first coined in 2005 to describe what would become one of the biggest online shopping days of the year that people began spotting ATM skimmers.

Affixed to the mouth of the card readers on bank cash machines, skimmers suck up customers’ bank account and PIN information—and then their money. These hidden electronic devices have gotten slimmer and sneakier over the last decade.

Still, an informed observer can with a little close inspection generally spot a skimmer on an ATM, a gas pump, or in a point-of-sale credit card machine.

A new sort of skimmer

Thieves always follow the money. With this year’s online sales expected to reach nearly half a trillion dollars in the U.S. alone, it makes perfect sense that a new sort of skimmer has appeared in the last few years. This one is impossible to spot, and chances are the criminals behind it are very excited about this year’s online holiday shopping season beginning.

Online skimmers target ecommerce sites exclusively.

Pushed by a group of criminals—or a group of groups of criminals—called Magecart, digital skimmers use a simple, usually obfuscated JavaScript steals credit card information as an online shopper tries to complete a purchase. Click “Check Out” and your data will be sent to the attacker’s command-and-control server.

How do skimmers infect ecommerce sites?

Magecart began by targeting online stores using Magento’s tools, locating old vulnerabilities in the platform into which they’d inject their skimmer code. No specific stores seemed to be targeted; rather, the criminals went after the platform in general.

More recently the group has gone after third-party tools used by ecommerce sites, including SocialPlus, an analytics tool, and Inbenta, a chat service.

And this has helped Magecart become close to a household name with hacks of massive sites like, and British Airways. These recent attacks seem carefully targeted, which makes sense considering the massive rewards that can come from hacking the largest ecommerce sites in the world.

So what can you do to avoid being skimmed?

Magecart complicates one of the key pieces of online shopping advice that cyber security experts have offered in recent years: stick to trusted retailers and go directly to those retailers’ sites to search and shop in order to avoid phishing scams and bad search results.

This is still pretty good advice, especially when it comes to training yourself not to click on any URLs in spam emails. However, since digital skimmers are invisible and increasingly targeting high-profile, trusted sites, you cannot be certain to avoid them by just sticking to the retailers with proven reputations.

The best way to avoid online skimmers is to follow the most basic cyber security advice: only shop on a PC running updated security software and never shop on public Wi-Fi without running a VPN on your device.

F-Secure detects the skimmer scripts, blocks connections to Magecart’s command and control servers and blocks traces of the JSObfuscator often used by the threat, protecting you from the group’s known tricks.

More online shopping safety tips to avoid scammers

When you’re shopping during a stressful time when thieves know you’re likely to make quick, silly decisions, the basics of cyber security matter most.

  • In addition to running security software and a VPN with browsing protection to block known malicious sites, you should create strong, unique passwords for any ecommerce site where you create an account.
  • Avoid scams by assuming anything that seems “too good to be true” will cost you big, especially when you’re dealing with a seller you don’t know personally directly through an online bidding or bulletin board site.
  • Use one specific browser for all of your shopping and financial transactions. And don’t use it for anything else, especially social media.
  • Restrict your purchases to one credit card and check that credit card’s transactions and balances regularly—at least every few days—during the holiday season.

The most important thing is to stay calm and not make rushed decisions, even as the holidays near and time runs short. The good news is that if you spent the time to read this entire article, there’s a pretty good chance you’ve got the kind of focus you need to avoid all skimmers and scammers this holiday season.

Jason Sattler

16.11.18 4 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.