Europol Discovers Web Skimmers on 443 Online Stores
Europol has notified the owners of more than 400 online stores that their websites were hacked and infected with malicious scripts designed to steal debit and credit card data from shoppers.
Web skimmers are small JavaScript snippets that are embedded on checkout pages or loaded from remote resources to avoid detection. These malicious scripts are intended to intercept and steal payment card data, names, and shipping addresses, which are then sent to servers controlled by cybercriminals.
Hackers later use the stolen data to make unauthorized transactions (such as online purchases) or resell the stolen card information to other cybercriminals on the dark web.
Law enforcement officials note that such attacks can sometimes go unnoticed for several months, allowing cybercriminals to collect large amounts of data depending on the popularity of the compromised online stores.
International Operation and Key Findings
According to experts, during a two-month international operation coordinated by Europol and led by Greek authorities, law enforcement agencies from 17 countries—including the United States, United Kingdom, Germany, Colombia, Spain, the Netherlands, and others—along with private cybersecurity companies such as Group-IB and Sansec, discovered web skimmer infections on 443 websites.
Additional details were shared by Group-IB, which reported finding 23 different families of JavaScript sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin.
Researchers note that these malicious scripts are highly stealthy, often using Google Tag Manager for updates and mimicking Google Analytics code to avoid detection during website code reviews.
According to Group-IB, there were a total of 132 web skimmer families infecting websites worldwide in 2023.