A newly observed global campaign is exploiting the trust users and security tools place in legitimate websites. In this silent skimming attack, malicious scripts are loaded from previously trusted domains—specifically compromised e-commerce sites—and steal PCI and PII data without raising immediate suspicion. Source Defense research has detected dozens of incidents worldwide, stretching across Asia, Europe, the U.S., and Australia, with the stolen data exfiltrated to the malicious domain cdn-report[.]com.
The attached images demonstrate this tactic: several different malicious scripts (such as formData.js, data.js, and loader.js) were stored on the same compromised domain (luluatalmaghrib[.]com). The images show how the hacker customized different payloads, making the attack versatile and more difficult to detect.
Attack details
The Source Defense Research Team has identified a new wave of silent skimming attacks leveraging compromised legitimate domains to distribute malicious scripts. Unlike previous skimming campaigns that typically use suspicious or newly-registered domains, this method uses trusted e-commerce websites to deliver the malicious code, significantly reducing the chance of raising security alerts.
In this attack, the malicious script is loaded directly from a seemingly legitimate, compromised domain. Once embedded, it silently captures sensitive customer information (PCI and PII) during the checkout process without displaying any double forms or suspicious prompts. All stolen data is then sent to a well-known malicious domain: cdn-report[.]com.
This attack has been identified across dozens of websites globally, affecting companies in Asia, Europe, the US, and Australia. Moreover, in several instances, the attacker hosted multiple versions of the malicious script on the same compromised domain, tailoring each one to match the unique structure of various e-commerce platforms.
Ongoing evolution of the attack
Source Defense originally detected this threat over a year ago and issued an alert on our X/Twitter channel at that time. Since then, we have observed an increasing number of legitimate domains being compromised and weaponized to serve malicious scripts. Alarmingly, some previously attacked websites are now being re-targeted by different compromised domains utilizing the same stealthy technique.
Despite the obvious threat, most of the compromised domains involved in this campaign are not blacklisted by external vendors, making traditional blacklist-based defenses ineffective.
How does Source Defense protect you from such attacks?
Despite the multiple methods of disguise, rest assured that even this elusive attack will be detected and blocked by Source Defense. This is made possible through our ongoing active intelligence research, which ensures that the latest malicious domains are promptly identified, blacklisted, and blocked by our system—for customers using the Protect product. In addition, our advanced technology provides rich attack details and triggers alerts, regardless of which Source Defense product is in use.
How will you be alerted?
If a malicious script attempts to load on a site protected by Source Defense—even through multiple layers of Google Tag Manager (GTM) containers, and even when injected dynamically through the DOM—you’ll receive immediate alerts:
- New script identified: flags unknown or suspicious scripts
- New behaviors identified:
  ○ Accessing PCI data
  ○ Accessing PII data
  ○ Loading script from blacklisted domain
  ○ Sending data to blacklisted domain
These alerts would be prominently displayed in:
- The bell notification center
- The dashboard summary (marked in red)
- The 'Found in blacklists' and 'Script behaviors' widgets with suspicious activity, both highlighted in red
It’s important to note that these flagged domains may not yet be recognized by external blacklist providers—but they are proactively identified and classified as blacklisted within our system.
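As an added defender-side illustration (not code from this post or from Source Defense), the script below applies the alert logic described above to a constructed network log captured from a checkout page, and shows why an allowlist is needed when the serving domain is reputable but not yet on any blacklist. The allowlist hosts, the event format and the sample log are assumptions; the compromised domain and the collector domain are the ones named in the post.

```python
import json
from urllib.parse import urlsplit

# Assumed site configuration (constructed for this example): hosts the storefront is
# expected to load scripts from or send data to. An allowlist is what catches a
# compromised-but-reputable domain that no external blacklist has flagged yet.
ALLOWLIST = {"shop.example", "www.googletagmanager.com"}
# Local intel blacklist; cdn-report.com is the exfiltration domain named in the post.
BLACKLIST = {"cdn-report.com"}

def refang(indicator):
    """Turn a defanged indicator such as cdn-report[.]com into a usable hostname."""
    return indicator.replace("[.]", ".")

def host_of(url):
    """Lower-cased hostname of a URL, or '' if the value has none (e.g. 'inline')."""
    return (urlsplit(url).hostname or "").lower()

def classify(event):
    """Map one network event from a checkout page to an (alert, host) tuple or None."""
    host = host_of(event["url"])
    if not host or host in ALLOWLIST:
        return None
    listed = host in BLACKLIST
    if event["type"] == "script":
        return ("Loading script from blacklisted domain" if listed
                else "New script identified", host)
    # xhr, fetch, beacon and image requests can all carry data off the page
    return ("Sending data to blacklisted domain" if listed
            else "Sending data to unknown domain", host)

def triage(log_lines):
    """Parse newline-delimited JSON events and return every alert raised."""
    alerts = []
    for line in log_lines.strip().splitlines():
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed event log modelled on the campaign: GTM loads normally, the skimmer is
# served from a compromised legitimate store, and card data leaves via the collector.
SAMPLE_LOG = "\n".join([
    '{"type": "script", "url": "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"}',
    '{"type": "script", "url": "https://%s/formData.js"}' % refang("luluatalmaghrib[.]com"),
    '{"type": "xhr", "url": "https://%s/collect"}' % refang("cdn-report[.]com"),
])

if __name__ == "__main__":
    for alert, host in triage(SAMPLE_LOG):
        print(f"{alert}: {host}")
```

Only the allowlist miss raises the alert for the compromised store domain; the collector is caught by either list.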