
Holiday IR Playbook: Web Skimming and Credential‑Stuffing at Retail Scale

4n6 Beat
4 min read

Retailers see elevated risk during Black Friday and Cyber Monday, with advisories emphasizing exposure management (fix misconfigurations, enforce MFA, patch web apps and infrastructure) and pre-staging detections for web skimming and credential-stuffing to shorten time-to-containment. (cybersecasia.net)

Intrusion Flow

  • Client-side web skimming (Magecart-style)

    • Initial access: exploit public-facing apps/CMS, stolen admin creds, or supply-chain injection to place malicious JavaScript. (trustwave.com)
    • Data capture: injected script hooks payment/checkout DOM, validates card data (e.g., Luhn), and encodes exfil (often Base64). (trustwave.com)
    • Exfiltration: outbound beacons via XHR/WebSocket/IMG requests, sometimes disguised as analytics or image loads. (akamai.com)
    • Server-side variants: malware persists in templates/filesystems or databases; data is staged and periodically exfiltrated to reduce noise. (sansec.io)
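The skimmer traits listed above (Luhn filtering, Base64 encoding, exfil dressed up as image or analytics loads) give a defender concrete things to hunt for. As an added example, not code from the original post, this script triages outbound requests that a proxy recorded from the checkout page; the allowlist, the log line format and the sample lines are constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs
# Assumption: hosts a checkout page is expected to contact (constructed allowlist).
ALLOWED_HOSTS = {"shop.example.com", "cdn.example.com", "analytics.example.com"}
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
LOG_RE = re.compile(r"referer=(\S+) url=(\S+)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: skimmers use it to filter card data, so the hunt uses it too."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_b64(value: str) -> str:
    """Best-effort decode of standard or URL-safe Base64; '' when it is not Base64."""
    tok = value.replace("-", "+").replace("_", "/")
    tok += "=" * (-len(tok) % 4)
    try:
        return base64.b64decode(tok, validate=True).decode("utf-8", "ignore")
    except ValueError:
        return ""

def triage_request(url: str) -> list:
    """Reasons one checkout-page request looks like skimmer exfil ([] means clean)."""
    u, reasons = urlparse(url), []
    if u.hostname not in ALLOWED_HOSTS:
        reasons.append("host-not-allowlisted")
    if u.path.lower().endswith((".gif", ".png", ".jpg")) and len(u.query) > 20:
        reasons.append("image-request-carrying-payload")  # "pixel" with a fat query string
    for v in (v for vals in parse_qs(u.query).values() for v in vals if len(v) >= 16):
        if any(luhn_ok(m) for m in PAN_RE.findall(decode_b64(v))):
            reasons.append("luhn-valid-pan-in-base64")
    return reasons

def hunt(log_lines: list) -> list:
    hits = []  # [(url, reasons)] for requests initiated from /checkout that trip a rule
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and "/checkout" in m.group(1) and (reasons := triage_request(m.group(2))):
            hits.append((m.group(2), reasons))
    return hits

# Constructed sample proxy lines; the PAN is a well-known Luhn-valid test number, not real data.
SAMPLE_BLOB = base64.b64encode(b"4532015112830366|cv=123").decode()
SAMPLE_LOG = [
    "2024-11-29T02:11:03Z referer=https://shop.example.com/checkout url=https://analytics.example.com/collect?ev=pageview",
    f"2024-11-29T02:11:04Z referer=https://shop.example.com/checkout url=https://cdn-stats.example.net/pixel.gif?d={SAMPLE_BLOB}",
    "2024-11-29T02:11:05Z referer=https://shop.example.com/ url=https://cdn.example.com/img/logo.png",
]
```

Feed `hunt()` the real proxy or CSP-report export for the checkout path and review every hit; the allowlist is the part worth maintaining carefully before the holiday window.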
  • Credential-stuffing → ATO (account takeover)