According to new longitudinal research covering 550 compromised e-commerce websites across 68 countries, eSkimming campaigns have developed far beyond one-time incidents. The results show that persistent client-side attacks have become a systemic problem for the digital retail ecosystem, challenging the conventional incident response wisdom that equates discovery with recovery.

Over a 12-month period, the study monitored previously compromised sites and found a concerning pattern: one year after the initial detection, 18% of previously compromised websites are still actively compromised. More importantly, 57% of these persistently infected sites no longer host the original skimming malware, which shows that threat actors successfully modified their attack infrastructure after remediation attempts.

Important Study Results

Source Defense tracked ~3,600 known victims from a year ago and narrowed the set to 550 active sites for a realistic recovery analysis, disregarding offline sites in order to concentrate on running businesses.

Figure: Geographic Analysis: An International Danger (Source: sourcedefense)

| Category | Sites | Share | Notes |
|---|---|---|---|
| Clean | 452 | 82% | Of the sites analyzed; no active skimmers were found |
| Infected | 98 | 18% | Active skimming is still in place |
| Infected with New/Evolved Paths | 56 (of 98) | 57% | New attacks, not remnants |
| Offline (from the initial pool) | | 16% | Possible warning sign for unresolved attacks |

This table highlights the disparity: almost one in six sites never completely cleans up.

Attackers adjust quickly. When defenders blocked third-party scripts, adversaries embedded their code in first-party JavaScript; 12% of campaigns changed in this way. Remediation pushes threats deeper, into the core logic of the site.

Global Reach, Varied Persistence

The danger transcends national boundaries.

The U.S. (33% of active sites) and U.K. (9%) dominate the sample, but persistence hits everywhere.

| Country | Share of Active Websites | Persistence Rate |
|---|---|---|
| Spain | Not specified | 23% (highest) |
| Germany | Not specified | 4% (lowest) |
| Average | | 18% |

Germany's low rate suggests improved discipline or controls. Spain's high rate indicates areas of vulnerability.

No part of the world is immune. After being discovered, 16% of the compromised websites went offline. Although this has not been shown to be causal, it points to business risk from residual exposures. Here, conventional tools fall short.

CSPs examine static code, while WAFs scan servers. eSkimming runs at runtime on the client side, so cleanups miss pivots. “Attackers watch and innovate,” the report notes.

Block one path, and they switch domains or embed deeper. Without browser monitoring, they persist.

Figure: Persistent eSkimming Evolves Undetected (Source: sourcedefense)

Source Defense pushes runtime controls: track all scripts, flag risky behaviors like payment form access, and block exfiltration in real time.

The company promotes its browser-based tool, which lets users see what scripts do, including trusted ones. By identifying phony forms and stopping data grabs, it turns reactive cleanups into proactive defense. This is a business risk, not just a technological failure.

Unseen skimmers can destroy websites, steal card data, and undermine trust. Businesses need to implement ongoing client-side monitoring. Point-in-time fixes invite return visits as Magecart groups evolve. Browser-level eyes are necessary for true recovery.
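
The finding that most persistent infections no longer use the original skimmer can be illustrated with a post-remediation check. The following is an added example, not code from Source Defense or the report; the inventory format, host names and digests are constructed placeholders, and `readsPaymentFields` is a hypothetical flag that a browser-side collector might report.

```javascript
// Added example: post-remediation review of scripts seen on a checkout page.
// All hosts, paths and digests below are constructed placeholders.

// Approved script inventory captured after cleanup (hypothetical format).
const baseline = [
  { src: "https://shop.example/js/checkout.js", digest: "sha256-AAA" },
  { src: "https://payments.example/sdk.js", digest: "sha256-BBB" },
];

// Host used by the skimmer in the original incident (constructed).
const originalIocHosts = new Set(["cdn-stats.example"]);

// What a browser-side collector reported a year later (constructed).
const observed = [
  { src: "https://shop.example/js/checkout.js", digest: "sha256-CCC", readsPaymentFields: true },
  { src: "https://payments.example/sdk.js", digest: "sha256-BBB", readsPaymentFields: true },
  { src: "https://img-metrics.example/t.js", digest: "sha256-DDD", readsPaymentFields: true },
];

const hostOf = (src) => new URL(src).host;

// IoC-only check: looks only for infrastructure seen in the first incident.
function iocOnlyCheck(scripts, iocHosts) {
  return scripts.filter((s) => iocHosts.has(hostOf(s.src))).map((s) => s.src);
}

// Baseline diff: flags anything that changed or appeared since the approved state.
function baselineDiff(scripts, approved, firstPartyHost) {
  const approvedBySrc = new Map(approved.map((s) => [s.src, s.digest]));
  const findings = [];
  for (const s of scripts) {
    const expected = approvedBySrc.get(s.src);
    let reason = null;
    if (expected === undefined) reason = "unapproved-script";
    else if (expected !== s.digest) {
      reason = hostOf(s.src) === firstPartyHost ? "first-party-modified" : "third-party-modified";
    }
    if (reason) findings.push({ src: s.src, reason, readsPaymentFields: Boolean(s.readsPaymentFields) });
  }
  return findings;
}

console.log("IoC-only hits:", iocOnlyCheck(observed, originalIocHosts));
console.log("Baseline findings:", baselineDiff(observed, baseline, "shop.example"));
```

On this sample the IoC-only check reports nothing, while the baseline diff flags both the modified first-party checkout script and the new third-party host.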