A new rash of highly covert card-skimming malware infects ecommerce sites — How to Identify & Stay Safe

Severity: HIGH | View Full Scam Details

New in 2026: Highly Covert Card-Skimming Malware Infects Indian E-Commerce Sites

A new wave of card-skimming malware is secretly stealing credit card details from shoppers on popular Indian e-commerce platforms like Flipkart and Amazon, putting millions of online buyers at risk.

What Is the New Rash of Highly Covert Card-Skimming Malware Infecting E-Commerce Sites?

This scam involves cybercriminals injecting invisible malware scripts into the checkout pages of popular e-commerce websites. Unlike typical phishing attacks that rely on fake websites or messages, this malware embeds itself directly into legit platforms, making detection extremely difficult for users and even some site administrators.

The malware is designed specifically to steal credit and debit card details as customers enter their information to complete payments. Scammers often target large Indian e-commerce players such as Flipkart, Amazon India, and Myntra, especially those sites where security isn’t updated regularly. India’s rapid increase in online shopping—spurred by widespread UPI and card payments—has made this scam a high-severity threat, with an estimated risk score of 7 out of 10 by cybersecurity experts at CERT-In and the Indian Cyber Crime Coordination Centre (I4C).

Official advisories from the Reserve Bank of India (RBI) and CERT-In in early 2026 have highlighted these covert skimming attacks as a growing concern, urging merchants to update their security frameworks and shoppers to be extra vigilant.

How This Scam Works — Step by Step

1. Infection of the Website: Cybercriminals exploit weak security loopholes or outdated plugins on e-commerce websites to insert malicious JavaScript code into the payment or checkout page.

2. User Visits Checkout: When a shopper in India selects their items and moves to the payment section, this malware becomes active invisibly in the background.

3. Data Harvesting: As the user types card details such as the credit/debit card number, CVV, expiry date, and sometimes OTPs (one-time passwords), the malware silently copies these details.

4. Fake Interface Layer: Some advanced variants manipulate the page’s look, making it appear user-friendly and genuine while redirecting or storing sensitive data elsewhere without the user’s knowledge.

5. Fraudulent Transactions: Using stolen card info, fraudsters often make unauthorized transactions, sometimes in INR or via international card networks—often before users notice.

6. Evading Detection: Because the malware lives on legitimate websites rather than phishing URLs, blocking suspicious links or messages offers little protection.

7. Psychological Triggers: Scammers create urgency—like fake flash sales or limited stock messages—to rush payments and reduce users’ caution during the checkout.

Real Warning Signs to Watch For

• Checkout pages that suddenly behave strangely or load slowly.
• Unusual popup messages prompting for extra card details beyond regular fields.
• Website URLs without HTTPS or displaying security certificate warnings during payment.
• Fake time-limited discount alerts or urgent “last chance” messages during payment.
• Unexpected SMS OTPs or WhatsApp messages not initiated by you but asking for payment verification.
• Receiving emails or messages from “official” looking but misspelled company addresses.
• Bank alerts about transactions not made by you shortly after online purchases.

What Happens to Victims

Financially, victims often find INR debits from their linked debit or credit cards they never authorized. Because the scam steals card data before transaction authorization, many victims are unaware until they check their bank statements. Unlike UPI transactions that can sometimes be reversed, card fraud can be tougher and longer to dispute, leading to blocked or frozen accounts during investigations.

Emotionally, victims face stress worrying about further misuse of their Aadhaar-linked bank accounts or SIM swap attacks that can hijack phone numbers used for OTPs. The trust shake in digital payments affects people’s willingness to shop online, harming India’s digital economy growth.

What RBI and CERT-In Say

RBI’s 2026 circular on online payment security emphasizes the need for banks to implement stronger transaction monitoring systems to detect unusual payments. The central bank reminds users never to share OTPs or full card details on calls or messages. CERT-In’s advisory stresses timely patching of vulnerabilities by e-commerce platforms and encourages customers to ensure websites use up-to-date TLS encryption.

India’s 1930 Cybercrime Helpline is operational for victims to lodge complaints or seek guidance immediately after suspected fraud. The Indian Cyber Crime Coordination Centre (I4C) also actively monitors such threats and collaborates with platforms to mitigate risks.

How to Protect Yourself

1. Only shop on well-known, HTTPS-secured websites. Look for the padlock icon in the address bar.
2. Avoid using saved cards or auto-fill options on UPI and payment pages.
3. Always verify official alerts on your bank’s app or website before entering card details or OTPs.
4. Don’t rush payments—even flash sale deadlines can be fake.
5. Regularly monitor bank and card statements for unfamiliar transactions.
6. Keep your computer, browser, and payment apps updated with the latest security patches.
7. Use virtual or prepaid cards with a limited balance for online shopping where possible.

What to Do If You’ve Been Targeted

1. Immediately contact your bank or card issuer to block the compromised card and prevent future fraud.
2. Report the incident at cybercrime.gov.in with all details of the transaction and the e-commerce site.
3. Call the 1930 Cybercrime Helpline to seek further assistance and lodge your complaint.
4. Change your login passwords on the affected e-commerce website and related accounts.
5. Monitor your Aadhaar-linked accounts and mobile number to prevent SIM swap or identity theft.
6. File a police report with your local cybercrime unit, especially if large amounts have been stolen.
7. Inform the merchant platform about the incident so they can investigate and purge malware.

Frequently Asked Questions

Q: Can I get my money back if my card details are stolen on an e-commerce site?
A: The RBI mandates banks to investigate and refund unauthorized transactions if you report them promptly, usually within 30 days. Always notify your bank immediately for faster resolution.

Q: How do I know if a website is infected with card-skimming malware?
A: Infection is hard to detect as malware operates invisibly. Check for website security indicators like HTTPS and beware of unexpected popups or slow payment pages to reduce risk.

Q: Will paying through UPI apps protect me from this scam?
A: UPI transactions are generally safer due to direct bank-to-bank transfers and two-factor authentication. However, never enter your UPI PIN or OTP on unknown websites or links and always verify payment requests.

Stay alert and protect your digital payments! If you receive suspicious messages or see unusual payment behavior, verify immediately with BharatSecure.app before proceeding. Your safety online matters.