Covert Card-Skimming Malware on E-commerce Sites — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: CRITICAL

Beware in 2026: Covert Card-Skimming Malware on Indian E-commerce Sites

Online shopping is booming in India, and so are cyber threats such as covert card-skimming malware on e-commerce platforms, a critical phishing scam that puts your bank details at risk.

What Is the Covert Card-Skimming Malware on E-commerce Sites?

Covert card-skimming malware is a sneaky piece of malicious software secretly injected into the payment pages of popular e-commerce websites. This malware waits silently until you enter your payment card details—such as the 16-digit card number, CVV, expiry date, and sometimes even your OTP—to capture everything without your knowledge. These stolen details can then be sold on the dark web or used immediately for fraudulent transactions.

In India, where digital payments via debit/credit cards and UPI are growing rapidly, scammers have turned their focus towards trusted online retailers. They exploit website vulnerabilities, especially on smaller or less-secured e-commerce platforms that may lack robust security updates and monitoring. CERT-In and the Indian government’s I4C initiative have jointly warned about such sophisticated attacks targeting India’s booming digital economy. The Reserve Bank of India (RBI) frequently urges merchants to implement security best practices, but many fall short, leaving users vulnerable.

This scam is widespread across various sectors, including fashion, electronics, and groceries, leading to thousands of victims in India alone. Victims often remain unaware until unauthorized transactions appear on their bank statements or Aadhaar-linked accounts.

How This Scam Works — Step by Step

  1. Site Infection: Fraudsters identify weak e-commerce websites using outdated software or poor security. They inject covert malware scripts onto payment pages, often through stolen admin access or cross-site scripting vulnerabilities.

  2. Shopper Arrives: When you visit such an infected site, everything looks normal — product catalogs, prices, and checkout processes work fine.

  3. Data Capture Begins: When you enter your card or UPI details during checkout, the malware activates silently and sends a copy of your sensitive information directly to the scammer’s server.

  4. Data Exploitation: The fraudsters use the stolen card data for unauthorized purchases or clone the card digitally for further transactions.

  5. Money Drained: Victims only realize something is wrong when unexpected transactions post to their bank or UPI apps, or when their fraud report triggers alerts from RBI or banks.

  6. Delayed Detection: Because the scam cleverly mimics genuine websites, many users don’t think it’s a scam until significant damage has already happened.
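For site owners, steps 1 and 3 point to a concrete check: list every script the checkout page loads and flag anything served from a host the merchant has not approved, any third-party script without a Subresource Integrity hash, and any inline script. The following is an added example, not part of the original article; the host names, the allow-list and the sample page are constructed, and it assumes a checkout page that should carry no inline scripts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the merchant has approved to serve script on checkout.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "pay.gateway.example"}

# Constructed sample checkout page (not taken from any real site).
SAMPLE = """<html><body>
<script src="/static/cart.js"></script>
<script src="https://pay.gateway.example/sdk.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://pay.gateway.example/extra.js"></script>
<script src="https://cdn-analytics.invalid/t.js"></script>
<script>/* constructed inline block */ var x = 1;</script>
</body></html>"""

class ScriptAudit(HTMLParser):
    """Collect every <script> element: its src, its SRI hash, its inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "sri": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def audit_checkout(html, page_host):
    """Return (finding, detail) pairs for scripts that break the page's policy."""
    parser = ScriptAudit()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or page_host  # relative src = own host
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(("unapproved-host", host))
            elif host != page_host and not s["sri"]:
                findings.append(("missing-sri", host))  # third-party script, unpinned
        elif s["body"].strip():
            findings.append(("inline-script", f"{len(s['body'])} chars"))
    return findings
```

Calling `audit_checkout(SAMPLE, "shop.example")` reports the unpinned gateway script, the unapproved analytics host and the inline block, while the first-party and integrity-pinned scripts pass.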

Real Warning Signs to Watch For

What Happens to Victims

Victims often face immediate financial losses as scammers drain money from their bank or UPI-linked accounts. For many, this means their life savings vanish within minutes. In some cases, Aadhaar or mobile SIMs linked to bank accounts are misused in combination with stolen payment data, making recovery even harder. Victims may struggle to reverse fraudulent UPI payments since RBI regulations typically do not allow UPI reversal without the beneficiary’s consent.

Aside from monetary loss, the emotional trauma is significant. Victims report sleepless nights, anxiety, and distrust towards digital payments. It can also take weeks, sometimes months, to secure accounts, file complaints, and seek refunds—which are not always guaranteed.

What RBI and CERT-In Say

The Reserve Bank of India has issued multiple advisories urging merchants to implement PCI DSS (Payment Card Industry Data Security Standard) protocols and encouraging customers to avoid sharing card data on unfamiliar websites. RBI’s customer helpline and fraud grievance channels help victims report such scams.

CERT-In (Indian Computer Emergency Response Team) actively monitors such cyber threats and releases alerts under its I4C (Indian Cyber Crime Coordination Centre) initiative. They emphasize the importance of regular software updates and using multi-factor authentication for online transactions.

If you suspect cyber fraud, the Government of India’s 1930 Cybercrime Helpline is available 24x7 for victims to report incidents.

How to Protect Yourself

  1. Shop Only on Trusted Sites: Stick to well-known, reputed e-commerce platforms with clear HTTPS and verified seller badges.
  2. Check URL Carefully: Look for small variations or suspicious characters in web addresses.
  3. Avoid Public Wi-Fi: Never enter payment details over unprotected Wi-Fi networks.
  4. Don’t Click Random Links: Avoid clicking payment or verification links sent via WhatsApp or email unless you initiated the transaction.
  5. Use Virtual Cards: Many banks offer virtual or disposable card numbers specifically for online shopping.
  6. Enable Two-Factor Authentication (2FA): Protect your banking apps and UPI with strong 2FA.
  7. Keep Software Updated: Ensure your browsers, antivirus, and mobile apps are updated with the latest security patches.

What to Do If You've Been Targeted

Frequently Asked Questions

Q1: Can I get my money back if I lose it due to card-skimming malware?
While RBI guidelines encourage banks to refund victims of unauthorised digital transactions promptly, repayments depend on the victim reporting quickly and proving no negligence. UPI transactions have limited reversal options.

Q2: How can I tell if an e-commerce site is infected?
There’s no easy way from a user’s side. However, suspicious behavior like slow payment pages, unexpected redirects, or strange pop-ups during checkout should raise red flags.

Q3: Is using UPI safer than card payments against this scam?
UPI is generally safer due to its real-time authentication, but if malware infects the payment gateway or your device, even UPI details can be intercepted.


Stay one step ahead of these hidden scams. Before clicking payment links or entering card details on any site, verify its safety at BharatSecure.app — India’s trusted platform for spotting digital fraud and staying protected.
