Highly Covert Card-Skimming Malware Infects E-commerce Sites — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
Beware in 2026: Highly Covert Card-Skimming Malware Infects Indian E-commerce Sites
A dangerous new card-skimming malware is silently stealing payment details from shoppers on Indian e-commerce websites, putting your UPI and card data at critical risk.
What Is the Highly Covert Card-Skimming Malware Infecting E-commerce Sites?
In 2026, Indian online shoppers face a rising cyber threat — a highly covert card-skimming malware that targets e-commerce platforms. This scam specifically infects well-known and frequently visited online stores by embedding malicious code directly into their payment processing pages. Unlike traditional phishing where you might be tricked into visiting a fake website, this malware lurks inside genuine e-commerce portals, making detection difficult.
The malware is especially dangerous because it captures sensitive payment details such as credit/debit card information or UPI credentials during checkout without alerting users. The stolen data is then silently sent to scammers who may misuse the details for fraudulent transactions or sell them on the dark web.
Authorities like the Reserve Bank of India (RBI) and the Indian Computer Emergency Response Team (CERT-In) have raised alerts regarding the increasing frequency of card-skimming and supply chain attacks on Indian e-commerce sites. The Indian government’s Inter-Departmental Cyber Coordination Centre (I4C) is monitoring such scams closely, emphasizing the need for robust online transaction vigilance.
This scam affects all age groups and segments of internet users in India, especially those comfortable shopping on popular marketplaces and retail portals. As digital payments through UPI and cards grow further in Indian metros and smaller cities alike, this menace is spreading deeper.
How This Scam Works — Step by Step
1. Targeting the Website: Fraudsters first identify an e-commerce website that uses vulnerable plugins, outdated CMS software, or unsecured FTP servers. They exploit these weaknesses to inject malicious JavaScript into the checkout or payment pages.
2. Stealthy Malware Deployment: The malware stays dormant and invisible to site admins and users, avoiding detection by common website security tools. It only activates when a shopper enters payment information.
3. Data Capture at Checkout: When you enter card details or click to pay via UPI during checkout, the malware captures these inputs in real time — including card numbers, CVV codes, UPI PINs, or OTPs.
4. Data Exfiltration: The stolen data is sent to the scammer’s server silently in the background. Because the malware runs on the legitimate website, neither shoppers nor site owners notice any abnormality.
5. Exploitation of Stolen Data: Scammers use the payment data for unauthorized purchases, sometimes adding SIM swap fraud or Aadhaar-based identity theft to bypass OTP authorization or two-factor authentication.
6. Social Engineering For Entry: In some cases, scammers call or WhatsApp victims posing as bank or e-commerce representatives, creating urgency to extract additional details or OTPs, increasing the damage.
This multi-layered approach helps cybercriminals harvest large volumes of genuine payment credentials from Indian shoppers without raising immediate alarms.
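For site operators, the injection step described above is something a routine audit of the served checkout page can catch. The following is an added example, not code from BharatSecure or any advisory cited here: it lists the script tags on a checkout page and flags hosts outside an allowlist, cross-origin scripts without Subresource Integrity, and inline scripts whose hash is not in a reviewed baseline. The hostnames, the baseline and the sample HTML are constructed assumptions.

```javascript
const crypto = require("node:crypto");

// Hypothetical baseline recorded from a reviewed release of the checkout page.
const ALLOWED_HOSTS = new Set(["shop.example", "pay.gateway.example"]);
const REVIEWED_INLINE = "window.cartId = 'demo';";

// Same "sha256-<base64>" form that CSP script-src hashes use.
const sha256 = (text) =>
  "sha256-" + crypto.createHash("sha256").update(text, "utf8").digest("base64");

// Returns one finding per script tag that deviates from the baseline.
function auditCheckoutScripts(html, pageUrl, allowedHosts, knownInlineHashes) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (src) {
      const url = new URL(src[1], pageUrl);
      if (!allowedHosts.has(url.hostname)) {
        findings.push({ type: "unknown-host", detail: url.hostname });
      } else if (url.origin !== pageOrigin && !/\bintegrity\s*=/i.test(attrs)) {
        findings.push({ type: "missing-sri", detail: url.href });
      }
    } else if (body.trim() && !knownInlineHashes.has(sha256(body))) {
      findings.push({ type: "unreviewed-inline", detail: sha256(body) });
    }
  }
  return findings;
}

// Constructed sample page; the integrity value is a placeholder, not a real digest.
const SAMPLE_CHECKOUT = `<html><body>
<script src="/static/checkout.js"></script>
<script src="https://pay.gateway.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://pay.gateway.example/widgets.js"></script>
<script src="https://cdn-metrics.invalid/t.js"></script>
<script>${REVIEWED_INLINE}</script>
<script>var unreviewed = 1; /* constructed stand-in for unexpected code */</script>
</body></html>`;

function runSample() {
  const baseline = new Set([sha256(REVIEWED_INLINE)]);
  return auditCheckoutScripts(SAMPLE_CHECKOUT, "https://shop.example/checkout", ALLOWED_HOSTS, baseline);
}

console.log(runSample());
```

A scan of the served HTML only sees scripts present at load time; scripts added later in the browser need a Content-Security-Policy with violation reporting to surface.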
Real Warning Signs to Watch For
- Unexpected or unsolicited calls/WhatsApp messages asking for OTP or card details during or after your transaction
- Slow website loading or frequent payment page timeouts on otherwise trusted shopping sites
- Frequent test purchase failures or order confirmation delays on your usual e-commerce platforms
- Receiving bank alerts for transactions you did not initiate shortly after online shopping
- Suspicious URLs or payment pages that do not use HTTPS or have incorrect SSL certificates
- Requests for unusual payment methods or redirection to third-party payment gateways outside recognized UPI apps or card networks
- Multiple login attempts or unknown device activity on your payment apps or online banking portals soon after shopping
What Happens to Victims
Victims often experience immediate financial losses due to unauthorized transactions debited from their linked bank accounts or credit cards. Since UPI payments can be instant and irreversible if users share OTPs or PINs due to scams, fraudulent withdrawals drain balances quickly.
Beyond money, victims face emotional distress and loss of trust in digital payments, which can disrupt their daily activities. The misuse of Aadhaar or SIM swap techniques in conjunction with this malware means victims may also suffer identity fraud, making it difficult to reclaim stolen funds or repair credit history in India. Victims frequently report long delays and opaque processes while seeking refunds or blocking compromised payment channels.
What RBI and CERT-In Say
The Reserve Bank of India (RBI) classifies card-skimming malware attacks as critical cyber fraud threats. RBI’s guidelines emphasize that banks and payment gateways must implement real-time transaction monitoring and multi-factor authentication to protect consumers. RBI also advises users not to share OTPs or PINs with anyone and to immediately report suspicious transactions.
CERT-In has issued advisories recommending that e-commerce companies regularly update website software, secure FTP connections, and conduct security audits to prevent code injection. CERT-In’s 1930 cybercrime helpline offers assistance to victims of online payment fraud.
Meanwhile, the Inter-Departmental Cyber Coordination Centre (I4C) collaborates with state cybercells to investigate incidents and spread awareness about online shopping frauds.
How to Protect Yourself
- Only shop on verified and official e-commerce websites with secure HTTPS pages.
- Avoid public or unsecured Wi-Fi when entering payment details online.
- Never share OTPs, PINs, or Aadhaar details over calls or WhatsApp—even if the message appears official.
- Keep your smartphone’s OS and apps (including UPI apps) updated with the latest security patches.
- Use multi-factor authentication wherever available on payment and banking apps.
- Monitor bank SMS alerts instantly and notify your bank at the first sign of suspicious transactions.
- Use virtual cards or limited-use cards provided by your bank for online purchases to reduce risk exposure.
What to Do If You've Been Targeted
- Immediately contact your bank’s fraud helpline to block the affected card or payment method.
- Report the incident to the 1930 cybercrime helpline run by CERT-In for guidance and investigation support.
- File a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in, detailing the scam.
- Change all related passwords and PINs, especially for UPI apps and online banking.
- Inform your mobile operator if you suspect SIM swap or unauthorized SIM activity.
- Keep all transaction records and communication with scammers to assist law enforcement.
- Regularly check your bank statements and credit report for unauthorized activities.
Frequently Asked Questions
Q: How can I be sure a website is safe before making payments?
Check that the website uses “https://” with a valid SSL certificate and avoid clicking on shopping links from unsolicited messages. Stick to well-known Indian e-commerce platforms with secure payment gateways.
Q: Can RBI help me recover money lost due to card-skimming malware?
RBI mandates banks to have dispute resolution mechanisms. While recovery depends on investigation outcomes, prompt reporting improves your chances of getting refunds.
Q: Is UPI safe in this scam, or should I avoid using it online?
UPI remains safe if you never share OTPs or UPI PINs on calls/messages. Use official apps only and avoid entering payment details on suspicious or unsecured websites.
Always double-check suspicious messages, calls, or websites with BharatSecure.app before responding or sharing any payment info. Protect yourself and your money from evolving scams in India’s digital world.