
Magecart attacks persist, but operate more covertly to steal data

Magecart attacks continue to steal payment data, albeit more covertly, according to Malwarebytes.

Magecart attacks are still active, though operating more covertly, even as their numbers have declined over the past few months, according to new findings from Malwarebytes.

Malwarebytes researcher Jérôme Segura said in a June 20 blog post that tracking client-side Magecart attacks is still "worthwhile," and that the newly discovered campaign is connected to "a pretty wide infrastructure."

After Sansec reported a Magecart skimmer domain on June 9, and another security researcher tweeted a suspected host on June 12, Malwarebytes researchers determined that the two domains are connected to a larger campaign from last year whose skimmer included virtual machine detection, a check used to avoid running inside researchers' analysis sandboxes. For reasons that are unknown, the threat actors have since removed the VM detection code from the skimmers served by both domains.

A Magecart attack is a form of web skimming: criminals plant code on a website to steal personal data, mostly customers' payment details on online stores and ecommerce platforms.

Attackers inject malicious JavaScript into a site's shopping cart or checkout page. When customers land there, the code collects the data they type, including credit card numbers, expiration dates, CVV/CVC codes, names, addresses and phone numbers, and sends it to a server the attackers control. The stolen data is then used for fraud or sold on the dark web.

Magecart first became active in 2015, attacking the ecommerce platform Magento (the name combines Magento and shopping cart), but it has since evolved to target a wide range of web environments and payment platforms, including WooCommerce, an open-source WordPress plugin used by many online retailers.

According to several recent reports from Sucuri, WordPress sites running the WooCommerce plugin had outpaced Magento in the number of attacks as of July 2021, with credit card skimmers hidden inside fake image files or routed through Telegram channels.

A lack of visibility into server-side skimmers is one of the biggest challenges in monitoring Magecart attacks: a skimmer running inside the store's server code never reaches the browser, so client-side scanning cannot see it.

“If the Magecart threat actors decided to switch their operations exclusively server-side, then the majority of companies, including ours, would lose visibility overnight,” Segura commented. “This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it.”

According to ZDNet, Cloudflare launched a client-side security product called Page Shield last year to confront Magecart attacks. Its first available feature, Script Monitor, inventories the third-party JavaScript dependencies a site loads and records changes to them over time. The company has also been collecting JavaScript samples, with the aim of alerting customers more accurately in the future.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
