Magecart: How Its Attack Techniques Evolved

Shape-shifting Magecart has shown itself to be highly adaptable in its ability to compromise third-party websites, especially during the pandemic.


Web-based cyberattacks against businesses of all sizes are on the rise. Magecart, the association of global hacking groups responsible for some of the biggest client-side data breaches in recent years, is currently the most notorious of these threats.

The modus operandi of Magecart is to compromise third-party software on a retail website, such as shopping carts, checkout pages, or payment pages, to steal customer data. Magecart skimmers have been detected on over 2 million global websites, and the incidence of such attacks increased by over 20% in the early days of the pandemic. In the aftermath of numerous high-profile attacks on prominent e-commerce websites, we dissected these attack techniques and how they’ve evolved over the years:

Direct Supply-Chain Compromise
Supply chain compromise is a hallmark of a Magecart attack. This type of attack made headlines in the case of British Airways, Ticketmaster, and Newegg back in 2018. It’s typically executed by inserting skimming code as third-party code on the website. In most cases, methods like credential theft, SQL injection, RDP attacks, and others can be used to gain access to a third party’s servers to inject malicious code. The code is designed to evade detection, and the attacker is able to steal sensitive customer data such as payment and login information from website visitors.

More Skimming & Scamming
Magecart skimmers have been using content delivery networks and associated JavaScript files to hide their payload. Most recently, in the Focus camera hack, the attackers used a domain that closely resembled a legitimate brand or product – in this instance "," clearly chosen to look like ZenDesk’s official "" Malicious JavaScript was injected into the website, allowing the hackers to skim credit card data at the checkout.
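The following Python example is an addition to this article, not code from its authors. It shows one way a defender can audit a checkout page for the look-alike script domains described above: every external script host is compared against an allowlist, and a host that is not allowlisted but sits within a small edit distance of an allowlisted one is flagged. The hostnames, the allowlist and the distance threshold of 2 are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the script hosts this shop intentionally loads from (constructed names).
ALLOWED_HOSTS = {"shop.example", "static.helpdesk-vendor.example"}

class ScriptHosts(HTMLParser):
    """Collect the host of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None
        if host:                      # relative URLs have no host: same origin
            self.hosts.append(host)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_script_hosts(html, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return (host, verdict, nearest allowed host) per external script."""
    parser = ScriptHosts()
    parser.feed(html)
    results = []
    for host in parser.hosts:
        nearest = min(sorted(allowed), key=lambda good: edit_distance(host, good))
        gap = edit_distance(host, nearest)
        verdict = "allowed" if gap == 0 else "lookalike" if gap <= max_distance else "unknown"
        results.append((host, verdict, nearest))
    return results

# Constructed sample: checkout page with one look-alike and one unrelated host.
SAMPLE_PAGE = """
<script src="/js/cart.js"></script>
<script src="https://static.helpdesk-vendor.example/widget.js"></script>
<script src="https://static.helpdesk-vend0r.example/widget.js"></script>
<script src="https://metrics.unrelated.example/t.js"></script>
"""
```

A "lookalike" verdict deserves immediate review, while "unknown" hosts still need an owner who can confirm why the checkout page loads them.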

Credit card skimmers have also injected PayPal iframes to compromise the checkout process and collect sensitive payment information from checkout pages on vulnerable websites.

Card Skimming Scripts in Favicons
This type of skimmer was first detected on several online stores running the WooCommerce WordPress plug-in in the latter half of 2020. Magecart groups used the metadata of image files to hide malicious payloads in order to steal valuable payment information entered by website users. An image file’s metadata, or EXIF data, usually contains information regarding the date, time, location, resolution, and other camera-related details. In some cases, attackers used the copyright field of an image file to conceal malicious code.

Another technique used by hackers is to insert malware into websites through a PHP-based shell disguised as a favicon. This is done by altering the shortcut icon tags in the HTML code so that it references the malicious image file. The Web shell can then be made to run malicious credit card skimming payloads from external domains.
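The following Python example is an addition to this article, not code from its authors. It covers both techniques in this section from the defender's side: it checks that a file served as an image or favicon really starts with image magic bytes, and it parses a JPEG's EXIF block to inspect the Copyright field for script-like content. The token list in SCRIPT_HINTS is an assumed heuristic, and the sample files are constructed.

```python
import re
import struct

COPYRIGHT_TAG = 0x8298  # TIFF/EXIF "Copyright" tag (ASCII)
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"\x00\x00\x01\x00")
# Assumed heuristic: tokens that have no place in image metadata.
SCRIPT_HINTS = re.compile(rb"<script|<\?php|eval\s*\(|atob\s*\(|fromCharCode", re.I)

def exif_copyright(jpeg):
    """Return the raw EXIF Copyright value of a JPEG, or None if absent."""
    pos = 2                                      # skip the SOI marker
    try:
        while jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:   # 0xDA: pixel data
            marker, length = struct.unpack_from(">BH", jpeg, pos + 1)
            body = jpeg[pos + 4:pos + 2 + length]
            pos += 2 + length
            if marker != 0xE1 or body[:6] != b"Exif\x00\x00":
                continue
            tiff = body[6:]
            bo = "<" if tiff[:2] == b"II" else ">"           # TIFF byte order
            ifd = struct.unpack_from(bo + "I", tiff, 4)[0]
            count = struct.unpack_from(bo + "H", tiff, ifd)[0]
            for i in range(count):                           # 12-byte IFD0 entries
                tag, typ, n, val = struct.unpack_from(bo + "HHI4s", tiff, ifd + 2 + 12 * i)
                if tag == COPYRIGHT_TAG and typ == 2:
                    off = struct.unpack(bo + "I", val)[0]
                    return (val[:n] if n <= 4 else tiff[off:off + n]).rstrip(b"\x00")
    except (IndexError, struct.error):
        pass                                     # truncated or malformed file
    return None

def scan_image(data):
    """Findings for one file that a page serves as an image or favicon."""
    findings = []
    if not data.startswith(IMAGE_MAGIC):
        findings.append("not an image: magic bytes are not JPEG/PNG/GIF/ICO")
    if data.startswith(b"\xff\xd8") and SCRIPT_HINTS.search(exif_copyright(data) or b""):
        findings.append("script-like content in EXIF Copyright field")
    return findings

def build_sample_jpeg(text):
    """Constructed input: minimal JPEG whose only metadata is a Copyright tag."""
    value = text + b"\x00"                       # text must be longer than 4 bytes
    # IFD0 at offset 8, one ASCII entry with data at offset 26, no next IFD
    tiff_rest = struct.pack("<IHHHIII", 8, 1, COPYRIGHT_TAG, 2, len(value), 26, 0)
    body = b"Exif\x00\x00II*\x00" + tiff_rest + value
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

TAMPERED = build_sample_jpeg(b"<script>/* constructed sample */</script>")
FAKE_FAVICON = b"<?php /* constructed sample */ ?>"
```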

Taking Advantage of End-of-Life E-commerce Versions
In November 2020, more than 2,800 websites running Magento’s outdated software were hit by payment skimming code. These attacks were collectively called Cardbleed and were one of the largest-scale attacks perpetrated by the Magecart group. The attackers attempted to connect with the Magento admin panel through the Magento Connect feature and execute malware (mysql.php). The malware was then deleted after compromising a JavaScript file.

Ant & Cockroach Skimmer
This is the most commonly used technique by Magecart groups. The attack usually involves the following:

  • Distinct “loader” and “skimmer” code.

  • Regex checks to target URLs linked to checkout pages with developer tools disabled.

  • “Radix” obfuscation technique to disguise the skimming code.

The hackers also usually make slight tweaks to the malicious payload. Magecart Group 12 has recently also been linked to the insertion of cryptocurrency mining code on compromised websites.

Magecart attacks have gotten more sophisticated and elusive to track, and e-commerce businesses are facing increasing pressure to safeguard their websites against these threats. With the holiday season looming, websites are more prone than ever to coordinated campaigns executed by these attackers. The good news is that there are many solutions available in the market to detect or protect against these attacks, and organizations must make it a priority to include Magecart prevention in their security strategy.

About the Author(s)

Swapnil Bhalode

CTO, Tala Security

Swapnil is Tala Security’s Chief Technology Officer. Swapnil has over 14 years of experience in researching and building security technologies. He started his career as a Security Consultant at Ernst & Young, followed by extensive work in the threat research and response teams at Microsoft, Symantec and Dell. Swapnil holds a Master’s Degree in Computer Science from Syracuse University and Bachelor’s degree in Computer Engineering from the University of Mumbai.

Surabhi Sinha

Senior Product Manager, Tala Security

Surabhi is a Senior Product Manager at Tala Security with over 6 years of experience in consulting and product management at Tala, Cisco and PwC. At Tala, she focusses on client side security as well as data privacy solutions for the modern web. She holds a Master’s Degree in Product Management and Design from Carnegie Mellon University and a Bachelor’s in Computer Science from Birla Institute of Technology, India.
