Magecart campaign: card stealer, online shopping no longer secure

Card Skimming Threat to e-commerce platforms

According to RiskIQ, Magecart has been attacking online companies since 2016. Its modus operandi is to insert malicious code into these companies’ websites in order to steal their customers’ data when they make a purchase. This technique is called digital skimming. RiskIQ has so far identified at least 6,400 affected sites.

What is Magecart?

Magecart is a group of malicious hackers who target online shopping cart systems, usually the Magento system, to steal customer payment card data and other personal and financial information.

How does it work?

A Magecart card skimming attack is conducted in several phases.


Magecart mechanism

1) Gaining access to the e-commerce website.

This can be done either by taking control of an entire infrastructure or an unpatched server and placing skimming code there, or by going after one of your third-party vendors (plugins, malicious advertising), especially if they are an easier target, and infecting a third-party tag that will run a malicious script on your site when it is called in the browser.

Generally, most of the compromised e-commerce websites were found to be running an old version of Magento that is vulnerable to published exploits. Many of the compromised sites were found running version 1.5, 1.7, or 1.9. The arbitrary file upload, remote code execution, and cross-site request forgery vulnerabilities all affect Magento version 2.1.6 and below.

Magecart is known to exploit vulnerabilities similar to the one described in CVE-2016-4010.

2) Stealing sensitive information.

The skimming code is used to steal card details. It is mostly JavaScript embedded in the website source code. These scripts are coded to intercept card and other financial inputs entered into compromised e-commerce websites.

Malicious JavaScript can be served in numerous forms, such as:

Google-analytics disguised script:


The script replaces the legitimate domain with googlc-analytics[dot]cm


Script jqueryextd[.]at/5d7c50e85111d[.]js embedded in an e-commerce site


Card Skimmer link embedded in e-commerce website: www[.]jungleeny[.]com

3) Sending intercepted information to C2 servers

This is the easiest part of the entire campaign. Once the hacker gains access to your website and intercepts the data they want, it’s checkmate. They can send intercepted information from the end users’ browsers to almost any location on the internet.

In a nutshell, when a user visits the compromised e-commerce site and makes a purchase by entering their card details (card number, OTP, CVV, name, expiry date, etc.), every detail entered in the purchase form is intercepted by the malicious JS or skimmer gate domain embedded in the website. All this intercepted information is then transmitted to C2 servers across the internet, leaving you vulnerable.

Some of the websites that recently became victims of the Magecart campaign were:

  • janmarini[dot]com/
  • jungleeny[dot]com
  • www[dot]salonsavings[dot]com/
  • majorsurplus[dot]com
  • www[dot]gradshop[dot]com
  • www[dot]levainbakery[dot]com

A list of domains that were compromised in the past can be found here: List of websites

Wanna see some card skimmer script content [ For Educational Purposes only ]: Pastebin


For website owners:

  • Always keep your CMS updated.
  • Use continuous monitoring that intercepts all of the API calls your website makes to the browser and blocks access to sensitive data you have not previously authorized.
  • Blacklist the IOCs or sinkhole them, so that if the site is infected it won’t be able to make a connection to the blacklisted IOCs.
  • Use the most reputable, well-known and up-to-date plugins.
  • Use available IDS rules for Magecart campaigns.
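
An added example, not part of the original post: a Node.js check in the spirit of the monitoring and blocklisting advice above. It lists the external script hosts a page loads, reports any host that is not allowlisted, and marks near-misses of an allowlisted host as lookalikes. The allowlist, the shop.example origin and the sample HTML are assumptions, constructed from the defanged domains quoted earlier on this page.

```javascript
// Added example: audit <script src> hosts against an allowlist and flag lookalikes.
// ALLOWED_HOSTS, shop.example and SAMPLE_HTML are constructed for illustration.
const ALLOWED_HOSTS = ["www.google-analytics.com", "code.jquery.com", "shop.example"];

// Turn defanged notation ("[dot]", "[.]") back into a hostname, for comparison only.
const refang = (s) => s.replace(/\[(?:dot|\.)\]/g, ".");
const bare = (h) => h.replace(/^www\./, "");

// Levenshtein edit distance, computed row by row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns one finding per script whose host is not on the allowlist.
function auditScriptSources(html, pageOrigin, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    let host;
    try {
      // Resolves relative and protocol-relative URLs against the page origin.
      host = new URL(m[1], pageOrigin).hostname.toLowerCase();
    } catch {
      findings.push({ src: m[1], host: null, verdict: "unparseable" });
      continue;
    }
    if (allowedHosts.includes(host)) continue;
    // A host within a few edits of an allowlisted one is probably imitating it.
    const near = allowedHosts.find((h) => editDistance(bare(h), bare(host)) <= 3);
    findings.push({ src: m[1], host, verdict: near ? `lookalike of ${near}` : "unknown host" });
  }
  return findings;
}

// Constructed sample page: two legitimate scripts and the two skimmer hosts named above.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://${refang("googlc-analytics[dot]cm")}/analytics.js"></script>
<script src="//${refang("jqueryextd[.]at")}/5d7c50e85111d.js"></script>`;

console.log(auditScriptSources(SAMPLE_HTML, "https://shop.example"));
```

Run against rendered checkout pages on a schedule, a check like this surfaces a newly injected script host before customers report fraud; a regex over HTML will not see scripts injected at runtime, so it complements rather than replaces in-browser monitoring.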

For more detailed, in-depth protection: Trustwave blog

For end users:

  • Always prefer using sites available over HTTPS.
  • Don’t blindly trust HTTPS; an HTTPS site may also be compromised.
  • Only go for reputed e-commerce sites like Amazon and eBay, because they have their own IT security teams to look after cybersecurity incidents.
  • If you realize you have entered your details on a compromised site, reach out to your financial institution and block your card.
  • Always keep an eye on your card statements; any unknown transactions may be a sign that you have been a victim of Magecart card skimming.
  • If you find that a website is infected with skimmer code, report it to the site owner or other concerned people if possible.
  • Make sure all cards have multi-factor security enabled; every transaction should ask for an OTP.

For more detailed information:

Stay tuned with us for more cyber stuff!
Have any suggestions or ideas for us to improve? Please reach out to us 🙂
