blacktemple.net · Cybersecurity News & Analysis · github: defconxt · © 2026

Magecart

Also known as: Magecart Group · Web Skimmer Consortium

cybercrime

Nation: 🏴 Unknown
Active Since: 2015
Targets: E-Commerce, Retail, Hospitality, Airline, Ticketing, Financial Services
Known Tools: JavaScript Skimmers, Shimmer Malware, Domain Squatting Infrastructure, Malicious CDN Domains
MITRE ATT&CK: T1195.002, T1059.007, T1071.001, T1185, T1560, T1027, T1583.001, T1584.001, T1036.005, T1567.002
References: RiskIQ Magecart Report, Malwarebytes Magecart Analysis, CISA Alert AA19-208A, MITRE ATT&CK

Background

Magecart is an umbrella term for a loose consortium of cybercriminal groups that share a common attack methodology: injecting malicious JavaScript code into e-commerce websites to silently steal payment card data entered by shoppers. Rather than a single coordinated group, Magecart encompasses numerous independent threat actors who have adopted and refined the same web skimming technique since at least 2015.

Security researchers at RiskIQ first coined the Magecart name and have identified at least 12 distinct groups operating under this methodology, ranging from opportunistic automated scanners compromising thousands of small merchants to sophisticated targeted operations against large enterprises. The groups differ in sophistication, targeting, and monetization but share the core technique of JavaScript-based card skimming at the point of data entry.

The collective impact of Magecart operations is extraordinary. Conservative estimates suggest tens of thousands of e-commerce sites have been compromised, with skimmer code silently harvesting payment cards from millions of consumers. Stolen card data is sold on dark web marketplaces or used for fraudulent purchases. The technique is particularly insidious because compromised sites show no visible signs of tampering, and infections can persist for months before detection.

Notable Campaigns

British Airways (2018): Magecart Group 6 compromised British Airways' booking system for 15 days, skimming payment data from approximately 500,000 customers. The attack injected malicious code directly into the airline's website and mobile app, targeting the checkout flow. The UK Information Commissioner's Office issued a £20 million fine (reduced from an initial £183 million) for GDPR violations. This campaign demonstrated Magecart's capability to target large enterprises with custom, tailored skimmers.

Ticketmaster (2018): Magecart actors compromised a third-party chatbot supplier (Inbenta Technologies) whose JavaScript widget was embedded on Ticketmaster's payment pages. The supply chain attack affected approximately 40,000 UK customers. This campaign established the supply chain JavaScript injection technique as a high-leverage vector for reaching multiple large merchants through a single compromised vendor.

Newegg (2018): A Magecart group registered a lookalike domain mimicking Newegg's payment processing CDN and injected a 15-line skimmer into the checkout page. The attack lasted approximately one month and affected customers making purchases during that window.

Macys.com (2019): Magecart actors injected skimmer code directly into Macys.com through a compromised third-party tag management system, exposing checkout and wallet page visitors for a 7-day period before detection.

Hundreds of Shopify and Magento Stores (2019-2023): Multiple Magecart groups ran automated scanning and exploitation campaigns against Magento-based stores and Shopify apps, injecting skimmers via compromised plugins, admin panel credential stuffing, and supply chain attacks on third-party app developers.

Tactics, Techniques & Procedures

Magecart groups use three primary attack vectors. In direct injection attacks, threat actors compromise the target website itself by exploiting CMS vulnerabilities (Magento, WooCommerce), credential-stuffing admin panels, or exploiting server-side vulnerabilities. Skimmer JavaScript is then injected into payment pages.

In supply chain attacks (T1195.002), groups compromise third-party JavaScript libraries, analytics providers, chatbots, or CDN-hosted scripts that are included on target checkout pages. A single compromised vendor can affect hundreds or thousands of downstream merchant sites simultaneously.

Skimmer JavaScript is designed to blend with legitimate page code (T1036.005) and is typically obfuscated (T1027) to evade static analysis. The malicious code intercepts form submit events on payment pages, clones the submitted data (card number, CVV, expiration, billing address), and exfiltrates it to attacker-controlled servers via image pixel requests or XHR calls (T1071.001) to domains that mimic legitimate analytics or CDN providers.

Tools & Malware

  • JavaScript Skimmers: Custom and re-used JavaScript payloads injected into payment pages, ranging from simple form interceptors to sophisticated multi-stage loaders that evade CSP and script blocking.
  • Shimmer Malware: A more advanced skimmer variant that targets the Magento platform's payment iframe specifically.
  • Domain Squatting Infrastructure: Magecart groups register domains that closely resemble legitimate CDN and analytics providers (e.g., google-analytics[.]cm instead of google-analytics.com) to host skimmer scripts and receive exfiltrated data.
  • Malicious CDN Domains: Compromised or attacker-controlled CDN domains used to host and serve skimmer payloads to targeted merchant sites.

Indicators & Detection

Detection of Magecart activity requires monitoring both at the website code level and the network transaction level. Implement Subresource Integrity (SRI) hashing on all third-party JavaScript includes so browsers can detect unauthorized script modifications. Deploy Content Security Policy (CSP) headers with strict script-src and form-action directives to block unauthorized JavaScript execution and data submission to unknown destinations.

Regularly audit all JavaScript loaded on payment pages, including third-party tags, chatbots, analytics scripts, and CDN-hosted libraries. Use automated tools to detect changes to payment page content. Monitor for new script tags or fetch()/XHR requests originating from checkout pages that target external domains.

Server-side, implement file integrity monitoring on web application assets and alert on any modification to payment-related JavaScript files. Review and minimize third-party script dependencies on checkout flows — every third-party script is a potential supply chain attack surface. PCI DSS 4.0 explicitly requires script inventory and integrity controls on payment pages, reflecting the industry-wide recognition of the Magecart threat.
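A defender-side audit of the controls this section lists, added here as an example and not code from the original page: it flags checkout-page script tags that fall outside an origin allowlist or lack an SRI hash, and builds the strict script-src/form-action CSP. The store origin, allowlist, payment origin and HTML fragment (including the lookalike google-analytics.cm script modelled on the page's example) are constructed values.

```javascript
// Added example (not from the original page). Audits a checkout page's <script>
// tags against an origin allowlist plus the SRI requirement, then builds a CSP.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([\w-]+)\s*=\s*"([^"]*)"/g;

// Regex extraction of each <script> tag's attributes (offline audit of a known template).
function parseScripts(html) {
  return Array.from(html.matchAll(SCRIPT_TAG), (m) => {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR)) attrs[a[1].toLowerCase()] = a[2];
    return attrs;
  });
}

// Flag the shapes a Magecart injection takes on a payment page: a script from an origin
// outside the allowlist, an allowed third-party script without SRI, or an inline block.
function auditScripts(html, siteOrigin, allowedOrigins) {
  const findings = [];
  for (const s of parseScripts(html)) {
    if (s.src === undefined) {
      findings.push({ src: "(inline)", issue: "inline script on checkout page" });
      continue;
    }
    const origin = new URL(s.src, siteOrigin).origin;
    if (origin === siteOrigin) continue; // first-party asset
    if (!allowedOrigins.includes(origin)) {
      findings.push({ src: s.src, issue: `origin ${origin} not in allowlist` });
    } else if (!s.integrity) {
      findings.push({ src: s.src, issue: "third-party script without SRI integrity" });
    }
  }
  return findings;
}

// Strict policy: scripts and XHR/fetch only to self plus the allowlist, form posts
// only to self plus the payment processor, so a skimmer cannot post card data elsewhere.
function buildCsp(allowedOrigins, paymentOrigin) {
  const list = allowedOrigins.join(" ");
  return `default-src 'self'; script-src 'self' ${list}; connect-src 'self' ${list}; form-action 'self' ${paymentOrigin}`;
}

// Constructed values: first-party script, allowed script with SRI (placeholder hash),
// allowed script missing SRI, lookalike-domain script, inline block.
const SITE_ORIGIN = "https://shop.example", PAYMENT_ORIGIN = "https://pay.example";
const ALLOWED = ["https://cdn.example-tags.com", "https://www.google-analytics.com"];
const SAMPLE_HTML = `<script src="/static/checkout.js"></script>
<script src="https://cdn.example-tags.com/tag.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-analytics.cm/analytics.js"></script>
<script>window.dataLayer = [];</script>`;
console.log(auditScripts(SAMPLE_HTML, SITE_ORIGIN, ALLOWED), buildCsp(ALLOWED, PAYMENT_ORIGIN));
```

Run against the live checkout template on every deploy and diff the findings; a new entry is the change-detection signal the section above asks for.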
