New Magecart Skimming Network Targets Global Payment Providers on E-commerce Websites, Including Mastercard, American Express
Published
Key Takeaways
- Extensive Campaign: A long-term, ongoing web-skimming campaign has been uncovered, targeting global e-commerce platforms.
- Targeted Providers: The operation explicitly targets major payment networks, including American Express, Mastercard, Diners Club, Discover, JCB Co., Ltd., and UnionPay.
- Attack Vector: Highly obfuscated JavaScript is injected into the checkout pages of compromised webshops to intercept and exfiltrate card details and other personal data.
A vast and sophisticated Magecart skimming network is responsible for a multi-year campaign of online credit card skimming, compromising legitimate e-commerce websites by injecting malicious code that steals customer payment information during checkout. The attackers also deploy advanced obfuscation techniques.
Magecart initially referred to a coalition of cybercriminal groups targeting web shops that used the e-commerce software Magento, but it later expanded to encompass nearly all web-based skimming incidents.
Attack Methodology and Targeted Networks
This campaign has been active since at least early 2022, and cybersecurity analysts at SilentPush have discovered that the attack initiates when a user accesses the checkout page of a compromised online store.Â
The malicious script, often disguised as a legitimate service such as Facebook, uses JavaScript API to detect modifications made to the Document Object Model (DOM) and trigger the web skimmer to reattempt execution, replacing the legitimate payment form with a fraudulent one.Â
Stripe fake forms are meticulously styled to match the legitimate site, even including features like card brand recognition to enhance their appearance of authenticity. The skimmer captures all data entered into the checkout fields, including names, addresses, and credit card details.
The primary targets of this campaign are enterprise clients and customers of major payment networks, such as:
- Mastercard
- American Express
- JCB Co., Ltd.
- Diners Club
- Discover
- UnionPay
Cybersecurity for Online Shoppers and Vendors
This Magecart skimmer employs evasion tactics, such as deactivating itself if it detects a logged-in website administrator, thereby prolonging its presence on a compromised site. For consumers, the only indication of an attack may be a payment error on the first attempt, which most users attribute to a typo.Â
To mitigate these threats, vendors are urged to implement a strict Content Security Policy (CSP) and comply with PCI DSS standards. Consumers should use security tools that block malicious scripts and be wary of any unusual behavior on checkout pages.
In February 2024, another MageCart campaign targeted payment card data on Magento websites. Sucuri reported earlier this month that fake browser updates target WordPress administrators via the Modern Recent Posts plugin.Â
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular