Magecart Hackers Hijack eStores Checkouts to Steal Card Data
Basically, hackers are stealing credit card info from online stores using fake checkout pages.
A sophisticated Magecart campaign has been stealing payment card data from e-commerce sites for over two years. This operation affects banks and cardholders the most, leading to significant fraud losses. Security teams must enhance monitoring and defenses to combat this persistent threat.
What Happened
A sophisticated Magecart campaign has been operating for over two years, infecting e-commerce websites across at least 12 countries. This operation utilizes more than 100 malicious domains to steal payment card data in real time. Security researchers from ANY.RUN uncovered this large-scale operation, which has targeted numerous WooCommerce sites, particularly in regions like Spain and the United States. While e-commerce merchants are the initial targets, the financial fallout primarily affects banks and cardholders, leading to significant fraud losses.
The campaign has remained undetected for an extended period, highlighting the organized nature of this cybercrime. The attackers have employed a multi-stage infection chain designed to evade detection, ensuring that their malicious activities can continue even if individual components are taken down. This level of sophistication indicates a shift towards more persistent and infrastructure-driven operations.
How It Works
The attack begins with the compromise of a WooCommerce site, where attackers inject a small, obfuscated JavaScript loader into existing script files. This loader does not contain any card-stealing logic initially; instead, it retrieves a JSON configuration payload from external domains. This approach allows the attackers to dynamically load subsequent malicious stages while maintaining a low profile.
Once the checkout page is reached, the loader replaces the legitimate payment button with a fake one, effectively hijacking the payment interface. The attackers have meticulously crafted their scripts to mimic trusted payment service providers, such as Redsys, to enhance credibility. This high-fidelity impersonation is crucial for tricking unsuspecting users into entering their card details into the spoofed form.
Who's Being Targeted
Victims of this campaign include e-commerce merchants and their customers across various countries, including the United Kingdom, Denmark, France, and Spain. The operation's focus on the Redsys payment ecosystem in Spain has led to a significant concentration of attacks in that region. While merchants are the initial access points, the primary financial damage is inflicted on banks and cardholders, who face the brunt of fraud losses and eroded trust in digital payment systems.
The attackers have also expanded their reach by targeting mobile users. When accessing infected stores on mobile devices, users may encounter prompts offering discounts in exchange for downloading malicious apps. This tactic further broadens the attack surface and reinforces the campaign's organized nature.
How to Protect Yourself
For security teams, it’s essential to monitor outbound WebSocket connections from checkout pages, as these are often overlooked by conventional security measures. Implementing strict Content Security Policies (CSP) and conducting regular audits of third-party scripts can also mitigate risks. Additionally, JavaScript file integrity monitoring can help detect unauthorized changes to scripts.
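As an added example (not code from the article or from ANY.RUN), the script below implements the JavaScript file integrity monitoring recommended above: it records a SHA-256 baseline of every .js file under a web root and later reports files that were modified, added or removed. The directory layout, file names and the "tampered" content in the demo are constructed placeholders, and the baseline would normally be kept off the web server so a compromised host cannot rewrite it.

```python
"""Added example: minimal JavaScript file integrity monitor.
Hashes every .js file under a web root, stores a baseline, and reports
modified / added / removed files on the next run. Paths and sample
files are constructed for illustration only."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, streamed so large bundles are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(web_root: Path) -> dict:
    """Map of relative POSIX path -> sha256 for every .js file under web_root."""
    return {
        p.relative_to(web_root).as_posix(): hash_file(p)
        for p in sorted(web_root.rglob("*.js"))
        if p.is_file()
    }


def save_baseline(web_root: Path, baseline_path: Path) -> dict:
    """Write the current snapshot as JSON (keep this file off the web host)."""
    snap = snapshot(web_root)
    baseline_path.write_text(json.dumps(snap, indent=2, sort_keys=True))
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into modified / added / removed file lists."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: record a baseline, then simulate one existing
    script gaining appended code and one new script appearing, and return
    what the monitor reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"          # constructed web root
        shop = root / "plugins" / "shop"
        shop.mkdir(parents=True)
        checkout = shop / "checkout.js"
        checkout.write_text("function pay() { return submitOrder(); }\n")
        (shop / "cart.js").write_text("var cart = [];\n")

        baseline_file = Path(tmp) / "js-baseline.json"
        save_baseline(root, baseline_file)

        # The article describes a loader appended to an existing script file;
        # here a harmless placeholder line stands in for that change.
        with checkout.open("a") as f:
            f.write("/* constructed: unexpected appended code */ var z = 1;\n")
        (shop / "extra.js").write_text("// constructed new file\n")

        return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice `save_baseline` runs once after each legitimate deployment and `compare` runs on a schedule; any non-empty `modified` or `added` list on a checkout-related script should page someone, since a legitimate change there always corresponds to a known release.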
Financial institutions should focus on proactive threat intelligence sharing and enhance fraud detection mechanisms for card-not-present transactions. By staying vigilant and adopting these defensive strategies, organizations can better protect themselves against this evolving class of payment threats. The Magecart campaign serves as a stark reminder of the persistent and adaptive nature of cybercrime in the digital age.