Magecart Attacks Continue to ‘Skim’ Software Supply Chains


Has your business or e-commerce site recently purchased third-party software from a value-added reseller (VAR) or systems integrator? Have you checked the vendor's code? If not, you might be at risk of a Magecart group attack.

Magecart is an association of threat actor groups that target online shopping carts, primarily from the Magento e-commerce platform. The name Magecart is derived by combining ‘Mage’ (from Magento) with ‘cart’ (shopping cart). This type of attack is particularly dangerous because it only takes one line of code to steal payment card data.

Magecart attacks can compromise third-party software from a VAR or systems integrator. Recently, they have infected a variety of supply chain processes.

Let’s take a closer look at this malicious attack vector and how it evolves over time. Later, we’ll explore ways to protect your business and customers from Magecart attacks.

Magecart: a single line of code

In 2015, Magecart made global headlines with a series of high-profile attacks targeting big names in airline, ticketing and retail.

In the classic Magecart attack, attackers insert a single line of malicious code that loads a JavaScript sniffer. Once installed, each time a user opens the shopping cart or checkout page of the compromised website, that line downloads the JS sniffer, which intercepts any information entered on the page and sends it to the attacker.

This type of attack is also known as credit card skimming, digital skimming, web skimming, or formjacking.

Magecart skimmers can capture anything entered into an online form, such as card numbers, expiration dates, CVC codes, names, addresses, phone numbers and email addresses. This data can then be used for identity theft or fraud. In other cases, it ends up for sale on the darknet.

Move to Third-Party Targets

In the beginning, Magecart targeted specific companies large and small. More recently, attackers have pivoted to target advertising supply chains. Researchers have detected skimming scripts on thousands of websites of all kinds, from flight booking services to retail, cosmetics, healthcare and clothing companies.

In this version of the attack, instead of specific companies, threat actors target vendors who provide code that improves website functionality. For example, web-based advertising providers work with thousands of clients. This means the vendor unknowingly spreads the infected code for the attackers.

Anyone who relies on a third-party vendor for some of their website code is at risk. Even embedding a third-party analytics snippet can bring a Magecart payload onto your website.

More recently, attackers have even used hosting services as vectors to infect customer sites with Magecart. Attackers also conceal the malicious script in the metadata of image files or inside genuine CSS files. As a detection technique, some defenders even turn to online steganography decoder services to try to reveal the hidden code.

Magecart Supply Chain Threat

As mentioned, every third-party software vendor is a potential Magecart attack path. For example, a single provider can supply ticketing, touring and reservation services to hundreds of customers; through that provider's infected code, attackers could compromise any media or entertainment site that uses it. Infected content can also arrive via a Content Delivery Network (CDN). In essence, any website that conducts online transactions or collects user data could be hacked by Magecart.

When Magecart first appeared in 2015, the main target was Magento open source e-commerce platforms. Today, the threat is increasingly widespread in a wide variety of software categories. A multifunctional script has been discovered to skim data from a whopping 57 different payment platforms.

Ant and cockroach skimmer

Magecart groups most often use the ‘ant and cockroach’ technique. This involves the following:

  • Separate ‘loader’ and ‘skimmer’ code
  • Checks that the target URL is a payment page and that developer tools are not open
  • A “Radix” obfuscation technique that disguises the skimming code
  • Frequent slight modifications to the malicious code to avoid detection

Magecart attacks continue to grow in range and sophistication. E-commerce and supply chain companies face increasing pressure to protect their websites from these threats.

Stop Magecart Attacks

Although there is no magic formula to prevent skimming attacks, there are tools and strategies that can help improve and strengthen your security.

Zero Trust

Consider adopting a zero-trust approach with JavaScript on your sites. It starts with a policy to block access by default to any sensitive information entered into web forms and stored cookies. From there, only a select set of approved scripts (mostly those you create and/or own) are allowed to access sensitive data. If malicious skimming code infects your site, it is less likely to access sensitive information.

Third-party risk management

Directed third-party risk management creates a centralized, tightly mapped structure of the third-party risk hierarchy, including risks, controls, locations, and regulations. These models support the categorization of third parties based on risk, criticality, and other factors. Configurable methodologies can assess and score inherent and residual third-party risks. This includes capturing detailed vendor risk data, including severity, impact, mitigation plans, and other issues.

Subresource integrity

Subresource integrity (SRI) allows browsers to verify that the resources they fetch are delivered without unseen manipulation. It works by letting you provide a cryptographic hash that a fetched resource must match.

SRI mitigates the risk of an attack by ensuring that the files your web application or web document retrieves (for example, from a CDN) have arrived without a third party having injected additional content or modifications into them.

Content Security Policy

Content Security Policy is an additional layer of security that helps detect and mitigate certain types of attacks, including cross-site scripting and data injection attacks. These attacks are used for everything from data theft to defacing sites to distributing malware.

Protect your business and your customers

The worst thing you can do is pretend Magecart attacks don’t exist or think you can’t be affected. If you use third-party software to collect data from your site, it’s worth looking into protection efforts against Magecart.
