Summary Points
- A sophisticated Magecart campaign has been active for over 24 months, infecting e-commerce sites across at least 12 countries using over 100 malicious domains to steal payment card data in real-time.
- The attack employs layered, multi-stage injections, replacing legitimate payment interfaces with convincing fake forms, including mimics of Redsys and PayPlug, to deceive victims globally.
- Data exfiltration occurs via encrypted WebSocket channels, making detection difficult, and the campaign also delivers malicious payloads for mobile downloads, targeting mobile users in multiple languages.
- Financial damage primarily impacts banks and cardholders through downstream fraud, emphasizing the need for monitoring outbound WebSocket traffic, enforcing security policies, and proactive threat sharing.
The Core Issue
Over the past two years, a sophisticated Magecart campaign has stealthily targeted e-commerce websites across at least 12 countries, including the United Kingdom, Denmark, France, Spain, and the United States. Security researchers at ANY.RUN discovered that this operation infects multiple WooCommerce sites by injecting obfuscated JavaScript loaders capable of delaying their activation, thereby avoiding detection. Once a site is compromised, the attackers replace legitimate payment buttons with fake ones, intercepting payment details as customers enter them. The malicious scripts mimic trusted payment providers like Redsys with high fidelity, and exfiltrate stolen card information through encrypted WebSocket channels—an evasive technique that intelligence agencies and security tools often overlook. Notably, the campaign has evolved into a complex, multi-stage infrastructure, capable of maintaining persistence even when parts are taken down, and has expanded its reach to mobile platforms via malicious APK files.
This operation’s sophistication explains why banks and cardholders bear most of the financial burden, as stolen card data fuels fraud losses and erodes consumer trust. The campaign’s meticulous planning, including infrastructure resembling legitimate services and multiple fallback mechanisms, indicates a highly organized cybercriminal effort rather than opportunistic crime. Researchers from ANY.RUN report these findings, warning financial institutions and security teams to bolster defenses—such as monitoring outbound WebSocket connections, enforcing strict content policies, and auditing third-party scripts—to prevent further damage. Meanwhile, the campaign’s focus on persistent, infrastructure-driven attacks exemplifies an alarming shift in cybercrime tactics—posing ongoing challenges for detection and mitigation.
Security Implications
The Magecart hackers have recently expanded their reach by using over 100 domains to target e-commerce stores. This sophisticated tactic allows them to hijack checkout pages and steal sensitive card information directly from customers. Consequently, any online business that processes payments is at risk, regardless of size or popularity. If your site is compromised, customers lose trust, and sales decline sharply. Moreover, the damage extends beyond immediate financial loss; your brand reputation can suffer long-term harm. Therefore, it is crucial to understand that such attacks are not isolated incidents but ongoing threats. As a result, businesses must stay vigilant, strengthen security measures, and monitor their websites continuously. Otherwise, they risk falling victim to this pervasive cyber threat, with devastating consequences.
Possible Next Steps
Timely remediation in cyber security is crucial to protect sensitive customer data, maintain trust, and prevent significant financial losses. When facing threats like Magecart hackers hijacking eCommerce checkouts through over 100 malicious domains, swift and effective response is essential to minimize damage and restore secure operations.
Detection & Monitoring
- Implement continuous network and web traffic monitoring to identify suspicious activity.
- Utilize threat intelligence feeds to stay updated on known malicious domains and behaviors.
Containment
- Isolate affected systems and disable compromised checkout pages immediately.
- Block malicious domains and IP addresses at the firewall level.
Remediation
- Remove malicious scripts and malware from compromised eCommerce platforms.
- Restore compromised checkout components from trusted backups.
Patch & Update
- Apply security patches to all web and eCommerce software components.
- Update third-party plugins and scripts to the latest, secure versions.
Verification
- Conduct thorough testing to confirm the threat has been neutralized.
- Utilize penetration testing and vulnerability scans post-remediation.
Communication
- Notify affected customers about the breach and remediation efforts.
- Report the incident to relevant regulatory and law enforcement authorities.
Prevention & Hardening
- Enable multi-factor authentication for administrative access.
- Implement strict Content Security Policies (CSP) to block unauthorized scripts.
- Regularly audit code and configurations to identify potential vulnerabilities.
- Educate staff about phishing and secure coding practices.
By adhering to these steps, organizations can effectively mitigate Magecart attacks, safeguard customer data, and strengthen their security posture in line with NIST CSF principles.
Explore More Security Insights
Explore career growth and education via Careers & Learning, or dive into Compliance essentials.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
