Magecart’s ‘shotgun approach’ to payment card theft is wreaking havoc on e-commerce sites

Flashpoint detailed an active Magecart-style campaign sweeping up data from more than 100 sites.

It’s a good time to be in the credit card-stealing business.

Hacking associations like Magecart — a loose collection of at least 12 groups that specialize in skimming payment data from digital checkout pages — are carrying out more efficient attacks to walk off with online shoppers’ data. By injecting malicious code into vulnerable e-commerce systems in anywhere from the payment system Magento to advertisements and analytics pages, thieves are able to exfiltrate payment information without detection.

Before scammers hit Amazon’s CloudFront content delivery network last week and Forbes magazine in May, Magecart was best known for shaking down popular sites like Ticketmaster and British Airways. Each group relies on different techniques, ranging from exploiting server vulnerabilities to using unique skimming code and, in the case of Group 5, which was blamed for the Ticketmaster breach, hacking third-party suppliers.

“It’s like a shotgun approach to mass compromise,” said Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking these groups for years.


RiskIQ is monitoring at least 12 other unclassified groups that have not been publicly identified, Klijnsma said, but exist in part because so many of these skimming tools are available on cybercriminal forums.

“It’s just so easy to get into this,” he said. “You buy one of these skimming kits for a few hundred bucks and sit back and wait for the cards to come in.”

The name originated with RiskIQ researchers in 2015 who noticed that thieves were modifying the mage.php code in Magento websites’ cart sections, Klijnsma said.

“For us, ‘Magecart’ is just the concept of web skimming,” he added. “‘Magecart’ was a good name to spread to get some attention on it.” 

One reason the attacks remain so successful is because the skimmer codes work against any generic website that processes payments, rather than only shopping-focused content management systems like Magento, Open Cart and others. In the past, thieves with an exploit affecting Magento could only hit those systems, whereas now they can inject code into third parties without hacking. Then, the malware works like a physical card skimmer: sweeping up account numbers, names, addresses and other data that’s valuable on dark web markets.


Generalized skimming code means any kind of site performing payments is a target. Last week, threat researchers from Fortinet detailed a campaign that stole 185,000 payment card details in this way.

Attacks underway

Now, card thieves are using a new Magecart-style attack to actively steal information from at least 105 websites. Known as a JS-sniffing tool, the malware, dubbed “Inter,” generates a custom collection code that uses a JavaScript file to collect information from sites that use the Magento, OpenCart or OSCommerce payment platforms. It was first available in December for $1,300 in Russian-speaking criminal forums and now is being marketed for $900, according to Joshua Platt, a researcher at the risk intelligence firm Flashpoint.

Traditionally, JS-sniffers cost between $100 and $150, Platt said, but Flashpoint researcher began finding more examples of the Inter tool when the price went to $900 in part because it could be more effective than better known tools that have been used for longer.

“It’s a universal sniffer,” he said. “Inter is a panel in the Magecart family. Subgroups can use the same backend sniffers and customer sniffers, and it varies. But it’s difficult to link the [specific] Magecart instances with the sniffer tools they’re using.”


But it’s clear these groups are multiplying, and becoming more efficient. If there are roughly a dozen defined Magecart groups in action, then that’s just a fraction of the dozens of JS-sniffer families chipping away at websites’ payment sections. Researchers at the security vendor Group-IB in April suggested 38 families of JS-sniffers were collecting information from 2,440 hacked websites that received 1.5 million unique visitors every day.

Some of those families included code that could detect if a website visitor had an open developer console in their browser, a possible indication that visitor could be a security researcher conducting an analysis of an infected website via a developer console. In that case, the sniffer would remain silent and avoid detection, said Viktor Okorokov, a threat intelligence analyst at Group-IB. It’s just one example, he said, of companies’ inability to protect the ecosystem cybercriminals rely on to earn money.

“They work hard,” he said.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts