Magecart attacks becoming more stealthy: ongoing campaign report

Newly discovered attacks show the bigger scale of the Magecart infrastructure campaign

Magecart attacks not stoppingNew campaigns of card skimming show links to 2021 attacks

These newly reported Magecart skimming campaigns show many similarities with the previous attack campaign dating to the end of 2021. The infection shows activities similar to the campaign back in November 2021.[1]

Previously these campaigns were making headlines and became the hottest topic on cybersecurity, but regardless of the lower coverage, this is still a major problem.[2] Magecart attacks are not that large in numbers these days but becoming more and more stealthy.[3] Issues are now related to the potential server-side blindspot in tracking them too.

Two particular malware domains were reported and linked with these Magecart attacks. Domains hosting credit card skimmer code as a part of the broader infrastructure used to carry out these intrusions.

Researchers managed to connect these domains to the previous attack campaigns in 2021 that showed the first instances of the skimmer that affected virtual machines. Both of these domains are now devoid of the VM detection code, and it is unclear why these attackers removed it.

Magecart attacks are not stopping

Magecart is the cybercrime syndicate comprised of many subgroups that particularly focused on cyberattacks involving digital credit card theft. It happens by injecting JavaScript code on e-commerce storefronts – mainly checkout pages. Credit-card skimming[4] attacks can be exploited by attackers in the backend content management systems of websites or third-party dependencies.

These campaigns reportedly show that domains included in the activities date back to May 2020. Researchers also discovered an additional infrastructure related to the ongoing campaign. The list of uncovered domains is confirmed to be malicious and connected to previous skimmer activity.[5]

The injected code that is embedded in the payment section of the website harvests card details and sends those details that the client puts into the attacker-controlled server. These attacks started to make headlines back in 2015 for the Magento e-commerce platform. Then these attackers expanded to other alternatives like the WordPress plugin named WooCommerce.

The market for stolen credit card details

Even though these Magecart attacks are not at those rates that were common a few years back, these reports from threat intelligence researchers state that the market for the particular stolen credit card information is still considered worthwhile. These new operations show that campaigns are widely spread.

Hackers use these breached or stolen details for later attacks, and scams. Also, threat attackers rely on stolen credit card information and make money directly from victims' accounts stealing funds from simple people who fell for scams on hacked e-commerce sites.

Multiple researchers reported those hosts that are malicious and connected to hacked online stores. A full investigation showed that all these reported domains are linked to the large campaign. Attackers like this follow the money, so they often shift to the most popular e-commerce platforms on the web.

However, there are other types of information that could be considered valuable, as well as those credit cards. Crypto wallets and digital assets are more valuable these days. It is possible that scammers and attackers responsible for these campaigns might shift there too.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions