MAGECART: A Rise Of Web Skimming

While online purchasing has altered the global economy, shifting from shops to digital storefronts, has also given rise to a new hidden economy growing across the globe for theft and sale of credit card data.


Every day, the threats or the vulnerability in technology draws our attention towards the new age malicious phenomenon of shadowy hacker groups. Magecart is one such group of sophisticated groups that have impacted a large set of entities in the past few years. From British Airways to Ticketmaster, all with a singular goal of stealing credit card numbers.

Magecart is a term given to a variety set of cybercriminal groups, that have unified seeking the same target: payment card details. It currently consists of at least 12 distinct groups with similar methodologies. The Magecart attack can also be called as a form of data skimming that attacks using the client-side browser as the front-door for consumer interactions. ‘Skimming‘ is a method used by attackers to illegally collect data from the magnetic stripe of a credit, debit or ATM card. This information is then used to make purchases or withdraw cash in the name of the actual account holder.


The Magecart threat came into the picture in 2015, when it began to compromise vendor websites and injecting skimmers. RiskIQ started tracking the activities as far back in early April 2015 when thousands of stores were affected during that time. Since then, numerous other groups have emerged with skimmers and the multiplication continues to this date. Some of these groups cast wide nets and hit as many vendors as possible. A few carefully cover up their skimmer and another few targets the third parties to gain access to the thousands of vendors they serve. Some limit their victims to a few high-value organizations and use specialized skimmers, domains, and attacks against them. Consequently, these threat actors and families continue to grow, evolve, and learn.


Magecart by Blarrow

Whilst e-commerce card skimming has been a problem since the early 2000s, modern Magecart movement appears to have begun with Group 1 & Group 2 in 2014/15. The two groups tricked the U.S based job seekers into shipping items purchased with the stolen credit card numbers to Eastern Europe. Group 5 was considered to be behind the recent breaches of Ticketmaster to indicate, the range of modi operandi utilized by the groups.

Recent research conducted by the IBM X-Force Incident Response and Intelligence Services (IRIS) reveals that Magecart Group 5 is testing malicious code on L7 routers. The L7 routers are used fro providing commercial Wi-Fi connectivity to users connecting to a free airport Wi-Fi, casinos, hotels, and resorts. These attacks are targeted against shopper on the US and Chinese sites.

How does Magecart work?

 Magecart hackers substitute a piece of Javascript code, either by altering the Magento source or by redirecting the shopping cart to a website that hosts the malware. 40 different code-injection exploits were identified stack line-by-line to see what has changed. The criminals try to take ownership of the project and then publish a ‘new version‘ of code which contains the malware which has a direct benefit of quickly getting malware in active use across thousands of websites. The criminals remain under the radar from GitHub to get away with a compromised project.

How did Magecart evolve?

The improvement can be found in a series of a malware family. Most of the Magecart efforts have involved compromises to the Magneto shopping cart. This leveraged the vendor’s customer scoring plug-in to rate various websites. The malware had deployed 7,000 economic sites which became a movement beyond Magneto with new plug-ins. A second direction is still attacking shopping carts using ad servers that infect advertising banners. Once the code is downloaded in the computer using ad browsers, the malware code is hosted by the server. Using more targeted attacks like British Airways where the attackers were able to take advantage of the logic flow of their internal applications. The researchers tracked 22 lines of code on the infected script that dealt with British Airways baggage claim that compromised the Airways’ own servers.

Magecart- the rise of web skimming by

Threat Groups:-                                                                                                                                       

Group 1 and Group 2: Frist Seen: 2015, Victims: 2,500+

The first Magecart group emerged in 2015 that compromised several thousand stores. Group 1 had cast a wide net with its skimmer using automated tools to attack and compromise sites and then upload the skimmer code. RiskIQ identified the domain used in re-shipping monetization scheme in November 2015. In July the same year, Group 1 created a website that purported legitimate shipping company as a part of its scheme for monetizing stole card information. The mules then re-shipped the goods to Eastern Europe where the criminal group sold them for profit. During 2016, Group 1’s operations and infrastructure scheme evolved in the form of Magecart Group 2.

Group 3: First Seen: 2016, Victims: 800+

Group 3 operates similarly to other groups that go for high volumes of compromises to grab as many card details as possible. The group is differentiated in a way its skimmer works as they do not target high-end web stores. Group 3’s skimmer takes a different approach as they check if any of the forms on that page holds payment information instead of checking the skimmer on the checkout page. The skimmer list contains a set of IDs per item that maps it down to a certain payment form. the skimmer executes every 700 milliseconds and goes through three steps of data collection: Checks the form that contains billing in name, checks for shipping in name and check if any form matches the payment form field names. By following these steps, Group 3 ensures that it has the name and address for the person paying. By putting the data in local storage, the Magecart operators confirm they have all that they need before sending it off. The final step involves exfiltrating the skimmed data which is sent to the drop server in a POST request.

Group 4: First Seen: 2017, Victims: 3000+

Group 4 is advanced in terms of access and how it places the skimmer. This group focuses on high volumes of compromises with the goal of getting as many cards without specific targeting. It also tries to blend web traffic mimicking ad providers, analytics providers, victim’s domains, and anything else that can remain under the plain sight. The group has more tricks to check for attempted analysis of skimmers. The way Group 4 uses its skimmer its different from other Magecart groups as the skimmer is not visible to anyone and has a valid user-agent. The skimmer is expansive – 1,500 lines. The group is also seen to use methods to detect and avoid analysis, by these advanced methods its likely to be in the banking malware ecosystem with regard to webinjects.

Group 5: First Seen: 2016, Victims: 12+

Group 5 is a strategic group that has a unique approach to getting a large volume of victims. It is said that the MG5 has constructed an attack scenario in which it could inject mischievious code into an open-source JavaScript library that is designed to enable websites compatible with mobile browsing. By infecting the code, the attackers can steal the data of mobile device users who install online shopping apps. The group also infected the open-source app code that’s offered to app developers for free. The mobile app code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects. By infecting the code, every developer using the touch slider will end up serving the attackers’ code in their developed app which will further result in the compromise of data belonging to those using the app.


Group 6: First seen: 2018, Victims: 2

The most high-profile Magecart group and the impacts have been massive. The aim is to be selective, only going for top targets, such as British Airways and Newegg. But the skimmer is simple compared to other groups, they have a good knowledge of how their victim processes payments which allow them to integrate their skimmer. Group 6 makes a profit by selling skimmed payment data that compromise of the most prominent underground vendors. Their skimmer is much elegant and less detectable.

Group 7: First Seen: 2018, Victims: 100+

Group 7 is not a well-defined modus operandi other than compromising any e-commerce site it can find. Instead of dedicated host for the injection and the drop, the group uses compromised sites as proxies for its stolen data. The process of remediation takes much longer time than other groups because of its legitimate domains. Group 7’s skimmer is simple and built for a specific type of checkout process each victim merchant uses. The skimmer works the same as other Magecart groups but exfiltrates payment data in GET requests which are embedded in images.


The best defensive against Magecart attacks will be preventing access. This will prevent the malicious script or any non-critical third-party script from gaining access to information the customers enter on websites. Monitoring component also should be used by the companies to send alerts when third-party attempts to access sensitive information.




- Advertisement -

An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness.Currently working as a Head of Content, content writer & creator at BLARROW.TECH

- Advertisement -

Latest articles

Related articles