Malicious file callout on the checkout page
A vast and persistent web-skimming campaign has been unearthed, targeting the checkout pages of online retailers to silently harvest credit card data from unsuspecting shoppers. Dubbed under the umbrella term “Magecart,” this sophisticated operation has been active since at least January 2022, infiltrating e-commerce sites to intercept payments destined for major networks including American Express, Mastercard, and Discover.
The discovery comes from Silent Push Preemptive Cyber Defense Analysts, who identified an extensive network of malicious domains fueling this years-long fraud operation.
At its core, the attack is a digital sleight of hand. The threat actors compromise legitimate e-commerce websites—specifically those using WooCommerce and Stripe—and inject malicious JavaScript code. This code lies dormant until a customer reaches the checkout page.
According to the report, the malware “makes sure that the legitimate Stripe Payment Form is hidden” and replaces it with a “malicious iframe in which it renders a fake Stripe Payment Form with legitimate-looking variable names, titles, styling, and so on”.
Because the fake form is designed to mimic the real one perfectly—even including localization like Portuguese language support—shoppers have no reason to suspect foul play.
What makes this campaign particularly insidious is how it handles the theft. Once the victim enters their details into the fake form and hits submit, the data is encrypted and exfiltrated to a criminal server.
Then, the malware covers its tracks. It removes the fake form, restores the legitimate one, and simulates a click on the “Place Order” button. Because the real form is now empty (the user filled out the fake one), the website displays a payment error.
“The shopper believes they entered the payment info incorrectly—never realizing they’ve been victimized,” the analysts explain. “Instead, they will assume they made a mistake, then re-enter their credentials, and proceed as usual”.
The malware authors have gone to great lengths to avoid detection. The script employs a MutationObserver to monitor the webpage for changes, ensuring it only triggers when the conditions are perfect.
Crucially, it includes a self-destruct mechanism. “If the wpadminbar element is defined in the DOM, the code will completely remove itself,” the report notes. This means that if a website administrator logs in to check the site, the malware vanishes, making it incredibly difficult for site owners to spot the infection during routine checks.
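A defender-side integrity check for the pattern described above, added here as an example and not code from the Silent Push report or this article: it flags a checkout where the legitimate Stripe frame is hidden while an iframe from a non-Stripe origin (or about:blank / srcdoc) is collecting card fields. The allowed Stripe origins, the `form.checkout` selector and the card-input selectors are assumptions.

```javascript
// Added example, not code from the report or the article: a client-side audit for
// the hide-the-real-Stripe-form / inject-a-fake-iframe pattern. Assumptions: genuine
// Stripe Elements frames load from js.stripe.com; the checkout form is "form.checkout".
const ALLOWED_FRAME_ORIGINS = new Set(["https://js.stripe.com", "https://checkout.stripe.com"]);

// Origin of an iframe src; about:blank and srcdoc frames have none (page-rendered fakes use these).
function frameOrigin(src) {
  if (!src || src === "about:blank") return null;
  try { return new URL(src).origin; } catch { return null; }
}

// snapshot: { stripeFormHidden: boolean, frames: [{ src, hasCardInputs }] } -> findings
function auditCheckout(snapshot, allowed = ALLOWED_FRAME_ORIGINS) {
  const findings = [];
  for (const f of snapshot.frames) {
    const origin = frameOrigin(f.src);
    if (origin === null || !allowed.has(origin)) {
      findings.push({ type: "untrusted-frame", src: f.src || "(none)", hasCardInputs: !!f.hasCardInputs });
    }
  }
  const fakeFormLikely = snapshot.stripeFormHidden && findings.some((f) => f.hasCardInputs);
  if (fakeFormLikely) findings.push({ type: "stripe-form-hidden-while-untrusted-frame-collects-cards" });
  return { suspicious: findings.length > 0, fakeFormLikely, findings };
}

// Browser-only collector (needs a live DOM, not exercised under Node); selectors are assumptions.
function collectSnapshot(doc, checkoutSelector = "form.checkout") {
  const container = doc.querySelector(checkoutSelector) || doc.body;
  const stripeFrame = container.querySelector('iframe[src^="https://js.stripe.com/"]');
  // No rendered boxes means display:none or detached, i.e. the legitimate form is hidden.
  const stripeFormHidden = !stripeFrame || stripeFrame.getClientRects().length === 0;
  const frames = [...container.querySelectorAll("iframe")].map((fr) => {
    let hasCardInputs = false;
    try { // cross-origin frames throw here; only a same-origin fake form is readable anyway
      hasCardInputs = !!fr.contentDocument?.querySelector('input[autocomplete*="cc-"], input[name*="card"]');
    } catch {}
    return { src: fr.hasAttribute("srcdoc") ? null : fr.getAttribute("src"), hasCardInputs };
  });
  return { stripeFormHidden, frames };
}

// Constructed sample (not real telemetry): real Stripe frame hidden, about:blank frame with card inputs.
const SAMPLE_SNAPSHOT = { stripeFormHidden: true, frames: [
  { src: "https://js.stripe.com/v3/elements-inner-card.html", hasCardInputs: false },
  { src: "about:blank", hasCardInputs: true },
] };
console.log(JSON.stringify(auditCheckout(SAMPLE_SNAPSHOT), null, 2));
```

Because the report says the script removes itself when `wpadminbar` is present, run the collector from a synthetic, not-logged-in browser session rather than from an administrator's browser.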
The campaign’s infrastructure is robust, leveraging “bulletproof” hosting to keep its command-and-control servers online. With targets spanning six major payment providers—American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay—the scope of potential victims is massive.
“This campaign has been active for several years, dating back to the beginning of 2022,” the report concludes, highlighting the “threat actor’s staying power”.