Magecart

Malware description

⚠️ Overview

Magecart is a family of web skimmer malware, first documented in 2015 by security researcher Willem de Groot, that steals payment card data on the client side from e-commerce checkout pages. It is not attributable to a single operator: multiple independent threat groups (e.g., Magecart Groups 1 through 8, as identified by RiskIQ) compromise online shops to steal credit card information during checkout. Magecart is categorized as a credit card skimmer and form grabber, and is often delivered via third-party scripts or compromised content management systems.

🔧 Technical Capabilities

Magecart operators inject malicious JavaScript into the checkout pages of e-commerce sites (MITRE ATT&CK T1190 – Exploit Public-Facing Application), typically by compromising vulnerable plugins in Magento, WooCommerce, or Shopify. The skimming script captures form data (credit card numbers, CVV, expiry dates) and exfiltrates it to attacker-controlled domains (T1041 – Exfiltration Over C2 Channel) using encoded HTTP requests or WebSocket connections. Evasion techniques include obfuscated JavaScript, dynamic DNS domains, and canvas fingerprinting to avoid detection by security crawlers. Attackers maintain persistence via web shells (T1505.003) or by compromising third-party dependency feeds (e.g., Magecart Group 7's use of fake CDNs). Some variants (e.g., Intermage) apply two layers of encryption to exfiltrated data to hinder analysis.

📜 History & Notable Incidents

First publicized in 2015, Magecart drew wide attention with the 2018 attacks on Ticketmaster (over 40,000 customers affected) and British Airways (380,000 payment cards exposed via a compromised third-party chatbot script). In 2020, Magecart hit Newegg (credit card data stolen for a month) and Macy's (via Magecart Group 6). No CVEs are directly attributed to Magecart, but it exploits published vulnerabilities such as CVE-2019-6329 (Magento 2.3.1 SQL injection) and CVE-2020-5902 (F5 BIG-IP, used for initial access in some campaigns). Law enforcement arrests have been rare; in 2019, Ukrainian authorities detained a Magecart suspect linked to the Intermage variant.

🔍 Detection Indicators

Network IOCs include domains such as statics.uprockcdn.com and cdn.gaft.biz (documented by RiskIQ). Behavioral signatures: unexpected JavaScript injection in checkout forms, base64-encoded requests, or unusual outbound connections to nonstandard ports (e.g., 8080). File hashes vary per campaign; the SHA256 value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 given here is an example placeholder (it is the SHA-256 of empty input, not a Magecart artifact, and should not be used as an indicator), and real hashes are campaign-specific. Registry keys are not commonly used; persistence is web-based. User-Agent strings may mimic legitimate browser traffic but often lack proper headers (e.g., a missing Accept-Language).

☠️ Risk & Impact

Magecart's primary impact is the exfiltration of payment card data, leading to direct monetary theft and fraud. The 2018 British Airways incident resulted in a £20 million GDPR fine. Affected sectors are predominantly e-commerce, including retail, travel, and hospitality: any site that processes credit card data on the client side is exposed. Secondary impacts include reputational damage, loss of customer trust, and legal liability under PCI DSS and GDPR.

🛡️ Mitigation

Defenses include implementing a Content Security Policy (CSP) with a strict script-src directive, using Subresource Integrity (SRI) hashes for external scripts, and deploying client-side web application firewalls (e.g., Akamai, Cloudflare). Regular patching of e-commerce platforms (Magento, Shopify plugins) and monitoring third-party script integrity with automated tools such as Jscrambler or PerimeterX are critical. For detection, organizations should inspect network logs for anomalous outbound connections and deploy runtime application self-protection (RASP) on checkout pages.
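As an added example (not code from this page, and not a tool from any vendor named above), the following Python implements the SRI and third-party script monitoring described here: it flags checkout-page script tags that lack an integrity attribute or load from non-allowlisted hosts, and reports when a baselined script's content no longer matches its recorded SRI hash. The hosts, paths and script bodies are constructed for the demonstration.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample data: hosts, paths and script bodies are made up, not real indicators.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-shop.test"}
ORIGINAL_CHECKOUT_JS = b"document.forms[0].addEventListener('submit', validate);"
TAMPERED_CHECKOUT_JS = ORIGINAL_CHECKOUT_JS + b"\n/* unexpected appended code */"
CHECKOUT_HTML = (
    '<script src="https://cdn.example-shop.test/checkout.js" '
    'integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>\n'
    '<script src="https://cdn.third-party.test/widget.js"></script>\n'
    '<script>window.shop = {};</script>\n'
)

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_script_tags(html: str) -> list:
    """Flag script tags that weaken the page's posture: inline scripts, external
    scripts without an integrity attribute, and scripts from non-allowlisted hosts."""
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(match.group(1)))
        src = attrs.get("src")
        if src is None:
            findings.append(("inline-script", None))
            continue
        if urlparse(src).hostname not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unapproved-host", src))
        if "integrity" not in attrs:
            findings.append(("missing-integrity", src))
    return findings


def check_drift(baseline: dict, fetched: dict) -> list:
    """Recompute the SRI hash of each freshly fetched script body and return the URLs
    whose hash no longer matches the recorded baseline (i.e. the script was modified)."""
    return [url for url, body in fetched.items() if sri_hash(body) != baseline.get(url)]
```

In practice the baseline is recorded when a third-party script is approved, and the drift check runs on a schedule against what the CDN actually serves; a drift finding is the point at which the script should be blocked by CSP/SRI until reviewed.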


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.