
Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It’s also fundamentally changing the way we view browser security. 

A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer’s or website owner’s knowledge. Although it’s just now getting global attention, Magecart has been active for nearly ten years; RiskIQ’s earliest Magecart observation occurred on August 8th, 2010.

Magecart operatives gain access to websites, either directly or via third-party services in supply-chain attacks, and inject malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. It is quietly eating away at the e-commerce industry because website owners lack visibility into the code that’s running on their sites, which is a bigger problem than most people realize. Skimming code can exist on a breached website for weeks, months, or even indefinitely, victimizing any visitor who makes purchases on that site.

RiskIQ’s global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do, a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times and directly breached over 18,000 hosts.

The report includes insights such as:

  • 17% of all malvertisements detected by RiskIQ contain Magecart skimmers.
  • The average length of a Magecart breach is 22 days, with many lasting years or even indefinitely.
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites. 

The entire report, containing additional insights and information, is available for download here: https://www.riskiq.com/research/magecart-growing-threat/
