A Deep Dive Into Magecart

What is Magecart?

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. Magecart also refers to the JavaScript code those groups inject.

Learn More About the Groups Behind the Front Page Breaches

How does Magecart work?

Magecart works by operatives gaining access to websites either directly or via third-party services and injecting malicious JavaScript that steals data shoppers enter into online payment forms, typically on checkout pages.

Magecart operatives either breach sites directly or via supply chain attacks. Supply chain attacks target third-parties that supply code to websites. Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites, so when one supplier is compromised, Magecart has effectively breached thousands of sites at once.

What's in a Browser Threat?

Who does Magecart Target?

Magecart mainly targets e-commerce websites, aiming to inject their JavaScript skimmers on checkout pages. However, Magecart breaches many different types of sites because they can steal other types of sensitive, monetizable data entered into any online web forms.

Magecart takes advantage of online businesses’ general lack visibility into their web-facing attack surfaces. In many cases, the victims have no idea the JavaScript on their site has been changed, allowing the malicious code to exist there indefinitely. In the case of supply-chain attacks, it’s common a victim does not know that the compromised third-party JavaScript on their site is dangerous — or that they’re even running code from the breached supplier.

Find Out How the RiskIQ JavaScript Threats Module Can Help Detect Compromises on Your Site

Notable Magecart Attacks

Magecart & Ticketmaster

On June 27th, 2018, Ticketmaster made public they had been compromised, with actors stealing payment information from the company’s various websites. RiskIQ discovered the breach was a result of Magecart operatives placing skimmers on Ticketmaster checkout pages through the compromise of a third-party functionality supplier known as Inbenta. Overall, the breach of Inbenta affected over 800 e-commerce sites around the world.

Magecart & British Airways

On September 6th, 2018, British Airways announced it had suffered a breach of its website and mobile app, resulting in the theft of payment data of 380,000 customers. RiskIQ researchers traced the breach to Magecart.

The attack compromised the British Airways site directly, taking advantage of its unique structure and functionality. Magecart operatives copied and modified JavaScript supporting payment forms on the British Airways website so that it sent all payment information to an attacker-controlled server. However, they made sure these forms still worked as intended in a user’s browser to avoid detection.

The attackers were also aware that the British Airways mobile app used much of the same functionality as the web app and that breaching the website would also grant them access to the app. Many of these 380,000 victims were mobile app users.

Magecart Breach & GDPR

The first post-GDPR fine has been imposed against British Airways. The proposed amount of £183m represents 1.5% of BA’s 2017 revenues. To put this in context, the largest pre-GDPR fine levied by the UK’s Information Commissioner’s Office (ICO) was £500,000. This precedent may force organizations to reevaluate their current security strategy and investments.

Magecart & Amazon S3 Buckets

The second-largest spike in Magecart detections occurred in July when RiskIQ announced that the scale of a mass compromise of third-party web suppliers by a Magecart group was much larger than previously reported. The actors behind these compromises automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets, managing to compromise a vast collection of S3 buckets to impact well over 17,000 domains. This list includes websites in the top 2,000 of Alexa rankings.RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019.

Magecart & Magento

Magecart will always be intrinsically connected to one program in particular: Magento. When we first wrote about Magecart back in 2016, Magento was the primary third-party shopping software targeted, inspiring the now-infamous name, which is a combination of “Magento” and “shopping cart.” To this day, third-party shopping platforms such as Magento and OpenCart, which fuel an enormous portion of e-commerce, are the lifeblood of many Magecart groups.

Magecart & Malvertising

RiskIQ researchers recently discovered that Magecart Groups are also compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once. Recent RiskIQ research shows that Magecart now makes up 17% of all malicious advertisements seen by RiskIQ.

Reused Magecart Domains

Because Magecart skimmers stay on websites for so long, often indefinitely, they can be beneficial to threat actors even when used second-hand. Large portions of malicious Magecart domains have been taken up for sinkholing by various parties. However, some of them are kicked offline by the registrar, put on hold and eventually released back into a pool of available domains. RiskIQ researchers have noticed bad guys taking advantage of these domains coming back up for sale and buying them to continue skimming, or for other purposes, such as monetizing traffic through advertising or even serving malware.

Monetization Through Reshipping Schemes

RiskIQ research revealed how some Magecart actors targeting e-commerce sites cash-out by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S.

By pivoting on a domain related to known Magecart activity in RiskIQ PassiveTotal, RiskIQ found that the server behind its IP address linked to a reshipping company website falsely advertised as a freight/logistics provider. Magecart operatives recruit these mules false employment ads on Russian job websites for U.S.-based job seekers under the pretense of “transport agents.” These mules receive shipments of electronics and other goods bought with stolen credit cards to ship to an address in Eastern Europe.

This technique is similar to more traditional schemes involving money mules, but rather than a direct transfer of funds, the actors behind Magecart transfer funds into higher-priced goods. These goods can be shipped across borders without suspicion, then sold for a hefty profit.

RiskIQ Has Been Tracking Magecart Since 2015


RiskIQ has reported extensively on Magecart and will continue to report on the threat as it evolves. You can see your full Magecart library here.

Further Reading

Tile Image
The State of a Growing Threat
Read the Report
Tile Image
Gift Cardsharks:
The Massive Threat Campaigns Circling Beneath the Surface
Read the Report
Tile Image
Inside Magecart:
The Cybercriminal Groups and Criminal Underworld Behind the Front-Page Breaches
Read the Report