MageCart attack

By Atul Periwal.

What is Magecart?

Magecart is the name assigned behind the world’s biggest cyber attacks to a multinational consortium of at least 8 criminal organizations. They’re best known as Magecart attacks, also known in the tech landscape as front-end attacks. These hacker groups who attack shopping cart networks online, typically the Magento scheme, to steal data from user payment cards. This is regarded as an assault on a supply chain (Supply chain attack).

The concept behind such attacks is to hack or compromise an industrial process unfamiliar to IT with a third-party piece of software from a VAR or device integrator. It has been in existence since 2016 and is liable, among others, for data abuses at British Airways, Ticketmaster, Forbes Magazine, and Newegg so far.

Magecart working

The attacker uses the browser on the client-side to view any data entered by a user. Through inserting malicious Javascript code, the attacks threaten confidential consumer details (email accounts, credentials, and credit card details).  Concerningly, Magecart is also able to insert entirely new fields into a form to obtain further data. Users don’t know that they are viewing a compromised page, while the organization finds about the changes months after the damage has happened. Users have no means of understanding that a hacked website is being viewed, although organizations typically only find out more about the update months after the damage has happened.

More than 40 malicious code injections that can steal data have been found by researchers. Line by line analysis is required to identify the gap between both the original code and the updated code. Attacks by Magecart are also difficult to identify as hackers insert their malicious code into scripts that are trusted by protection tools by design.

Magecart’s Evolution

RiskIQ and Flashpoint researchers joined forces last year and released a paper dissecting the code of Magecart and its compromise procedures. They keep monitoring at least six separate hacker groups who are aggressively creating variants of the malware, incorporating new modifications and trickery. In this malware family, researchers found several enhancements made by attackers.

These enhancements are:

Apart from Magento, Magecart attackers have begun to threaten new plug-ins.

A new way of infecting advertisement banners on websites is being used by attackers. They insert the Magecart code on a web server and the malicious code is downloaded to their device when a user opens the compromised ad in their device.

Instead of spraying ransomware, attackers from Magecart use social engineering tactics to research the IT network of their targets.                                         

Influential Magecart Attacks

British Airways: Due to a successful assault by Magecart, British Airways suffered almost $230 million. The hackers were able to acquire 380,000 user’s payment card data. As soon as the customer presses the Submit button, the inserted code gathers payment card details.

Trickmaster: Trickmaster used a payment system from Inbenta that was custom designed. Hackers were capable of putting malicious code on the resources of Inbenta, and for five months the threat stayed unnoticed. The payment card information of 40,000 clients was compromised as a result of this assault.

Forbes Magazine: Aside from payment card information, Forbes Magazine gathered contact details and subscriber emails. A security researcher confirmed that Forbes had been a target of hackers at Magecart, but never shared specific details.

Newegg: It took Newegg five days to detect the corrupted code on its website. The hackers obtained more than 500,000 clients’ payment card data.

Shoppers Approved: For collecting feedback and ratings, many websites use third-party features such as Shoppers Approved. Shoppers Accepted has thousands of clients using its facilities. The inquiry found, however, that only a limited number of clients were affected.


Engender a cyber security philosophy, where, on their first day on the job, you inspire and encourage staff to follow sound security standards.

To monitor where scripts are loaded, use the Content Protection Policy (CSP) and Sub-Resource Integrity (SRI).

Audit the current code daily for improvements and enhancements.

Conduct risk control with widgets, software, and tools from third parties.

Track the correspondence of third-party tools with external domains closely.

Conclusion An effective sequence of attacks by Magecart demonstrates how hackers try to manipulate multiple attack vectors. Organizations must be able to spot modifications in their code within a period of a few seconds rather than weeks or months. To identify threats in real-time, it’s time for e-commerce sites and related service providers to scale up their defence steps. Besides, they should not have an uninspiring mindset and brace for security issues to arise for service providers whose client base is thousands and millions. Constructive steps must be taken to ensure that security risks are identified in real-time to have a limited effect on their operations.