Magecart: Meet the Cybercriminals Silently Stealing Payment Data from Websites

What if next week your CISO alerted you that your company’s ecommerce website has been leaking thousands of credit card details from your clients over the last few months?

As apocalyptic of a scenario as this may seem, this has been the unfortunate reality that thousands of retailers had to face during the last few years. The culprit is a cybercriminal collective known as ‘Magecart’ — an umbrella group that has been rapidly expanding its web skimming operations over the past three years.

This is precisely the same collective that was behind the massive payment data breach that affected 400,000 British Airways customers, as well as Claire’s, Macy’s, Ticketmaster, Tupperware, Forbes, Robert Dyas and many more.

Web Skimming Explained

Magecart attacks consist of injecting a digital credit card skimmer (or web skimmer) into an ecommerce website. Once it makes its way into its target website, a web skimmer is pretty straightforward — it intercepts the website’s payment form (which explains why this attack vector is also known as “formjacking”), collects all the payment data and sends it to an attacker-controlled drop server. 


Typically, Magecart attacks operate through the supply chain. Attackers start by identifying a third-party service being used in one of their target websites (for instance, a chatbot). Then they breach this third-party service provider and inject the web skimming code into the code of the chatbot itself. Once that happens, the compromised code will be immediately shipped to every single website using that chatbot.

While this seems like a complex operation, this is so simple an attack that the skimmer that breached British Airways consisted of only 22 lines of code. However, while some web skimmers were extremely simple, attackers have greatly improved their tactics, adding bot detection capabilities to their code that allow them to easily bypass most existing threat detection technologies and remain undetected for months.

It might seem mind-boggling that such a critical security threat can remain active for so long, especially when we’re talking about some of the world’s largest retailers. What’s so unique about Magecart is that it cleverly takes advantage of a security weakness that plagues most companies with a strong web presence: the lack of client-side security.

This security weakness stems from a decades-long focus on server-side security and a security model that didn’t encompass the client side (i.e. everything that takes place on the browser or end-user device). As a result, companies have zero visibility of everything that happens at that level. Since Magecart can breach a website without ever touching the underlying server, and since it can easily bypass browser native defenses and Web Application Firewalls (WAFs), these web skimmers have managed to fly under the radar for far too long. Every passing day without detection equals thousands of clients having their credit card data stolen.

Breach of Compliance

When we’re dealing with data being stolen by attackers, the matter of compliance is probably the biggest concern to be addressed. Following the massive 2018 Magecart breach, British Airways was originally fined a record-breaking $230 million GDPR fine. And although this figure was adjusted to $26 million by the Information Commissioner’s Office (ICO) in October 2020, this fine clearly set the tone on the potential outcome of a Magecart breach.

With emerging data protection regulations such as GDPR and CCPA, as well as specific standards for payment card data (such as PCI DSS), companies have to step up how they are handling sensitive user data — going beyond traditional security measures and adopting a defense-in-depth approach that enforces monitoring and leakage mitigation strategies. 

Preventing Magecart

Ecommerce is seeing unprecedented momentum, triggered by the COVID pandemic and by a consumer shift to digital channels. In Q1 2021, U.S. ecommerce saw 49% YoY growth, providing ample opportunity for attackers to target retailers’ websites. So it’s no surprise that this growth has been accompanied by a 63% growth in data breaches in retail.

While Magecart has certainly entered the radar of several companies throughout 2021, dealing with a new and constantly mutating attack vector is a tough security challenge. So let’s break down this threat.

If we put a typical Magecart attack under the microscope, we will find two key problems: the inability to detect a web skimmer when it’s running at the client side and the lack of capabilities to mitigate the attack.

So the first step in a Magecart prevention strategy must be gaining client-side visibility. Today, companies can easily achieve this by using webpage inventory technology that actively monitors the client side, looking for signs of malicious behavior. Typical Magecart signs include: a third-party script tampering with a payment form, payment data being sent out to an unknown domain, etc.

After gaining visibility, companies need the ability to actually block the malicious behavior, ideally without disrupting the customer experience. This is where it can get even trickier, as some novel security approaches are often unstable and can break the entire website. A proper Magecart mitigation strategy must be able to block the source of the malicious behavior in real time regardless of the strategy used by the attackers; ensure that no data is leaked; and keep the user experience intact throughout the whole process.

Looking ahead, we know that attackers will keep pushing forward and evolving their tactics to leak valuable user data. It remains to be seen if companies will take the necessary steps to ensure that Magecart cybercriminals don’t win the marathon.

Rui Ribeiro is the Co-founder and CEO of Jscrambler where he co-leads business development. Ribeiro has extensive professional experience in the banking and finance areas as IT Developer, team leader and Project Manager. Jscrambler started as AuditMark, back in 2009 developing a solution to fight click-fraud in advertising campaigns. There was no tool capable of protecting JavaScript in the market so the need was met and Jscrambler was born.

Feature Your Byline

Submit an Executive ViewPoints.


Access The Media Kit


Access Our Editorial Calendar

If you are downloading this on behalf of a client, please provide the company name and website information below: