What is Magecart? | Attack types & prevention

A Magecart attack is one in which cybercriminals skim shoppers’ credit card data and other personally identifiable information (PII) from your online payment forms when they complete a transaction. The name “Magecart” refers to several hacker groups that use online skimming techniques to steal payment data from e-commerce sites on the Magento platform. However, Magecart attacks have spread far beyond Magento to OpenCart, Volusion and nearly every other e-commerce platform. This type of attack is known more broadly as digital skimming.

In a Magecart attack, cybercriminals may breach sites directly or attack your client-side supply chain. Most websites utilize third party apps — such as social sharing buttons, payment iframes, chatbots, analytics and metrics scripts, A/B testing scripts for experiments and helper libraries such as jQuery — to improve site functionality. If a cybercriminal infects a single code weakness into vendor code, it can spread to all of the sites that utilize the infected code. In other words, an infection in Magento or other third-party platforms is an infection in your payment form if you have integrated their client-side Javascript code onto your site.

Suffering a Magecart attack exposes payment data and PII, damages brand reputation and consumer trust, and results in fines due to noncompliance with privacy regulations. These attacks can be hard to detect, so it is critical to proactively identify and fix code risks before your site is compromised.

Attackers leverage vulnerabilities in client-side code to inject malicious scripts into the payment pages on e-commerce sites. When users complete a transaction, the script captures the form data and sends a copy to the cybercriminal. The transaction data still flows through to the e-commerce system, so website owners and consumers are not immediately aware that payment information was stolen. Contact information, usernames, passwords, credit card numbers, CVVs, and expiration dates are all subject to theft via Magecart attacks.

Cybercriminals can carry out Magecart attacks in various ways. These include both mass and targeted attacks that leverage different types of code injections and skimmers. Here are some examples:

• Inject malicious scripts into real payment pages to change form behavior
• Add or modify JavaScript code to create fake payment forms on a real site
• Direct users to complete transactions on fake sites with similar URLs to the site they intended to visit, leading the buyer to unknowingly submit a form on a fraudulent infected site
• Hide skimmers in images that load on payment pages in users’ browsers, such as in the 2022 attack on Segway

Magecart attacks target client-side code, which runs on users’ browsers. This means that malicious skimmers fall outside of common web controls, such as web application firewalls (WAFs). In addition, cybercriminals increasingly use scripts designed to evade detection. The malicious code loads dynamically in users’ browsers, so it is often missed by manual code reviews, static code analysis, and external scans.

Almost 98% of websites use client-side JavaScript, often from third-party vendors and open source libraries. Because payment platforms and scripts come from trusted vendors, these may not go through as rigorous a security review as other code. Security teams may not catch weaknesses in this code, or may not install appropriate updates when they become available. Cybercriminals often target outdated and vulnerable code, so ensuring your e-commerce platform is up-to-date is crucial to prevent Magecart attacks.

It is estimated that a new Magecart attack happens every 16 seconds, and they can have severe repercussions for your business. Nothing destroys brand reputation and consumer trust faster than exposing sensitive data to bad actors. This is true for both current customers who are directly affected and prospective buyers who may see bad press and choose to shop elsewhere. In fact, 56% of consumers say they won’t shop on a site that compromised their data. Reputation damage can negatively impact revenue, stock value and business growth.

Many countries and states have passed data privacy legislation — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — which impose hefty fines on businesses that fail to protect user data. Brands are responsible for Magecart attacks on their site, even if it was the third-party platform that was compromised. Well known brands such as British Airways and Ticketmaster have been fined millions of dollars following Magecart attacks.

Preventing a Magecart attack starts with understanding your third-party vendors. Vet your vendors by asking questions about their data security protocols and compliance measures. You can even include security requirements and penalties for non-compliance in vendor contracts. And do not allow third-party code more access rights than are necessary.

You must also continuously audit JavaScript code that accesses your sites and networks to identify script vulnerabilities. Proactively mitigate risk by patching and updating weak code as soon as possible. Use content security policy (CSP) rules and client-side browser-based JavaScript blocking to stop malicious script injections from loading to prevent data transfer.

HUMAN Client-Side Defense stops Magecart and other client-side supply chain attacks on your website using advanced behavioral analysis. It provides you full visibility and control over first-, third- and nth-party scripts running on the client-side. The solution detects unauthorized PII access, data exfiltration events and known script vulnerabilities, and provides incident details.

Client-Side Defense provides comprehensive client-side mitigation, partnering granular control over legitimate JavaScript with Content Security Policy (CSP) mitigation capabilities. This multi-layered protection lets you both block specific actions in a script, without blocking the full script, and block unwanted scripts entirely. In this way, the solution protects your brand reputation and ensures compliance.

Supply chain attacks | What they are & how to prevent them

What is digital skimming and how does it work?

What is personally identifiable information (PII) harvesting?

What is PCI DSS compliance? | Requirements & how to comply

What is GDPR? | Data types protected | GDPR compliance requirements