The State of Magecart: A Persistent Threat to E-Commerce Security
Trustwave SpiderLabs first blogged about Magecart back in 2019; fast forward five years and it is still here going strong.
During the pre-holiday season, cybercriminals ramped up their efforts to target e-commerce websites, aiming to steal cardholder and personal information. These attacks, collectively known as Magecart, have been active since 2015, named after the Magento e-commerce platform with "cart" referencing shopping carts — their initial primary targets.
Magecart attacks have persisted due to the widespread use of the Magento platform, which powers numerous online stores worldwide. The pandemic further fuelled the group's activity, as the global shift to online shopping presented an expanded attack surface. In this blog, we will discuss what we have recently seen, explore the attack methodology, and the current state of Magecart threats.
Attack Methodology
Magecart attacks typically follow a structured approach:
Figure 1. A typical Magecart attack flow
Initial Compromise
Attackers often gain unauthorized access to a website by exploiting vulnerabilities in the e-commerce platform, its infrastructure, or compromised third-party services. They may exploit unpatched vulnerabilities in Magento websites, but it is also common for them to target third-party vendors with weaker security. Other methods include brute-forcing admin credentials or taking advantage of misconfigurations in the website or its supporting systems.
Threat actors have exploited several known vulnerabilities (CVEs) in e-commerce platforms, with Magento being a frequent target. Below is a notable Magento vulnerability that was exploited in 2024:
- CVE-2024-20720 - This critical command injection vulnerability in Adobe Magento, first identified in February 2024, was observed being actively exploited in the wild by April, as reported by Sansec. With a CVSS score of 9.1, this flaw allowed attackers to execute arbitrary system commands without requiring user interaction. Magecart attackers exploited this vulnerability to insert persistent backdoors into compromised websites that allowed unauthorized access and data theft.
- CosmicSting (CVE-2024-34102 and CVE-2024-2961) - This was one of the most widespread attacks of the year, impacting 75% of Adobe Commerce and Magento platforms and compromising thousands of e-commerce websites. The attack exploited CVE-2024-34102 to access sensitive files, such as configuration files containing encryption keys, and then used CVE-2024-2961 to escalate privileges and to allow full system compromise. These vulnerabilities allow attackers to execute remote code execution (RCE), modify content management system (CMS) blocks, inject malicious scripts (e.g., skimmers), and install persistent backdoors for long-term control over affected systems.
According to Sansec, e-commerce stores were being hacked at the alarming rate of five to 30 sites per hour during this attack’s campaign.
Figure 2. A snippet of the skimmer's data exfiltration code was injected into Cisco’s e-commerce website in September 2024, which is believed to have been compromised using the CosmicSting vulnerability.
Skimmer Injection
Skimmer codes are injected by attackers depending on the opportunities and services available to them. They may insert the code directly into checkout pages or spread it across multiple pages of the website, with a primary focus on monitoring checkout pages. The code typically identifies these pages by checking if the URL path contains keywords such as "checkout" or "onepage". Once the target page is detected, the skimmer captures user inputs on payment forms, including sensitive data such as credit card numbers, CVVs, and billing details.
Figure 3. A malicious JavaScript code is injected to load an external JS script whenever the HREF location contains the strings “checkout” or “onepage.” Once triggered, the external script monitors the input fields on the page, enabling card skimming and the exfiltration of sensitive data.
At the height of the pandemic in 2020, attackers were observed injecting malicious code into a compromised e-commerce site’s Magento global configuration, causing the code to load on every page each time a user accesses the website. Figure 4 illustrates Magento’s design configuration page, where administrators can customize the footer section of the webpage. This section is typically used to define the copyright notice, but it also allows for the insertion of a <script> element, which attackers can exploit to embed and execute malicious scripts.
Figure 4. After compromising the system, threat actors gain access to Magento's design configuration page via the admin panel. From there, they can embed malicious scripts directly into the configuration settings, enabling the execution of harmful code on the site.
In 2024, attackers heavily exploited trusted third-party services such as Google Tag Manager (GTM) to deploy skimming codes.
GTM is designed for legitimate purposes, such as analytics and marketing, also enables website administrators to inject scripts into their sites. Threat actors abuse this functionality by embedding malicious payloads within seemingly legitimate GTM containers.
This method is particularly difficult for web administrators to detect, as GTM appears benign. However, in the background, it contains a custom HTML script tag that loads malicious skimmer code from a remote server controlled by the attackers.
%20account%20and%20embed%20a%20Custom%20HTML.jpg?width=601&height=494&name=Figure%205.%20Here%E2%80%99s%20an%20example%20of%20how%20threat%20actors%20can%20easily%20create%20their%20own%20Google%20Tag%20Manager%20(GTM)%20account%20and%20embed%20a%20Custom%20HTML.jpg)
Figure 5. Here’s an example of how threat actors can easily create their own Google Tag Manager (GTM) account and embed a Custom HTML script tag containing malicious skimmer code. This can then be injected into the target website.
Figure 6 shows a real-world skimmer code embedded within a GTM container. The tag was injected into a compromised e-commerce website and contains a custom HTML script that loads an external JavaScript file, which executes the skimmer code.
Figure 6. An e-commerce website is compromised with a malicious GTM script. The custom HTML tag within GTM loads an external JavaScript file, which carries out card skimming and data exfiltration.
Figure 7. In recent months, multiple instances of malicious GTM scripts have been identified by SD Research, as reported on X (formerly Twitter).
Data Exfiltration
Once attackers gather the desired user information from the checkout page, they often verify the data — particularly credit card details — using a simple checksum validation method called the Luhn algorithm. The stolen data is then transmitted to a remote server controlled by the attackers. To obscure the activity, the data is typically encoded in formats such as Base64.
Figure 8. A deobfuscated snippet of the data exfiltration code reveals that the malicious script collects data from select, input, and iframe elements, assembling the information into an array for later exfiltration.
Figure 9. Credit card data is validated within the skimmer code using a simple checksum process based on the Luhn algorithm.
In some cases, attackers exfiltrate the information via an HTTP GET request by embedding it as the “src” attribute of an image tag. Alternatively, they may use WebSocket connections for real-time data transmission. This process is relatively straightforward, allowing attackers to send the compromised data to any chosen command-and-control destination, thereby completing the attack.
Figure 10. A sample of data exfiltration involves embedding the stolen data as a URL parameter and sending it through the “src” attribute of an image tag.
Mitigation
As noted in our previous Magecart blog, a defense-in-depth approach is essential to mitigate the risk of Magecart attacks.
Start by fully patching all web server infrastructure components, from operating systems and software to extensions and third-party code. However, since not all extensions may have patches available, disabling non-essential extensions can reduce your attack surface.
Critical website sections, such as the checkout page, should run only the minimum necessary components. Additionally, where possible, use local copies of scripts instead of relying on remote sources to minimize exposure to compromised third-party content.
While it’s not feasible to eliminate all third-party code and host every JavaScript script locally, implementing a Content Security Policy (CSP) is another (highly) effective solution, especially for critical pages such as cart and checkout. CSP allows you to define trusted sources for scripts and other content, ensuring that only authorized scripts can execute on critical pages like payment forms. By applying CSP directives and using reporting tools to monitor violations, you can respond swiftly to unauthorized script activity.
Subresource Integrity (SRI) adds another layer of security by verifying the integrity of externally loaded resources. This is achieved by including a cryptographic hash in script or style tags, allowing the browser to block any resource that doesn't match the specified hash.
Moreover, monitoring file changes on the website and performing checks on external connections can help identify malicious activity. By extracting a list of external connections made by each script and comparing them against blocklists and allowlists, you can detect and mitigate exfiltration attempts to attacker-controlled domains.