
Magecart Juggernaut Devastates Businesses Globally

Analysis reveals how some of the world’s largest brands were compromised

Charlie Osborne

London – Nov. 15, 2021

When the “Magecart” name first appeared in connection with an attack against Ticketmaster, it was believed in many circles that the major incident was only a one-off attack.

However, Magecart-style assaults date back to as early as 2010, with the mass compromise of online stores occurring in 2015 and beyond. The attacks on Ticketmaster and British Airways, targeted in 2017 and 2018, respectively, led RiskIQ to coin the term Magecart for a specific kind of cyberattack, and as a qualifier for groups that learned to specialize in them.

Between 2017 and 2018, over 800 e-commerce stores worldwide succumbed to Magecart. Thousands more, since, have become victims of the same technique — and according to Cyberpion, there is a substantial number of popular digital commerce domains that are still vulnerable to exploitation.

Magecart attacks occur when a third-party software vendor, content management system (CMS), or domain function is compromised, often through vulnerabilities and credential-stuffing attacks.

Once an e-commerce service has been breached, JavaScript code is quietly injected into a payment portal page that can skim details input by a customer, including card data, which is then sent to the attacker’s command-and-control (C2) server for purposes including card cloning, fraudulent purchases, and potentially ID theft.

In this way, a breach can last days, months, or even years before discovery. When major retailers are targeted, millions of customer records can be exfiltrated in short timeframes.



Variations of modern Magecart attacks include the use of homoglyphs and APIs designed to check for the presence of virtual machines (VMs) to avoid sandboxing and reverse-engineering efforts by researchers.

At Black Hat Europe recently, Cyberpion CEO Nethanel Gelernter told attendees that there is no “simple solution” to tackling Magecart threats.

Over the past few years, a detailed analysis conducted by the cybersecurity firm has revealed that “tens of thousands of vulnerable assets” belonging to e-commerce, enterprise firms, and government entities exist online — many of which could be targeted by a Magecart-style threat actor.

Cyberpion has recorded over 30,000 vulnerable assets during online scans, including those operating on both top-level and sub-level domains.

Gelernter described several real-world cases of Magecart abuse during the presentation. The first, impacting one of the largest retailers in the United States — albeit unnamed — was caused by misconfigurations in a marketing performance platform.

Once informed of the issue, the vendor fixed the security problem immediately. However, in a separate case, countless customers were also potentially impacted — and the response to disclosure was different, to say the least.

When an advertising agency network, said to be one of the largest in existence, had a platform misconfiguration permitting a Magecart compromise, the researchers rapidly informed the company. The problem was patched, but to Cyberpion’s knowledge, the customer base was never told.

The cybersecurity firm has met with some, but not total, success in reporting Magecart-vulnerable systems, and as of October 8, over 15,000 assets are still exposed — with new issues appearing daily.

Cyberpion has created a list of active, ongoing Magecart campaigns and detected, vulnerable assets, so organizations can check to see if they are in the firing line. Over 1,000 domains in the Alexa Top 10,000 across sectors including banking, insurance, health, telecoms, and manufacturing are included and considered vulnerable.

According to Gelernter, the challenge in containing Magecart is vast. While software updates, vulnerability patching, and Content Security Policies (CSPs) can be critical to maintaining a strong security posture, traditional cybersecurity solutions may not cut it alone.

Instead, domain owners must also monitor the behavior of third-party assets to become aware of anomalies that could represent a Magecart infection.
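As an illustration of that kind of monitoring (an added example, not code from Cyberpion or the presentation), the sketch below audits the script tags on a payment page against a baseline of expected hosts. It flags hosts outside the baseline, internationalized hosts where homoglyph lookalikes can hide, and third-party scripts loaded without a Subresource Integrity attribute. The host names, baseline and sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed baseline: hosts this hypothetical shop expects on its payment page.
BASELINE_HOSTS = {"shop.example", "cdn.payments.example"}

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs)

def is_idn_host(host):
    """True for non-ASCII or punycode hosts, where homoglyph lookalikes hide."""
    return not host.isascii() or any(p.startswith("xn--") for p in host.split("."))

def audit_page(html, page_host, baseline=BASELINE_HOSTS):
    """Return sorted (host, finding) pairs for script tags that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = set()
    for attrs in collector.scripts:
        host = (urlsplit(attrs["src"]).hostname or page_host).lower()
        if is_idn_host(host):
            findings.add((host, "idn-host-review"))
        if host not in baseline:
            findings.add((host, "host-not-in-baseline"))
        elif host != page_host and not attrs.get("integrity"):
            findings.add((host, "third-party-without-sri"))
    return sorted(findings)

# Constructed sample page; \u0430 is Cyrillic "a", a homoglyph of Latin "a".
SAMPLE = """<html><body><form id="pay"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/v2/sdk.js"></script>
<script src="https://cdn.p\u0430yments.example/v2/sdk.js"></script>
</body></html>"""

if __name__ == "__main__":
    for host, finding in audit_page(SAMPLE, "shop.example"):
        print(f"{finding:24} {host}")
```

Run on a schedule against the rendered payment page, a change in the findings between runs is the anomaly worth investigating.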

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets. 
