Tuesday 7th December 2021

BLOG: What is Magecart/E-Skimming?

Magecart is a commonly used name for loosely affiliated groups that use digital skimming or e-skimming techniques, to steal customer data. Magecart is a tactic used by threat actors who target online shopping cart systems, usually the e-commerce Magento system, to steal sensitive customer payment card information.

Magecart cyber-attacks utilise the browser-level unrestricted access to sensitive data and the lack of control over the JavaScript code executed by a website in the browsers. Magecart attacks take sensitive data. Online skimming is more effective because it is harder to detect and it is near impossible to trace the thieves.

Magecart E-skimming Black Friday

Reports show that Magecart attacks accelerate mostly during Black Friday, Cyber Monday and even extend to around and after the Christmas period. It is usually small and medium-sized organisations that fall victim to skimming attacks. Despite these reports, it is not unheard of for large organisations to succumb to skimming attacks, organisations and large businesses such as Macy’s, Ticketmaster, American Cancer Society, P&G’s First Aid Beauty, British Airways, Newegg, and more have reported digital skimming breaches over the last few years.

Ticketmaster was fined £1.25m in 2018 by The Information Commissioner’s Office after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been compromised by criminals. The breach began in February 2018 and was not detected until April 2018, when Monzo realised one of their customers’ cards had been compromised after being used on Ticketmaster’s website. The customer had entered an incorrect card expiry date and the very next day, it was used for a fraudulent transaction but with the same incorrect expiry date, revealing whoever was using it had lifted the details from Ticketmaster. Ticketmaster’s decision to deploy a Javascript-powered chatbot on their website payment pages provided cybercriminals with an easy way to compromise, which ultimately was the reason the ICO used against Ticketmaster in its decision to award the fine.

Ticketmaster confessed that 9.4 million people’s data was “potentially affected” of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced, alongside this Ticketmaster admitted they are unsure how many people were affected between 25 May and 23 June 2018.

In early October 2019, Macy’s experienced a magecart data breach. Their website was compromised in and a malicious script was embedded in the ‘My Wallet’ and ‘Checkout’ pages. If payment information was sent through those pages at the time they were compromised, customer information and credit card data was also sent to the cybercriminals. A few months later, Smith & Wesson fell victim to a magecart incident, their online store was compromised by attackers who injected a malicious script that attempts to steal customers’ payment information.

2019 seemed to have a large increase in magecart incidents as Malwarebytes revealed that it had detected and blocked over 65,000 attempts to steal credit card information from online stores compromised in a Magecart attack during July 2019.

Numerous organisations conduct transactional business with their customers online through their websites. These websites host pages that require customers to enter information are and it is, common to find sensitive customer data on almost every businesses website. Threat actors can gain access to a store’s source code using unpatched software flaws in various popular e-commerce software. 

Third-party scripts are often used to implement business-driven functionalities and features. Modern web development makes the use of third-party controlled scripts very common and unavoidable. These scripts can leave many organisations vulnerable to skimming attacks. Attackers add skimming code directly or side-load it through first- or third-party scripts that are used by the targeted website.

Most skimming attacks are discovered after weeks or months in operation. Successful skimming tends to count on one or more weaknesses on either the target website being exploited or third-party code that is loaded by the target website.

When an attacker finds a method to infiltrate the system, they will install a skimming code that will have open access to form fields that process the target data. Skimming code records user input and then sends it to an external command and control server that is controlled by the attacker. To detect skimming attacks, commonly exploited code vulnerabilities need to be uncovered

To understand how Orpheus Cyber can help with protection against cyber threats like this through the use of our platform to understand cyber risks at a strategic, operational and tactical level, click here.

Read our latest whitepaper ‘A Guide To Threat Actors’

Get our latest cyber intelligence insights straight into your inbox every week

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.