Magecart attack: All you need to know

Sammed AkiwateCyber Security

Magecart attack: All you need to know
Magecart attack: All you need to know

Magecart attack: All you need to know

According to a recent Kaspersky report, India saw an increment of 37% in the number of cyber attacks in Q1 2020, as compared to Q4 2019. While the ongoing COVID-19 pandemic has increased our dependence on internet-enabled services, threats have not stayed behind. In the last six months or so, many online platforms have become popular. We have also seen the emergence of new platforms for providing various services. Such platforms, typically called as e-commerce platforms, allow users to pay via cash on delivery or through different payment methods. These payment methods include UPI, wallets, debit/credit card, internet banking, etc. To make a payment using any of these methods, a user has to enter some personal information such as UPI address or card number during the payment process. This is precisely where Magecart attackers set their target.

What is Magecart?

Put plainly, Magecart is a group of hackers who target online shopping carts based on the Magento system. The reason behind this is simple: carts process payment card information of customers. This type of attack is known as a supply chain attack. Attackers compromise a third-party tool whose code remains unknown to an organization’s security team. It has been in operation since 2016 and so far, it is responsible for data breaches at Ticketmaster, British Airways, Newegg, and Forbes Magazine, among others.

How does Magecart work?

Magecart attackers capture data using techniques such as digital skimming or form jacking. In digital skimming, attackers use third-party malicious code for collecting payment card data. Similarly, attackers inject JavaScript code to take over the functionality of a form page that collects payment data in formjacking.

Generally, Magecart attackers replace the original JavaScript code with a malicious code which is very difficult to spot. They either make changes to the Magento source code or use a page redirecting mechanism to inject malware in host websites. Researchers have identified more than 40 such malicious code injections which have the potential to steal data. To spot the difference between the original code and modified code, line by line comparison is necessary. Magecart attacks are often difficult to detect as attackers inject their malicious code in scripts which are trusted by default by security tools.

Evolution of Magecart

A RiskIQ and Flashpoint report found that at least six hacking groups that are actively involved in developing different versions of Magecart malware. Each hacking group has a distinct code and signature. Researchers observed multiple improvements introduced by attackers in this malware family. These improvements are:

  • Magecart attackers have started to target new plug-ins, apart from Magento.
  • Attackers are using a new method for infecting advertising banners on websites. They place Magecart code on a web server and when a user views the infected ad in their browser, the malicious code downloads on their computer.
  • Instead of spraying malware, Magecart attackers are leveraging social engineering techniques to study their targets’ IT infrastructure.

Prominent Magecart attacks

  1. Trickmaster: Trickmaster utilized a custom-built payment module from Inbenta. Attackers were able to place malicious code in Inbenta services, and the attack remained undetected for five months. As a result of this attack, payment card details of 40,000 customers were stolen.
  2. British Airways: British Airways lost close to $230 million due to a successful Magecart attack. The attackers were able to steal payment card details of 380,000 customers. The injected code collected payment card information as soon as a user clicked on the Submit button.
  3. Forbes Magazine: Forbes Magazine collected phone numbers and addresses of subscribers, apart from payment card details. A security researcher reported that Forbes had become a victim of Magecart attackers, but detailed information was never shared.
  4. Newegg: It took five days for Newegg to spot the infected code on their website. The attackers collected payment card details of more than 500,000 customers.
  5. Shoppers Approved: Many websites use third-party widgets such as Shoppers Approved for gathering reviews and ratings. Shoppers Approved has thousands of customers that use its services. However, the investigation revealed that only a small percentage of customers were affected.

How to prevent Magecart attacks?

  • Use content security policy (CSP) and sub-resource integrity (SRI) to control where scripts get loaded.
  • Regularly audit the existing code for changes and updates.
  • Conduct risk management for third-party widgets, applications, and tools.
  • Closely monitor the communication of third-party tools with external domains.


A successful series of Magecart attack reveals how attackers continue to target different attack vectors. Instead of weeks and months, organizations should be able to detect changes in their source code within a matter of a few seconds. It is high time that e-commerce platforms and associated service providers step-up their security measures to detect threats in real-time. Moreover, for service providers whose customer base is in thousands and millions, they cannot have a lacklustre attitude and wait for security incidents to occur. They must adopt proactive measures to ensure that security incidents are detected in real-time with minimum impact on their services.

Interested in contributing to our blog and knowledge base? Write to us at and elaborate on how you can help us in creating a safer cyber space.

Featured Image Credits: Business photo created by freepik –