Magecart Early Breach Detection Feed

Sansec operates a crawler network that monitors hundreds of thousands of global stores for signs of Magecart (skimming) attacks. This produces near-realtime visibility in the global attack landscape, and enables us to monitor emerging attacks at a very early stage. It also gives us unique insights in the infrastructure that is used to operate skimming networks.

The crawler network has been operational since 2015. Since then, Sansec has identified more than 60 thousand stores with skimming malware.

The Sansec Early Breach Detection Feed (SEBDEF) is licensed to PSPs, PFIs, LE and financial institutions. Please contact us to discuss how your organization would benefit from our unique data.

The SEBDEF data is exposed in two ways:

1. Daily delta update push per mail
2. Delta querying via API endpoint (JSON)

Data format

SEBDEF data contains sets of detections within a given time range. A detection is a status change for a particular domain (has malware: yes/no). Furthermore, each detection has:

• The parent domain name, with approximate Alexa rank.
• Platform & version of the detection ecommerce platform, if available.
• Zero or more signature matches, each with:
  • The specific URL that contained the malware indicator and was referenced from the parent site.
  • A confidence value 1-100. Anything below 90 is low-confidence and may concern a false positive.
  • The relevant code snippet that triggered our heuristic.

Email reporting

Please add "@sansec.io" to your trusted senders, as email messages with malware references may get blocked by some mail gateways.

You will receive a daily text report for the previous 24h.

API polling

If your license covers API access, we will send you API credentials and usage instructions separately.

Please direct implementation assistance requests to [email protected].