What is Magecart?

The complete and definitive guide to the Magecart fraud. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?

Magecart definition

Magecart is a type of fraud where transaction data is intercepted during the checkout of an online store. Magecart is also known as digital skimming, e-skimming or form jacking.

Magecart does not refer to a particular criminal organization, as some media suggest. There simply isn’t a single actor or group responsible for this fraud.

How does Magecart work?

Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.

In short: hackers gain access to a store’s source code by exploiting unpatched flaws in popular e-commerce software. Once a store is under the control of a perpetrator, a wiretap or keylogger is installed that funnels live payment data to a collection server. This wiretap operates transparently for both customers and the merchant. Skimmed credit cards are then sold on the dark web for $5 to $30 each.

Magecart myths

Several media have misinterpreted or sensationalized the concept, and use Magecart to refer to a criminal organization. This is not correct: Sansec estimates that at least a hundred individuals are engaged with Magecart fraud. There are no indicators that suggest most of these individuals are organized or affiliated.

Another misconception is that Magecart concerns only credit card theft that takes place in the browser of a customer. The interception can just as easily happen on the server. Because the latter method is typically not visible from the outside, and most companies sell browser solutions only, they tend to promote a limited perspective of the fraud. See also flavors below.

Magecart history

The first Magecart-like attacks were observed as early as 2010. However, the first mass-executed Magecart attack, affecting thousands of stores, was reported in 2015 by Sansec. The term Magecart was coined a year later by RiskIQ in 2016. The name does not refer to mages but is rather a contraction of Magento and shopping cart.

Magento is a popular open-source eCommerce platform that is used by hundreds of thousands of stores around the world. After a serious vulnerability called Shoplift (SUPEE 5344) was discovered, Magento became a big target for Magecart attacks in 2015. Sansec observed over three thousand compromised Magento stores in December of that year.

In the following years, the number of compromised stores grew quickly. As of 2020, Sansec has identified over 50.000 compromised stores that contained a digital skimmer at some point in time. More than 100.000 stores were affected if you include the stores that suffered a supply chain attack (see below).

Magecart flavors

Sansec has collected samples of over 200 different Magecart malware families, and new ones are added every week. See our meta classification in this diagram:

The most important distinction between the various Magecart flavors is the location of the interceptor: front-end (JavaScript) or back-end (usually PHP).

For front-end Magecart, the malware is typically injected into the HTML/JavaScript source code. This can either happen in HTML/JS files that belong directly to a store (and are hosted on the same domain as the store), or the malware can be injected into third-party services. The latter is called a Supply Chain Attack (see below).

Front-end Magecart malware often injects a keylogger into an existing checkout or payment form. However, the PCI council has been urging merchants to use an external payment form from a payment service provider (PSP), and many merchants have done so. These external forms are harder to compromise, and attackers usually don’t even bother. It is much easier for an attacker to inject a fake payment form into the checkout flow, before the customer is redirected to the external payment form. Once the customer completes the fake payment form, s/he is redirected to the legitimate form.

Supply Chain Attack

The jackpot of Magecart fraud is called a Supply Chain Attack. The Internet offers many services that can be embedded in your store, such as a marketing tool or a cookie consent button. When a criminal manages to break into such a service, s/he has immediate and full control over all the sites that embed this service.

Magecart attack stages

There are three stages in the anatomy of a Magecart attack. First, an attacker needs to gain access to a store’s computer code. Second, the attacker needs to actually intercept transaction data, using an interceptor and a collector program. Each of these has different flavors and modi operandi.

Sansec forensic experts were the first to document digital skimming in 2015. Since then, we have investigated thousands of hacked stores. Our research into the latest attack vectors protects our customers around the world. Our anti-skimming technology and data are used by merchants, forensic investigators, financial anti-fraud teams and service providers.
