Magecart is a type of fraud where transaction data is intercepted during the checkout of an online store. Magecart is also known as digital skimming, e-skimming or form jacking.
Magecart does not refer to a particular criminal organization, as some media suggest. There simply isn't a single actor or group responsible for this fraud.
How does Magecart work?
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is nearly impossible to trace the thieves.
In short: attackers gain access to a store's code by exploiting unpatched flaws in popular e-commerce software. Once a store is under the control of a perpetrator, a wiretap or keylogger is installed that funnels live payment data to a collection server. This wiretap operates transparently for both customers and the merchant, so neither notices anything. Skimmed credit cards are then sold on the dark web for $5 to $30 each.
Several media have misinterpreted or sensationalized the concept, and use Magecart to refer to a criminal organization. This is not correct: Sansec estimates that at least a hundred individuals are engaged with Magecart fraud. There are no indicators that suggest most of these individuals are organized or affiliated.
Another misconception is that Magecart concerns only credit card theft that takes place in the customer's browser. The interception can just as easily happen on the server, in the store's own code. Because the server-side method is typically not visible from the outside, and most vendors sell browser-side monitoring only, they tend to promote a limited perspective of the fraud. See also flavors below.
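The server-side variant cannot be seen by anyone scanning the storefront, so the corresponding check has to run on the server itself. The following is an added example, not Sansec's tooling or any product's code: it takes a SHA-256 baseline of a store's code files and then reports every file that was modified, added or removed since the baseline. The directory layout and file contents are constructed for the demonstration, and the `extensions` filter is an assumption about which files carry executable store code.

```python
"""File-integrity baseline for a store's code base (server-side check).

Added example, not Sansec's tooling. The directory tree, file contents and
simulated tampering below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def hash_tree(root, extensions=(".php", ".phtml", ".js")):
    """Return {relative_path: sha256_hex} for every code file under root.

    The extension list is an assumption about which files can carry store code.
    """
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify changes relative to the baseline as modified, added or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a toy store tree, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "code", "Payment"))
        os.makedirs(os.path.join(root, "pub", "static"))
        with open(os.path.join(root, "app", "code", "Payment", "Cc.php"), "w") as fh:
            fh.write("<?php\nclass Cc { function assign($data) { return $data; } }\n")
        with open(os.path.join(root, "pub", "static", "checkout.js"), "w") as fh:
            fh.write("console.log('checkout');\n")
        baseline = hash_tree(root)

        # Constructed tampering: the payment class gets an extra line appended and
        # an unexpected file appears under a static directory. Only the hashes
        # matter to the check; the contents are placeholders.
        with open(os.path.join(root, "app", "code", "Payment", "Cc.php"), "a") as fh:
            fh.write("// appended line\n")
        with open(os.path.join(root, "pub", "static", "cache.php"), "w") as fh:
            fh.write("<?php // dropped file\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline is taken from a known-clean deployment (or regenerated from version control on every release) and stored off the web server, so an attacker who can write to the code base cannot also rewrite the baseline.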
The first Magecart-like attacks were observed as early as 2010. However, the first mass-executed Magecart attack, affecting thousands of stores, was reported in 2015 by Sansec. The term Magecart was coined a year later by RiskIQ in 2016. The name does not refer to mages but is rather a contraction of Magento and shopping cart.
Magento is a popular open-source e-commerce platform that is used by hundreds of thousands of stores around the world. After the serious Shoplift vulnerability (addressed by Magento patch SUPEE-5344) was disclosed, Magento became a big target for Magecart attacks in 2015. Sansec observed over three thousand compromised Magento stores in December of that year.
In the following years, the number of compromised stores grew quickly. As of 2020, Sansec has identified over 50,000 compromised stores that contained a digital skimmer at some point in time, and more than 100,000 stores were affected if you include the stores that suffered a supply chain attack (see below).
Sansec has collected samples of over 200 different Magecart malware families, and new ones are added every week. See our meta classification in this diagram:
Front-end Magecart malware often injects a keylogger into an existing checkout or payment form. However, the PCI council has been urging merchants to use an external payment form hosted by a payment service provider (PSP), and many merchants have done so. These external forms are harder to compromise and attackers usually don't even bother. It is much easier for an attacker to inject a fake payment form into the checkout flow, before the customer is redirected to the external payment form. Once the customer completes the fake payment form, they are redirected to the legitimate form and the purchase completes normally, so nothing looks wrong.
Supply Chain Attack
The jackpot of Magecart fraud is the supply chain attack. The Internet offers many services that can be embedded in a store, such as a marketing tool or a cookie consent button. When a criminal manages to break into such a service, they immediately gain full control over every site that embeds it, and a single modification to the service reaches all of those sites at once.
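Both the fake-form trick described under the front-end flavor and an unexpected third-party embed leave traces in the checkout page's HTML, so one practical check is to audit that HTML against an allowlist. The following is an added example, not code from the original page or from Sansec: it lists external script origins that are not on the store's allowlist (which doubles as the inventory of third parties a supply chain compromise would hit) and flags any form that collects card fields but posts somewhere other than the PSP's hosted form. The hostnames, allowlists, field-name hints and the two sample pages are all constructed for this demonstration.

```python
"""Static audit of a checkout page for form-jacking and unexpected third parties.

Added example (not Sansec's or any product's code). All hostnames, allowlists,
field-name hints and the sample HTML below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlists for a store served from shop.example.
# An empty host means a relative URL, i.e. served by the store itself.
FIRST_PARTY_HOSTS = {"shop.example", ""}
TRUSTED_THIRD_PARTY_HOSTS = {"cdn.example-analytics.com"}
# The only hosts a form collecting card data may post to: the PSP's hosted form.
PSP_HOSTS = {"pay.psp.example"}
# Heuristic (assumption): input names containing these fragments are card fields.
CARD_FIELD_HINTS = ("card", "cvv", "cvc", "ccnum")


class CheckoutPageParser(HTMLParser):
    """Collects external script sources and forms (action + input names)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def host_of(url):
    """Hostname of an absolute or scheme-relative URL; '' for a relative path."""
    return urlparse(url).netloc.lower()


def looks_like_card_form(fields):
    """True if any input name on the form looks like a card-data field."""
    return any(hint in field for field in fields for hint in CARD_FIELD_HINTS)


def audit_checkout(html):
    """Return (finding, detail) tuples for anything outside the allowlists."""
    parser = CheckoutPageParser()
    parser.feed(html)
    findings = []
    for src in parser.scripts:
        host = host_of(src)
        if host not in FIRST_PARTY_HOSTS and host not in TRUSTED_THIRD_PARTY_HOSTS:
            findings.append(("unknown_script", src))
    for form in parser.forms:
        # Card data is only ever supposed to go to the PSP's hosted form, so a
        # card-collecting form on the store's own page (the fake-form trick) or
        # one posting to any other host is reported.
        if looks_like_card_form(form["fields"]) and host_of(form["action"]) not in PSP_HOSTS:
            findings.append(("card_form_to_untrusted_host", form["action"] or "(same page)"))
    return findings


# Constructed sample: one script from an unknown third party, plus a fake
# payment form posting to a look-alike host before the customer reaches the PSP.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://static.cookie-banner.example/consent.js"></script>
<form id="billing" action="/checkout/billing" method="post">
  <input name="firstname"><input name="email">
</form>
<form id="payment" action="https://checkout-secure.example/collect" method="post">
  <input name="cardnumber"><input name="cvv"><input name="expiry">
</form>
</body></html>
"""

# Constructed sample of the expected state: only allowlisted scripts, and the
# card form hands off to the PSP's hosted page.
CLEAN_CHECKOUT_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<form id="billing" action="/checkout/billing" method="post">
  <input name="firstname"><input name="email">
</form>
<form id="payment" action="https://pay.psp.example/hosted" method="post">
  <input name="cardnumber"><input name="cvv">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_CHECKOUT_HTML):
        print(*finding)
    print("clean page findings:", audit_checkout(CLEAN_CHECKOUT_HTML))
```

This catches the static variants only. A skimmer added at run time by an already-loaded script, or a fake form that exfiltrates via script rather than a form action, only shows up when the page is rendered in a real browser, so a production version of this check should feed it the DOM after load and re-run it on every deploy and on a schedule, since a compromised third party changes its payload without the store deploying anything.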
Magecart attack stages
There are three stages in the anatomy of a Magecart attack. First, the attacker needs to gain access to the store's code. Second, the attacker needs to actually intercept transaction data, using an interceptor program. Third, the intercepted data has to be sent to, and later retrieved from, a collector program. Each of these stages comes in different flavors with its own modus operandi.