Published: 21/09/2022


Magecart is a form of malware that infects online stores and eCommerce platforms.

It is one of the most common ways for hackers to steal customers’ credit card information: they add unique scripts to the source code of pages with payment sections, such as the Checkout or Order Confirmation page. This allows them to steal credit card data while it’s being entered into web forms, and it also allows them to collect the data even if you never submit your order.

The malicious code is typically hidden within an HTML comment, so that it appears benign when placed in the source code. It is designed to read information entered into payment forms on checkout pages and then quickly send this data back to a remote computer controlled by hackers for recording and later use.

How Magecart works

When you visit an infected site, Magecart software scans your browser for any payment forms on the page and identifies when a credit card number is entered into one of these fields. The attacker can then access this data through JavaScript that collects it in real-time:

  • The first step of the process involves a program called a skimmer, which is designed to collect any user credit card information.
  • The second step involves another type of program, known as a Form Grabber, that resides in the website’s database directly or via JavaScript. This component can collect data like names, addresses, social security numbers and payment details (credit card number, expiration date, CVV).

In most cases, Magecart malware is injected into a site with an attack known as DNS hijacking. Since this particular attack occurs at a low level within a server network infrastructure configuration, it often goes undetected for quite some time before being identified by analysts. It works by diverting traffic from legitimate servers into spoofed ones controlled by attackers. Once redirected, Magecart is very difficult to detect because it looks like normal web traffic.

Magecart attack stages

A Magecart attack can go through three stages:

  • Compromise – How do they initiate an attack? In order to load the malicious skimmer code into a site, hackers need first to compromise it. This typically involves exploiting flaws in outdated and unpatched software or other vulnerabilities on the server-side of things. Once access has been obtained, attackers are able to inject their JavaScript into any page using their new level of permission, including checkout pages.
  • Targeting – How do they target users? Hackers targeting online stores will install malware onto store-owned computers for better control over credit card information. If this is not possible, however, they might simply look for ways into your bank account directly. To achieve this they might attempt to hack your email, social media accounts or mobile app. The more data a hacker can obtain on an individual user the better the chance that they will successfully steal credit card information.
  • Data Collection – How do attackers get credit card details? As soon as customers enter their payment information into any page on an infected site, Magecart malware stealthily runs in the background and collects it as it appears in real time. This allows hackers to collect all of the details needed for identity theft and fraudulent transactions even when users don’t complete checkout pages. This also gives them access to things like addresses and phone numbers, which are useful later for phishing attacks. It should be noted that this only occurs if you are using the Chrome browser and JavaScript is enabled.

How to prevent Magecart attacks

As attacks get more sophisticated, it’s important for businesses to stay ahead of the curve by understanding how and why they occur. By taking a proactive approach to securing their business networks, companies can better protect against threats like Magecart that may go undetected for months.

Keep your site updated

Always check the latest version of a web application before you install it. This is the only way to be sure that you have installed the latest patches and security fixes for any bugs which might compromise your website.

Use HTTPS encryption when transmitting sensitive information

All of your site traffic should be encrypted, which means all payment and login pages need to use HTTPS, as well as all content pages (blog/instructions) where users enter their credentials, e.g., username/password, credit card number, etc. The certificate used for signing this traffic must match what you are using on your server-side too! Google will soon start penalizing sites with outdated certificates and eventually they will completely remove them from the search results. This means users who click on your site via Google may end up on a phishing page instead, which could be very bad.

Use proper authentication techniques

You should be using strong encryption and proper authentication mechanisms to protect your sensitive information. There are different types of encryption (including AES-256) but it’s hard to say which is best in terms of security because they all have pros and cons with certain use cases. For instance, when you manage multiple server environments (Dev/Test/Production) it can be difficult to keep track of what version is running where but if you’ve set these up properly it shouldn’t matter too much as long as they are configured identically across all environments. When configuring your passwords you should at least be using something like bcrypt or scrypt and perhaps a salted hash with a ridiculously high-cost parameter (e.g., 32 bytes). An alternative would be to use an authentication module like “Google Authenticator” which does not require users to remember their login credentials in order to log in thereby reducing the likelihood of cyberattacks involving brute force password guessing.

Check your website for malicious code

It’s always good practice to have an independent security firm check your website for malicious code. You can also scan your site yourself using “Google’s Safe Browsing diagnostic tool”, which is a free service that allows you to check if your site has been blacklisted by Google, Yahoo or Bing.
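One way to run such a self-check on a checkout page, as an added example that is not from the original article or from Netacea: it inventories every script on the page and reports external scripts from hosts outside an allowlist and inline scripts whose hash has not been reviewed. The host names, the allowlist, the baseline and the sample page are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this hypothetical shop deliberately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

class ScriptInventory(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._open = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._open = not src  # no src attribute means an inline script
            (self.external if src else self.inline).append(src or "")

    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data  # script text can arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_checkout(html, page_host, reviewed_inline_hashes):
    """Return findings for scripts that are off-allowlist or unreviewed."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname or page_host  # relative URL: own host
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected-script-host", src))
    for body in inv.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in reviewed_inline_hashes:
            findings.append(("unreviewed-inline-script", digest[:12]))
    return findings

# Constructed sample checkout page and baseline (not taken from a real site).
BASELINE = {hashlib.sha256(b"initCheckout();").hexdigest()}
SAMPLE = """<form id="payment"><input name="cc"></form>
<script src="/static/checkout.js"></script>
<script>initCheckout();</script>
<script src="https://stats.unknown.example/a.js"></script>
<script>var extra = 1;</script>"""
```

Calling `audit_checkout(SAMPLE, "shop.example", BASELINE)` reports the script from the unapproved host and the inline script that is missing from the baseline; running the same audit on a schedule against the live checkout page turns a silent injection into a visible change.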

Use an application firewall

An application firewall can help block many types of attacks by monitoring traffic as it travels from one computer to another on the Internet. It can also monitor internal file transfers to prevent unauthorized data leakage from your private network via FTP or email. This is only one layer of protection so it’s still important to have other security measures in place, but application firewalls are helpful because they provide a lot of insight into what type of traffic is moving through your network and the destination addresses where it’s going.

Frequently asked questions about Magecart

What are the dangers associated with Magecart?

There is a new wave of cyberattacks that are targeting e-commerce sites and payment information. Magecart attacks occur when hackers inject malicious code into your web application in order to steal credit card or personal information entered on your website. In this type of attack, the victim can be the merchant (if they run an online store) or anyone using their website to make purchases or collect sensitive data (email addresses, passwords, etc.).

Why don’t traditional cybersecurity tools stop Magecart attacks?

Magecart attacks can be difficult to detect since the hackers often use very sophisticated techniques like SSL encryption to disguise their activities. An application firewall is designed specifically to help you identify and prevent suspicious activity from occurring on your website(s). When configured correctly, these measures could stop an otherwise successful Magecart attack.

How do I know if my website has been attacked?

Physically inspecting your computer for a virus is not always enough because they now come in the form of a short code that is injected into your machine’s memory and only runs when certain conditions are met. Injected code is also too small to trigger antivirus software or firewalls so it usually requires an expert to find them. You may see performance slowdowns or your website suddenly go offline. If you see suspicious activity on your site or in the logs, like hundreds of failed login attempts from a few different IP addresses, that could be a sign that someone has planted code on your site.

How long do Magecart attacks last?

When properly implemented with an application firewall and other security measures such as SSL encryption, Magecart attacks are short-lived because they are designed to work quickly before they get detected or blocked by security software. However, when hackers get into your network and access your site as a ‘regular’ visitor, it could take weeks or months before you notice the damage they have done.

How do Magecart hackers get in?

There are many ways that hackers can break into your network, but most often it involves phishing attacks or installing malicious software directly onto a computer or server. For example, malware can be installed on the victim’s device through a ‘drive-by’ download when they visit an infected website. Hackers target vulnerable websites by injecting malicious code into them via the website’s login page and payment system, as well as any other pages where credit card information is entered. The website owner doesn’t even know what happened until they start to see suspicious activity.

Magecart attacks are also now perpetrated by hackers using rogue wireless hotspots in public places, such as restaurants and coffee shops, that offer Wi-Fi connections. If a victim connects to the hotspot and logs into their banking account or accesses any other private information on their device, hackers can steal that data even when they are not connected to the Internet.

Why don’t traditional cybersecurity tools stop Magecart attacks?

The Magecart hackers have figured out how to get around your cybersecurity tools. A typical attack begins with hackers gaining access to a website’s server, which allows them to modify the site before it reaches your devices. Because of this, standard solutions like firewalls and IDS/IPS fail to recognize that anything is amiss because they are not looking at the right places in your system. An application firewall detects attacks on every page visited by the customer so you can take corrective action immediately without having to wait for an alert from a different security tool.
