The Magecart Menace: Thousands of E-commerce Sites Hit by E-skimming Attacks

Bottom Line Up Front: Magecart infections skyrocketed by 103% in just six months, with cybercriminals targeting thousands of e-commerce websites through sophisticated digital skimming techniques that steal customer payment data directly from checkout pages.

The digital shopping landscape faces an escalating threat that strikes where businesses are most vulnerable. A new report on payment card fraud shows that a Magecart e-skimmer infected nearly 10,000 unique eCommerce domains at any point during 2022. However, recent data reveals the problem has intensified dramatically, with attacks reaching unprecedented levels in 2024.

Magecart attacks represent a form of digital theft that targets online retailers by injecting malicious code into their websites. The name “Magecart” refers to several hacker groups that employ online skimming techniques for the purpose of stealing personal data from websites—most commonly, customer details and credit card information on websites that accept online payments.

These attacks affect organizations of all sizes. While the big names make the news, the majority of Magecart attacks are focused on small- and medium-sized organizations with 50 to 1000 employees.

Understanding the E-skimming Attack Method

E-skimming attacks work by compromising the checkout process that millions of customers trust daily. A Magecart attack is a type of cyberattack that targets ecommerce sites by injecting malicious code into checkout pages, allowing threat actors to “skim” the credit card details users enter into the HTML form.

The attack process follows a predictable pattern. Criminals inject malicious JavaScript code into e-commerce websites, typically targeting payment forms where customers enter sensitive information. This code captures credit card numbers, expiration dates, CVV codes, and personal details before sending them to servers controlled by attackers.

Furthermore, these attacks exploit the trust customers place in legitimate websites. E-skimming attacks take place directly inside the user’s browser, which is outside the organization’s security perimeter and hence outside its security operations coverage.

Financial motivation drives this criminal activity. If threat actors collect between 130 and 160 cards per month from each of their infected websites and then sell them at an average price of $15 per compromised card, they could easily earn between $1,950 and $2,400 per month per infected website.

Recent Attack Surge Raises Alarm

The scale of recent Magecart campaigns has reached concerning levels. The most striking revelation came in raw numbers: Magecart infections skyrocketed by 103% in just six months. This dramatic increase reflects the growing sophistication and reach of cybercriminal operations.

Security researchers have documented massive campaigns affecting thousands of websites simultaneously. RiskIQ revealed that the Magecart group had compromised many more third-party web suppliers than was previously reported, with some attacks impacting over 17,000 domains through compromised Amazon S3 buckets.

Exploitation of recent vulnerabilities has amplified the threat. CosmicSting (CVE-2024-34102 and CVE-2024-2961) was one of the most widespread attacks of the year, impacting 75% of Adobe Commerce and Magento platforms and compromising thousands of e-commerce websites.

Additionally, criminals have developed new tools to lower barriers to entry. Between March and July 2024, threat actors used Sniffer By Fleras to infect at least 488 e-commerce websites, demonstrating how commoditized attack tools are expanding the threat landscape.

Evolving Attack Techniques

Modern Magecart attacks have evolved beyond simple code injection techniques. Actors continue to move away from the injection of e-skimmer URLs directly into websites, opting for loader scripts that deobfuscate the e-skimmer URL upon execution.

Attackers now exploit trusted third-party services to avoid detection. In 2024, attackers heavily exploited trusted third-party services such as Google Tag Manager (GTM) to deploy skimming codes. This approach makes malicious activity harder to identify since it appears to come from legitimate sources.

Supply chain attacks have become increasingly common. One of the more alarming events in 2024 was the compromise of a commonly used open-source JavaScript library hosted on the Polyfill domain, which exposed thousands of websites to malicious code through a trusted resource.

The sophistication extends to evasion techniques. According to Malwarebytes, the Magecart software has tried to avoid detection by using the WebGL API to check whether a software renderer such as “swiftshader”, “llvmpipe” or “virtualbox” is used, helping attackers avoid security analysis tools.
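
A defender-side triage of the traits described in this section, as an added example (not from the original article or from any vendor's tooling): it flags script source that decodes a string and creates a script element, and source that queries the WebGL renderer alongside the sandbox renderer names quoted above. The rules, verdict names and sample snippets are constructed assumptions.

```javascript
// Added example: static triage of script source for the loader and
// sandbox-evasion traits described above. Rules and samples are constructed.
const RENDERERS = ["swiftshader", "llvmpipe", "virtualbox"]; // names quoted in the article

const RULES = [
  { id: "decodes-string", re: /\batob\s*\(|String\.fromCharCode/ },
  { id: "creates-script", re: /createElement\s*\(\s*["']script["']\s*\)/ },
  { id: "webgl-renderer-query", re: /WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL/ },
];

function triageScript(source) {
  const hits = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  const lower = source.toLowerCase();
  const renderers = RENDERERS.filter((name) => lower.includes(name));
  // Loader trait: a string is decoded and a script element is created.
  const loader = hits.includes("decodes-string") && hits.includes("creates-script");
  // Evasion trait: the GPU renderer is queried and sandbox names appear.
  const evasion = hits.includes("webgl-renderer-query") && renderers.length > 0;
  const verdict = evasion ? "escalate" : loader ? "review" : "ok";
  return { verdict, hits, renderers };
}

// Constructed snippets standing in for scripts collected from a checkout page.
const SAMPLES = {
  analytics: `window.dataLayer = window.dataLayer || []; dataLayer.push({ event: "pageview" });`,
  loader: `var s = document.createElement('script'); s.src = atob(ENCODED_PLACEHOLDER);
           document.head.appendChild(s);`,
  evasive: `var ext = gl.getExtension("WEBGL_debug_renderer_info");
            var r = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
            if (/swiftshader|llvmpipe|virtualbox/i.test(r)) return;`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const { verdict, hits } = triageScript(src);
  console.log(`${name}: ${verdict} [${hits.join(", ")}]`);
}
```

Legitimate tag managers also decode strings and create script elements, so a "review" verdict means someone compares the script with what the site owner approved, not that the script is malicious.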

High-Profile Victims and Industry Impact

Major brands have fallen victim to these attacks, creating widespread consumer concern. Notable breaches have affected Macy’s, Ticketmaster, American Cancer Society, P&G’s First Aid Beauty, British Airways, Newegg, and many other organizations over recent years.

The restaurant industry has faced particular challenges. MenuDrive and Harbortouch, both of which are online ordering platforms for restaurants, were targeted by a single Magecart campaign that resulted in e-skimmer infections for 154 restaurants.

Educational institutions have also been targeted. Campus bookstores across North America experienced attacks affecting 201 campus book and merchandise stores serving 176 colleges and universities in the U.S. and 21 in Canada.

However, the majority of victims remain smaller businesses. While the big names make the news, the majority of Magecart attacks are focused on small- and medium-sized organizations with 50 to 1000 employees.

Detection Challenges and Response Times

One of the most troubling aspects of Magecart attacks involves detection difficulties. The majority of skimming attacks are discovered after weeks or months in operation. This extended dwell time allows criminals to harvest thousands of payment cards before discovery.

The challenge stems from the attack’s technical characteristics. As often happens with Magecart attacks, the Hanna Andersson breach went unnoticed until the stolen credit cards surfaced on the dark web.

Traditional security measures often fail to detect these attacks. Security experts describe file integrity monitoring (FIM) this way: “FIM is a vital tool. It’s not the only tool, it’s just another layer of security. If it’s properly installed and running correctly, FIM is good at telling you if a page in your shopping cart or in your card data environment has changed. But you also have to have people watching those alerts.”

Furthermore, the volume of alerts can overwhelm security teams. The sheer volume of daily interactions on your websites could potentially lead to tens of thousands of additional alerts for your teams to inspect.

Economic Impact and Future Outlook

The financial consequences of successful attacks extend far beyond immediate theft. As a result of the breach, Hanna Andersson agreed to pay $400K in a California Consumer Privacy Act (CCPA)-related breach lawsuit. However, costs can reach much higher levels when considering regulatory fines and business disruption.

The threat shows no signs of slowing. The remainder of 2024 will likely see an increase in the exploitation of newly discovered vulnerabilities in widely used enterprise software. Security professionals expect continued evolution in attack techniques.

Regulatory changes may provide some relief. The PCI DSS 4.0.1 standard, set to take effect in March 2025, emphasizes monitoring client-side code changes on pages collecting credit card details.
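
One way to monitor client-side code changes on a payment page, as an added example (not from the original article or from the PCI standard): it inventories the script tags in a page's HTML and reports anything an approved baseline does not cover. The page markup, host names and baseline format are constructed assumptions.

```javascript
// Added example: compare the scripts on a payment page with an approved
// baseline. Page markup, hosts and baseline are constructed for illustration.
const { createHash } = require("node:crypto");
const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("base64");

// Collect external script URLs and hashes of inline scripts from page HTML.
function inventoryScripts(html) {
  const external = [], inline = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) external.push({ src: src[1], sri: /\bintegrity\s*=/i.test(attrs) });
    else if (body.trim()) inline.push(sha256(body.trim()));
  }
  return { external, inline };
}

// Report anything on the page that the baseline does not authorise.
function diffAgainstBaseline(html, baseline) {
  const { external, inline } = inventoryScripts(html);
  const findings = [];
  for (const s of external) {
    if (!baseline.sources.includes(s.src)) findings.push(`new external script: ${s.src}`);
    else if (!s.sri) findings.push(`no integrity attribute: ${s.src}`);
  }
  for (const h of inline)
    if (!baseline.inlineHashes.includes(h)) findings.push(`changed or new inline script: sha256-${h}`);
  for (const src of baseline.sources)
    if (!external.some((s) => s.src === src)) findings.push(`approved script missing: ${src}`);
  return findings;
}

// Constructed checkout page as approved by the site owner.
const APPROVED_PAGE = `<html><body><form id="pay"></form>
<script src="https://shop.example/js/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>initCheckout({ currency: "USD" });</script></body></html>`;

// Same page after an unauthorised change: one extra tag, one edited inline script.
const CHANGED_PAGE = APPROVED_PAGE
  .replace("</body>", `<script src="https://cdn.example.net/tag.js"></script></body>`)
  .replace('currency: "USD"', 'currency: "USD", debug: true');

const BASELINE = {
  sources: ["https://shop.example/js/checkout.js"],
  inlineHashes: inventoryScripts(APPROVED_PAGE).inline,
};
console.log(diffAgainstBaseline(CHANGED_PAGE, BASELINE));
```

Static HTML does not show scripts that a loader or tag manager adds at run time, so the same comparison should also be run against the rendered DOM of the checkout page.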

Nevertheless, attackers continue adapting faster than defenses. As security teams race to keep up, they’re finding that traditional detection methods are failing. The sophistication of these new attacks, combined with their ability to blend in with normal website operations, has created a detection crisis.

Conclusion: A Persistent and Growing Threat

The Magecart menace represents one of the most significant threats facing e-commerce today. With attack volumes surging and techniques becoming increasingly sophisticated, businesses must prioritize client-side security as an essential component of their overall defense strategy.

Organizations cannot afford to treat this as merely a technical problem. The business impact – from regulatory fines to customer trust damage – makes Magecart prevention a critical business imperative. As criminals continue to exploit the trust customers place in online shopping, the race between attackers and defenders intensifies.

The question facing every e-commerce business today is not whether they might be targeted, but when. Are you prepared to protect your customers’ most sensitive data when that moment arrives?
