A multi-platform credit card skimmer has been identified that targets online stores based on popular platforms, including Shopify, Zencart, Woocommerce, and BigCommerce. The skimmer can be used to harvest payment details on compromised stores and is linked to the Magecart group.

What happened?

The first programmatically generated exfiltration domain used by the skimmer in this campaign was first registered on August 31. This suggests that this Magecart campaign has been active for a long time.
  • This skimmer (also known as a Magecart script) can target Shopify and BigCommerce, even though these platforms do not allow or use any custom Javascript on checkout pages.
  • It does so by displaying a fake payment page before any customers land on the real checkout form and uses a keylogger to intercept personal and payment information.
  • Once the customers have entered their credit card information, the skimmer will show an error and customers will be redirected to the real payment page to avoid any suspicion.
  • Attackers may have breached a shared component, such as software or a service used by all compromised merchants. This could be the reason behind multiple compromised e-commerce platforms.

Recent attacks

Magecart attacks on e-commerce websites have increased drastically during the holiday season.
  • Recently, a credit card stealer script was found hidden in plain sight using CSS code to avoid detection. Due to this, it was able to bypass detection by automated security scanners and avoid raising any flags even when examined in manual security code audits.
  • A malware was found deployed on several Magento-powered online stores and it was programmed for automatic activation on Black Friday.


In recent months, Magecart campaigns have been using innovative tactics for evading detection. Thus, experts suggest consumers stay extra cautious and use two-factor authentication, as well as virtual cards for every financial transaction. In addition, organizations are recommended to regularly assess their third-party vendors’ security.

Cyware Publisher