Magecart Group 12, a group of hackers who target online shops and e-commerce websites, is now spreading malicious PHP web shells masked as favicons. The web shells let the group keep remote access to the compromised servers, which they then use to inject JavaScript skimmers into the online shopping platforms and steal financial information.

What happened?

According to a researcher from Malwarebytes, malicious PHP web shells named Megalodon or Smilodon are used for dynamically loading JavaScript skimming code with server-side requests into online stores.
  • The PHP-based web shell malware, masked as a favicon, is hidden on the targeted sites by pointing the shortcut icon tag at a fake PNG image file instead of a legitimate icon.
  • In turn, this web shell is configured to obtain the next-stage payload from an external host: a credit card skimmer that has similarities with other variants used in Cardbleed attacks.
  • Usually, injected skimmers make a client-side request to an external JavaScript resource hosted on an attacker-controlled domain; in the recent attacks, however, that request is made server-side.
  • Such types of attacks are known as formjacking attacks, in which a JavaScript skimmer code is stealthily inserted by its operators inside a single or multiple e-commerce websites.
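The favicon trick described above can be checked for from the defender's side: list the icon links a page declares, then verify that what each link points at really is an image (by magic bytes) rather than a file carrying PHP tags. The script below is an added example written for this page, not code from Malwarebytes, Cyware or the attackers; the HTML page, the file contents and the `/media/images/favicon-new.png` path are all constructed for illustration.

```python
"""
Defender-side check for favicon-masked PHP web shells (added example).

Two checks:
1. Extract the href of every <link> whose rel names an icon.
2. Classify the bytes behind each href: a real PNG/ICO starts with a
   known magic sequence, while a disguised web shell carries PHP open tags.
The sample HTML and file contents below are constructed for this example.
"""
import re
from html.parser import HTMLParser

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first eight bytes of every PNG file
ICO_MAGIC = b"\x00\x00\x01\x00"    # ICONDIR header of a Windows .ico file
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        rel_tokens = a.get("rel", "").lower().split()   # "shortcut icon" -> two tokens
        if "icon" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


def icon_hrefs(html: str) -> list:
    """Return every icon href declared in the page, in document order."""
    parser = IconLinkParser()
    parser.feed(html)
    return parser.hrefs


def classify_icon_bytes(data: bytes) -> str:
    """Return 'php-webshell', 'png', 'ico' or 'unknown' for the given bytes.

    The PHP check runs first so that a polyglot file (valid image header
    followed by PHP code) is still flagged.
    """
    if PHP_TAG_RE.search(data):
        return "php-webshell"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ICO_MAGIC):
        return "ico"
    return "unknown"


def audit(html: str, fetch) -> list:
    """Audit each icon link of a page.

    fetch(href) -> bytes is supplied by the caller (e.g. reads the file from
    the web root). Returns (href, verdict) pairs; verdict is 'ok' only when
    the bytes are a genuine PNG or ICO image.
    """
    findings = []
    for href in icon_hrefs(html):
        kind = classify_icon_bytes(fetch(href))
        verdict = "ok" if kind in ("png", "ico") else f"suspicious:{kind}"
        findings.append((href, verdict))
    return findings


# Constructed sample page: one genuine icon plus one icon tag pointing at a
# "PNG" that is actually a PHP file (the content is an inert stand-in).
SAMPLE_HTML = """<html><head>
<link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" type="image/png" href="/media/images/favicon-new.png">
</head><body></body></html>"""

SAMPLE_FILES = {
    "/favicon.ico": ICO_MAGIC + b"\x01\x00" + b"\x00" * 16,
    "/media/images/favicon-new.png": b"<?php /* constructed stand-in, does nothing */ ?>",
}


def sample_audit() -> list:
    """Run the audit over the constructed sample using an in-memory fetch."""
    return audit(SAMPLE_HTML, lambda href: SAMPLE_FILES.get(href, b""))


if __name__ == "__main__":
    for href, verdict in sample_audit():
        print(f"{verdict:25} {href}")
```

In a real deployment `fetch` would read the referenced path from the web root (or request it through the site's own front end), and the same magic-byte check is worth applying to every file under an images directory regardless of extension, since the tag on the page is only one of the ways such a file can be reached.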

Recent Magecart attacks

Magecart attacks are becoming more common and have targeted several online platforms around the world in the past few months.
  • Last month, VISA saw a growing trend of web shells being used to inject JavaScript-based credit card skimmers into hacked online stores in web skimming or Magecart attacks.
  • In February, Magecart-style attacks were found abusing Google's Apps Script business application development platform to steal credit card details.


The cybercrime syndicate is intensifying its efforts to compromise online stores with a wide range of attack vectors. In addition, skimming has become a prevalent and lucrative business for cybercriminals. Therefore, organizations are recommended to stay protected by deploying security measures to detect and stop such skimming attacks.

Cyware Publisher