The Christmas holiday shopping season started this month and attackers are at it. Magecart, the malicious hacker group known for targeting online shopping cart systems, is actively attacking e-commerce websites.

What has happened?

The Magecart group has been observed using a credit-card skimming technique to hijack PayPal transactions during checkout. They used the browser's window.postMessage API to make the malicious process look legitimate.
  • The group injected card-skimming scripts into checkout pages of compromised e-commerce websites to steal customers’ payment card details and other information.
  • The attackers hid their malicious code inside an image hosted on the server of the infected online store.
  • The attacker then takes data from the genuine pages (items added to the shopping cart, the total invoice amount along with taxes and additional charges) and uses it to pre-fill a fake PayPal form during the victim’s checkout, so the fake payment form looks real.
  • Once a victim enters and submits payment info, the skimmer sends the exfiltrated data to apptegmaker[.]com, a domain registered in October and associated with tawktalk[.]com.
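As an added example (not code from this article or from the skimmer it describes): a defender-side guard for the window.postMessage channel abused above, plus the Content-Security-Policy a checkout page can ship so that a payment frame or a card-data request to a domain outside an allowlist, such as apptegmaker[.]com, is refused by the browser. The PayPal origins and the report endpoint are assumptions.

```javascript
// Origins a real PayPal checkout widget would message from (assumed values).
const TRUSTED_PAYMENT_ORIGINS = new Set([
  'https://www.paypal.com',
  'https://www.sandbox.paypal.com',
]);

// Vet a postMessage event before a checkout page acts on it. A legitimate
// widget messages from a known origin with a typed payload; the skimmer
// described above relays cart data and card details between frames it
// injected, from whatever origin happens to host them.
function classifyPaymentMessage(event) {
  const reasons = [];
  if (!TRUSTED_PAYMENT_ORIGINS.has(event.origin)) {
    reasons.push(`untrusted origin ${event.origin}`);
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null || typeof data.type !== 'string') {
    reasons.push('payload is not a typed object');
  }
  // A card number should never cross postMessage at all, whatever the origin.
  const text = typeof data === 'string' ? data : (JSON.stringify(data) || '');
  if (/\b\d{13,19}\b/.test(text.replace(/[\s-]/g, ''))) {
    reasons.push('payload contains a PAN-like number');
  }
  return { trusted: reasons.length === 0, reasons };
}

// Content-Security-Policy for the checkout page: frames, fetch/XHR targets
// and form posts are confined to the trusted origins, so a fake payment
// frame or a POST of card data to an attacker domain is blocked by the
// browser and reported. The report endpoint is an assumed path.
function buildCheckoutCsp(reportUri) {
  const origins = [...TRUSTED_PAYMENT_ORIGINS].join(' ');
  return [
    "default-src 'self'",
    `frame-src ${origins}`,
    `connect-src 'self' ${origins}`,
    `form-action 'self' ${origins}`,
    `report-uri ${reportUri}`,
  ].join('; ');
}

// Browser hook: audit every message, report the failures, consume nothing.
function installMessageAudit(win, report) {
  win.addEventListener('message', (ev) => {
    const verdict = classifyPaymentMessage(ev);
    if (!verdict.trusted) report({ origin: ev.origin, reasons: verdict.reasons });
  });
}
```

CSP cannot stop a script that the store's own compromised server already serves (the article notes the code was hidden in an image on that server), so the postMessage audit is a second, independent layer rather than a replacement for cleaning the server.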

Bad boys keep coming back to PayPal

  • In the last month, attackers were seen targeting users of popular money transfer apps, including PayPal, Cash App, Zelle, and Venmo, as well as using these apps for other illegitimate purposes.
  • A network of 39 scam sites was discovered targeting victims with a PayPal-UPS scam, exploiting loopholes and using PayPal as a gateway for stealing money from their victims.

With serial attackers such as Magecart eyeing these payment gateways, sites integrating them need to be extremely cautious. Experts suggest sinkholing domains linked to Magecart infrastructure, keeping software updated with the latest security patches, segregating servers, and staying alert when entering information online.
Cyware Publisher