Judith Wahnon



Digital credit card skimmers operated by organized hacker groups represent a serious and costly problem for ecommerce businesses.

Magecart is the name cybersecurity professionals use to refer to the hacker groups that orchestrate these sophisticated attacks. The name originates from a malware program used to execute this type of hack. Magecart groups insert malicious instructions into JavaScript code through vulnerabilities in ecommerce websites. By doing this, they are able to copy and transmit credit card data as customers are entering it into payment forms.

Even when companies discover and remove Magecart malware, it is extremely common for reinfection to occur within a matter of days.

The scale at which this is occurring should give pause. Some threat detection companies have estimated that over 50,000 internet domains have been compromised by Magecart in some capacity, including many of the most widely used sites on the web. British Airways, Newegg, and Ticketmaster are just a few of Magecart’s high-profile victims.

In this guide, we will explain who is behind Magecart, how Magecart attacks are carried out, and how to prevent them from victimizing your business.

Industry experts do not believe that Magecart represents a single, unified group of hackers.

As many as seven different groups appear to be operating on the model of the initial Magecart hack, and may be working together to some extent.

Each group appears to have a slightly different approach, and several have found ways to make Magecart attacks more effective. Some have carefully targeted specific, high-value victims. Others have adopted a scattershot approach: trying to spread Magecart malware as far and wide as possible in an effort to spawn numerous illicit revenue streams.

It’s the latter methodology that is currently causing significant grief for ecommerce websites and their security providers. Some consider Magecart attacks to be a “spray and pray” tactic, seeking vulnerable websites, and attempting to infect huge numbers of them — many of which don’t even engage in ecommerce.

Magecart Tactics

One way Magecart groups manage to avoid detection is by not using stolen credit card numbers themselves. Instead of running up purchases on a stolen card before it’s discovered and cancelled, Magecart groups sell stolen numbers in bulk on the dark web.

Many Magecart attacks involve infecting third-party software that runs on the victim’s ecommerce site. This makes detection and removal even more challenging.

Magecart is a problem that every ecommerce company should have a strategy for dealing with. Consumers tend to hold companies responsible for their security breaches. Few consumers will bother to make a distinction between a company that is lax about security and one that has been compromised by a third party, and is as much a victim as the consumer.

This happens regularly, even when security protocols are stringent — because hacker syndicates are working around the clock to find vulnerabilities. While the loss of revenue from a cyberattack can be calculated, the loss of consumer trust cannot.

The 7 Heads of the Magecart Hydra

To combat Magecart effectively, it can be helpful to examine what is known about how these attacks originated and who is believed to be responsible for them. No matter how technologically sophisticated a cyberattack may be, it is still ultimately a human endeavor.

There are seven known groups of evil-doers behind the Magecart attacks. The one thing that ties them all together is their use of skimmer malware based on the original Magecart concept.

1. Magecart Group One

This is the group responsible for coding and unleashing the original Magecart skimmer back in 2014 or 2015. The original operation started by targeting thousands of sites with attacks and single-use servers for hosting the malware and storing the collected data.

The original skimmer was a bit of JavaScript code that would be embedded in eCommerce web pages, reading credit card numbers as shoppers entered them and sending them back to a single-use server controlled by the hackers.

It is believed that at one point, this group tricked job hunters in the United States into making purchases with these stolen credit card numbers and shipping the goods to destinations in Eastern Europe. This group no longer appears to be active, but they victimized more than 2,500 websites in their heyday.

2. Magecart Group Two

This group operates on the same model as group one. It employs similar tactics, including using stolen cards to ship goods overseas where they can be resold. Some security experts believe this to be an offshoot or continuation of group one.

3. Magecart Group Three

Primarily targeting eCommerce businesses based in Latin America, this group first appeared in 2016.

It has attacked more than 800 different online stores. This group uses a “smart” version of the Magecart skimmer.

Instead of checking the URL to see if it’s running on a checkout page, it checks whether any forms on the page hold payment data it can steal. Its goal is to ensure that it has captured and exfiltrated all the customer names and addresses it can find.

4. Magecart Group Four

The fourth group is believed to have links to other organized crime syndicates.

This prolific group has compromised more than 3,000 websites, grabbing as many cards as it could from as many sites as it could reach.

It uses impersonating tactics (mainly in the form of registering domains that look similar to known advertisers, analytics services, and eCommerce sites) to disguise its malware activity as normal web traffic, hiding it from security analysts.

Researchers report that group four uses advanced tactics, and is “extremely careful” with skimmer placement. It focuses on compromising a high volume of sites, with the goal of stealing as many cards as possible without specifically targeting anyone.

5. Magecart Group Five

This group’s calling card is its method of targeting third-party service providers. Its members infect the JavaScript code of web apps, which compromises the eCommerce websites of their clients. This tactic makes the group’s hacks harder to detect, and allows them to potentially infect dozens of victims with a single successful attack. Group Five is believed to have masterminded the Ticketmaster attack.

First seen in 2016, this group has compromised at least twelve victims so far. The way it hijacks the web supply chain is unique, according to researchers, because any service that provides ads, content, analytics, or other functionality can be targeted. A successful attack on a single one of these providers can result in thousands of sites being compromised without any individual merchants being targeted.

6. Magecart Group Six

With a focus on high-value targets like British Airways and Newegg, the sixth group has drawn the most attention from experts and the media.

By targeting big prizes like these, its members can acquire a large set of credit card numbers — even if their malware is discovered and removed quickly.

They sell the stolen numbers in bulk to other criminals and fraudsters.

Targeting first- and third-party code alike, this group keeps a low profile for weeks, even months after infecting a victim. It operates on a large and elaborate scale, with potentially hundreds of thousands of datasets of personally identifiable information at stake—enough to completely ruin a Fortune 500 company.

7. Magecart Group Seven

First identified in 2018, the newest Magecart group has 100 names on its list of victims so far.

This group’s distinctive feature is transmitting stolen data to other compromised websites instead of its own servers, which has made it harder to track and locate its members.

Because they hijack servers belonging to their victims, they are a lot harder to take down than earlier Magecart groups.

Usually, Magecart is remediated by taking over and sinkholing impacted domains, but because these hijacked domains are legitimate, the process of remediation for victims of group seven takes much longer. Cooperation from the site owner is required, and removing the skimmer while preserving forensic data can be a challenge.

The 3 Vulnerabilities Magecart Exploits

A successful Magecart attack depends on getting JavaScript malware installed into the victim’s website, specifically in a checkout page or another page on which a customer might enter credit card information. There are various ways to infect a host website with the necessary malware.

Magecart attacks typically use one of the following four methods:

1. Targeted Attack on a Specific Website

Magecart groups may focus on a particular site because it represents a high-value target, or because of known vulnerabilities that can be easily exploited. For instance, Magecart often targets Magento shopping cart software. Vulnerabilities in the PHP scripts that power Magento were first discovered in 2013, and the initial (and many subsequent) Magecart attacks were based on inserting code that would pull cardholder data and transmit it to a drop server.

One notable example was Magecart’s attack on MyPillow. The initial infection was soon discovered and removed.

Magecart was able to infect the victim a second time by targeting JavaScript vulnerabilities in its customer service live chat software. British Airways is another example. In that incident, Magecart found its way in through the airline’s baggage claim information page.

2. The Trojan Horse

In this approach, hackers trick companies into installing Magecart themselves by hiding it in innocuous apps or code. While most companies’ IT departments are smart enough to forbid the installation of software that hasn’t been properly sourced or vetted, Magecart has had some success by hiding itself in GitHub projects.

In this case, the vulnerability the hackers exploit is entirely human. Sysadmins and programmers under pressure may not always take a close look at what’s in the code they’re utilizing, or they may put too much trust in software that has been reliable in the past but has not kept up with the current state of security technology, leaving it vulnerable to appropriation as a vehicle for hidden malware.

3. The Supply Chain Attack

Rather than target eCommerce companies directly, this method targets the third-party software these companies employ on their websites. This has the potential to infect countless sites being served by a single third-party provider. As such, it can be much harder to trace and identify the hack.

Because third-party software typically has permission to execute scripts on a client’s website, it can be used to circumvent any number of security measures that would stop external attacks.

Magecart was able to infect the France-based ad network Adverline. From that one breach, these hackers were able to plant their skimmers on at least 277 of Adverline’s websites.

Even more troubling is the fact that many third-party software providers incorporate their own third-party solutions in their own software. Magecart was able to compromise the ad network Flashtalking, and while this did not result in a significant theft of credit card data, it is believed that Magecart would have been able to infect many of Flashtalking’s users, with no easy way to determine who or how many.

4. The Combination Hack

One of the more recent and significant Magecart attacks involved targeting as many Amazon S3 instances as hackers could locate.

Many Amazon S3 instances are improperly configured, and contain security gaps that Magecart can slip right through.

This attack combined elements of both the second and third methods. While not considered one of the “big three” Magecart attack methods, this new hack is worth noting for its combination of tactics.

The Life Cycle of a Magecart Attack

Let’s walk through what happens when an eCommerce site suffers a Magecart attack. While every Magecart attack shares commonalities in its fundamental concept, the details of the execution can vary considerably. However, we can sketch out an outline of what will typically occur.

First, the hackers select their target. It might be a specific eCommerce site; it might be a third-party software provider; or the hackers might opt for a scattershot attack that attempts to infect as many unspecified victims as possible.

Next, the hackers devise a way to plant the Magecart skimmer code into their targets’ websites. This can be a passive approach, as in the case with the infected GitHub code left up to be copied and used by anyone. Alternatively, it may involve bespoke coding and delivery attempts that take advantage of specific vulnerabilities unique to the target.

The attack begins once the Magecart JavaScript code has been placed where it can intercept form data entry from website visitors.

The hackers will keep a low profile while the Magecart malware lies in wait.

During this time, customers make purchases on the website. When they enter their credit card information, Magecart transmits the customers’ credit card data and personal information back to a server that the hackers can access. The hackers are then free to use those stolen credit card numbers, or to sell them on the black market.

The Magecart attack methodology highlights the importance of securing eCommerce website and software infrastructure at every level, especially where sensitive user data is stored and managed. Magecart is adaptable enough to gain a foothold through shopping cart software, cloud hosting, advertising networks, and proprietary applications. Securing a website against it requires a comprehensive approach.

Magecart’s Targets

If you run a website that uses shopping cart software, hosts third-party software, or runs any JavaScript programs, you’re a potential target for Magecart.

You’re now probably looking over your shoulder, wondering if you’re already the next Magecart victim.

You’re not wrong to be a little paranoid. If you run an eCommerce site that accepts credit card payments, you can bet that one or more Magecart groups would be very interested in going after you. The sheer number of potential victims in the eCommerce sphere may afford you some protection. However, when it comes to looking out for your customers, revenue, and reputation, you can’t afford to gamble on avoiding a major security breach through the luck of the draw.

Major Magecart Attacks

A closer look at a few notorious Magecart attacks sheds light on how the hackers succeeded in compromising their targets, and what to avoid to prevent being victimized by similar attacks.

Data belonging to hundreds of thousands of customers was compromised when British Airways suffered a Magecart attack in 2018.

This was a targeted attack that made use of a vulnerability in Modernizr, a JavaScript library used on British Airways’ website. The group behind this attack inserted the Magecart code into Modernizr, which then began sending captured data from payment forms to a server in Romania.

More than half a million credit card numbers were stolen. As a consequence, British Airways was penalized $229 million for failing to meet user privacy requirements mandated under the GDPR. This was the highest fine levied for a GDPR violation to date.

Also in 2018, Ticketmaster UK was attacked via the Inbenta AI software it had embedded in its website. Ticketmaster and Inbenta were quick to point fingers at each other once the breach was discovered. Inbenta claimed that it was only vulnerable because of customized code Ticketmaster had asked the company to include in its product.

Discovery didn’t happen very quickly. Ticketmaster only became aware that it had been hacked when a London bank contacted its employees after noticing suspicious credit card activity.

Ticketmaster claims that less than 5% of their global customer base was affected, but that could still encompass a huge data breach.

This large computer and electronics retailer was the victim of a Magecart attack in August 2018.

The sophisticated attack involved the registration of a copycat domain name and customized skimmer code. The malware was able to remain in place and operative for an entire month before it was found.

In early 2019, a Magecart attack targeted this eCommerce platform that serves college bookstores. Like the British Airways attack, it exploited vulnerabilities in a JavaScript library by disguising itself as a Google Analytics script. This particular Magecart variant, which is being called Mirrorthief by security experts, has unique qualities in its network backend and data encryption methods. More than 200 different online college bookstores were impacted by this breach.

Preventing Magecart Attacks

By this point, we’re confident that you understand what a serious threat Magecart represents.

Magecart is not a simple or predictable attacker. It can find its way into a website through a variety of entry points. The various Magecart groups seem to specialize in different approaches, rendering a wide swath of eCommerce sites vulnerable to attacks on a wide range of disparate vectors.

Fortunately, there are practical steps companies can take to protect themselves. Defending your site will invariably involve a multi-pronged approach. This incorporates frequent testing and review, in order to maintain a good defensive posture against future iterations of this highly adaptable threat.

In broad strokes, a solid anti-Magecart strategy will include:

  • 24/7 monitoring of the website’s data flow, with protocols in place to detect code injections or modifications within the site, as well as possible anomalies in data collection.
  • Alerts and swift action to block attacks.
  • A method of gathering insights into any attack that does occur, as well as finding ways to mitigate risk and prevent such an attack from recurring.
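
The script monitoring named in the first bullet, shown as an added example that is not Namogoo's or any vendor's implementation: it compares the scripts in a checkout-page snapshot against a reviewed baseline and flags unknown inline code, new script hosts, and hosts that imitate a trusted one (the look-alike domains described under Group Four). The page HTML, hostnames, baseline and the edit-distance threshold of 2 are constructed assumptions.

```javascript
const crypto = require("crypto");

const sha256 = (text) => crypto.createHash("sha256").update(text).digest("hex");

// Levenshtein distance: how many single-character edits separate two hostnames.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Compare every <script> in a page snapshot with the reviewed baseline.
// The regex extraction is a simplification; production monitoring would use a
// real HTML parser and also watch scripts injected at runtime.
function auditScripts(html, pageUrl, baseline) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline script: any content not in the baseline is new or modified.
      const hash = sha256(body.trim());
      if (!baseline.inlineHashes.includes(hash)) {
        findings.push({ type: "unknown-inline-script", hash });
      }
      continue;
    }
    const host = new URL(src[1], pageUrl).hostname;
    if (baseline.hosts.includes(host)) continue;
    // Unapproved host: is it a near-copy of one we trust (threshold is an assumption)?
    const imitated = baseline.hosts.find((known) => editDistance(host, known) <= 2);
    findings.push(imitated
      ? { type: "lookalike-host", host, imitated }
      : { type: "new-host", host });
  }
  return findings;
}

// Constructed baseline and page snapshot (hypothetical hosts, not real data).
const BASELINE = {
  hosts: ["shop.example", "cdn.shop.example", "analytics.example"],
  inlineHashes: [sha256('window.cartId = "demo";')],
};
const CHECKOUT_HTML = `
<script src="https://cdn.shop.example/cart.js"></script>
<script>window.cartId = "demo";</script>
<script src="https://analytlcs.example/ga.js"></script>
<script src="//static.tracker-metrics.example/t.js"></script>
<script>loadWidget();</script>`;

const FINDINGS = auditScripts(CHECKOUT_HTML, "https://shop.example/checkout", BASELINE);
console.log(FINDINGS);
```

Short hostnames can sit within two edits of each other by coincidence, so a look-alike finding is a prompt for review rather than proof of compromise.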

Third-party security providers with experience in eCommerce hijacking attacks, like Namogoo, can also be a valuable resource in the fight against organized hacking attempts. In particular, providers with this experience have insights into how both first-party hacks and third-party breaches can occur. They can recommend specific preventative measures that would go overlooked by other cybersecurity professionals.

How Namogoo Prevents Magecart Attacks

Namogoo’s deep understanding of code behavior, proprietary anomaly detection algorithms, and 10 Billion page views allow us to alert you when a threat is detected.

Namogoo’s technology is trained to automatically learn the behavior of any code and domains running on the site, detect suspicious behavior that deviates from routine, and trigger real-time alerts that are adaptive to any site, providing you with the tools to track and mitigate any changes occurring on your website.

By leveraging the 10 Billion page views and tens of thousands of domains and code snippets covered on a weekly basis, Namogoo provides a dynamic risk score that allows you to prioritize, mitigate and prevent potential Magecart threats aimed at your website.

Namogoo’s continuous auditing capabilities identify behavioral changes and malicious patterns that enable ongoing prevention of threats and vulnerabilities. It provides ongoing real-time insights and alerts into data privacy threats posed by Magecart attacks including:

  • New injected or modified script added to the website (with a dedicated focus on sensitive sections such as Checkout and my Account)
  • New dependencies between 3rd/4th party services
  • New domains added with similarities to existing domains

Namogoo’s Benchmark Threat Alliance


Magecart attacks are sophisticated and ever evolving. This means that continuous monitoring is required in order to provide real-time insights. You’ll need to be able to take prompt and effective steps to excise Magecart’s malicious code — and protect your website against reinfection.

Any monitoring solution should review all third- and fourth-party vendors that collect and process customer data; analyze the number of data points collected; and pinpoint where and how they are extracted and shared. The goal is to achieve full visibility and control of your website at all times.

There’s a lot of code running on a modern eCommerce website. It is crucial to understand the root causes of any code modifications, and the exact elements that could lead to a data breach. If you’re unsure where to start when it comes to protecting yourself from Magecart, Namogoo can help test your website for vulnerabilities and recommend your next steps.

Judith Wahnon

Judith is the Director of Product Marketing at Namogoo. She is the go-to person for the why, how, and what of our amazing products. When she isn’t busy clearly defining our messaging, she spends her time cooking and baking delicious gluten-free food.