A newly uncovered Magecart operation shows how web-based attacks on online stores are becoming more advanced.
Magecart Campaign Overview
The attackers are running a wide campaign that relies on more than 50 unique JavaScript files. These scripts are planted across multiple e-commerce sites and interfere with checkout and user registration pages.
Instead of silently collecting payment details, the scripts actively change the checkout experience. They alter page behavior to avoid security protections and guide customers toward attacker-controlled payment steps.
What makes this campaign unusual is its level of tailoring. The attackers built separate scripts for different payment services, including Stripe, Mollie, PagSeguro, OnePay, and PayPal.
Each script first checks which payment provider a site is using. It then loads a fake payment interface that matches that provider, making the attack harder to notice.
Code analysis shows that legitimate payment elements can be disabled entirely. In one case, a built-in function prevents Stripe’s secure payment frame from appearing, forcing users to interact with the attacker’s replacement form instead.
Advanced Evasion Techniques
The attackers behind this campaign use several tricks to stay hidden and avoid detection by security tools and researchers.
In some cases, the malicious code checks whether the entered data looks real. If it detects test or fake information, the script stays inactive or sends harmless data so it does not raise suspicion during security scans.
The scripts also add hidden form fields to the webpage. These fields are invisible to shoppers but are used to quietly collect and send stolen information to the attackers.
At the same time, the checkout process continues to work normally. Customers complete their purchases without noticing anything unusual, even though their data is being captured in the background.
More concerning is how the attack goes beyond stealing card details. In certain cases, attackers used stolen credentials to create fake administrator accounts in the store’s management system. This allows them to keep access even after the original website weakness is fixed.
The scripts are built to collect more than just payment data. They also steal login details, personal information, and account recovery data, which can later be used for account takeovers and long-term access.
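As an added defensive illustration (not code from the article or from the researchers behind it), the script below audits a checkout page's HTML for two of the artifacts described above: hidden inputs that are not on an allowlist and script loaders served from unexpected hosts. The allowlists, the sample page and the look-alike hostname are constructed assumptions.

```javascript
// Added example, not from the article: a minimal checkout-page audit that
// flags (a) hidden <input> fields not on an allowlist and (b) <script src>
// tags loaded from hosts outside an allowlist. Regex-based tag scanning is
// used so it runs in Node without a DOM; the allowlists and the sample page
// below are constructed assumptions, not values from the campaign.

const ALLOWED_HIDDEN_INPUTS = new Set(['csrf_token', 'order_id']);
const ALLOWED_SCRIPT_HOSTS = new Set(['js.stripe.com', 'shop.example']);

// Extract one attribute value (double-, single- or un-quoted) from a tag string.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditCheckoutHtml(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const type = (attr(tag, 'type') || 'text').toLowerCase();
    const name = attr(tag, 'name') || '(unnamed)';
    if (type === 'hidden' && !ALLOWED_HIDDEN_INPUTS.has(name)) {
      findings.push({ kind: 'unexpected-hidden-input', detail: name });
    }
  }
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, 'src');
    if (!src) continue; // inline scripts are out of scope for this check
    let host;
    try { host = new URL(src, 'https://shop.example/').hostname; } catch { host = src; }
    if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
      findings.push({ kind: 'unexpected-script-host', detail: host });
    }
  }
  return findings;
}

// Constructed sample: a checkout form with one injected hidden field and one
// loader script pulled from a look-alike host.
const SAMPLE_PAGE = `
<form id="checkout">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="hidden" name="cc_mirror">
  <input type="text" name="cardholder">
</form>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.example-lookalike.test/loader.js"></script>
`;

console.log(auditCheckoutHtml(SAMPLE_PAGE));
```

Running it against a captured copy of a real checkout page, with the allowlists filled in from the store's known-good build, gives a quick diff-style check for injected fields and loaders.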
IOCs