What is Magecart?

Magecart is an umbrella term for groups of cybercriminals and hackers who target e-commerce and other online shopping services to steal customer payment card information, credit card numbers and other personal information. Magecart got its name from the Magento shopping cart system - its popularity with some of the world’s leading e-commerce websites made it an attractive target for hackers. Attacks that compromise a service like Magento in order to reach the websites that use it are known as supply chain attacks. Magecart-type attacks are so widespread that the name has become synonymous with any kind of credit card skimming or digital skimming attack.

How does Magecart work?

Magecart uses card skimming code, code injections and other data exfiltration techniques to steal user data, including payment card details, from business websites.

Magecart skimmers have been detected on over two million global websites. The idea behind Magecart and similar attacks is to compromise a third-party piece of software on a retail website, such as the shopping cart, checkout page or payment page, in order to steal customer data.

What makes Magecart so successful is that these attacks can go undetected for months or even years. All the malicious code is executed in the user’s browser - the ‘client-side’. It doesn’t impede the transaction in any way, so the customer carries on, the retailer receives their payment and no one detects the attack until it’s too late.


Who does Magecart target?

Magecart mainly targets e-commerce and other online shopping websites.

High-profile Magecart attacks on global brands include British Airways, Macy’s, Ticketmaster, NewEgg and OXO. In reality, any sensitive data entered into any online web form can be breached using a Magecart attack. Online businesses struggle to prevent Magecart because they often lack visibility into their web-facing attack surfaces, such as chatbots, shopping carts or other JavaScript integrations they use to enhance the user experience on their website. E-commerce site owners often have no idea that they are running unsecured code, or code from a breached service provider, on their website.

Magecart attackers are effective at exploiting unpublished zero-day vulnerabilities to attack online retailers and other websites. There are no patches for these vulnerabilities and, in most cases, website owners are unaware that the problem even exists.

What's the difference between Magecart and formjacking?

Magecart is a type of formjacking - both exploit vulnerabilities in websites to steal data while it is being entered by end users.

Magecart refers to a global consortium of cybercriminal gangs, all acting independently but using similar techniques to launch credit card skimmers and other data theft attacks.

Formjacking involves the use of malicious JavaScript to send attackers a copy of any information the user enters into a form on the website, such as payment information or other personally identifiable information (PII).

What all of these attacks have in common is they exploit JavaScript and other third-party integrations to steal information. Formjacking and Magecart are difficult to detect because the transaction completes normally - the website owner and customer are unaware of what has happened.
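The mechanism described in the two sections above (skimmer code running in the shopper's browser and posting a copy of the form data elsewhere) is exactly what a strict Content-Security-Policy on the checkout page turns into a blocked request plus a violation report. The following is an added example, not Tala's code: it builds such a policy from an allowlist and triages the resulting reports, flagging only those where an exfiltration-relevant directive blocked a request to an unlisted origin. All origins, the allowlist and the sample reports are constructed.

```python
"""CSP-report triage for a checkout page (added example; all data constructed)."""
import json
from urllib.parse import urlsplit

# Directives a skimmer trips: loading its code, posting form data, redirecting the form.
EXFIL_DIRECTIVES = {"script-src", "script-src-elem", "connect-src", "form-action"}

def build_checkout_csp(allowed_origins):
    """Hardened policy: only listed origins may serve scripts or receive fetch/XHR
    data, forms submit only to the site itself, and blocked requests are reported."""
    extra = " ".join(sorted(allowed_origins))
    return (f"default-src 'self'; script-src 'self' {extra}; "
            f"connect-src 'self' {extra}; form-action 'self'; "
            "report-uri /csp-report")

def origin_of(uri):
    """Reduce a blocked-uri to scheme://host so allowlist matching is exact."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else uri

def triage_reports(raw_reports, allowed_origins):
    """Return (blocked_origin, directive, page) for each report where an exfiltration-
    relevant directive blocked a request to an unlisted origin (report-uri JSON)."""
    findings = []
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        # Older browsers send only violated-directive, possibly with its source list.
        directive = (r.get("effective-directive") or r.get("violated-directive")
                     or "unknown").split()[0]
        blocked = origin_of(r.get("blocked-uri", ""))
        if directive in EXFIL_DIRECTIVES and blocked not in allowed_origins:
            findings.append((blocked, directive, r.get("document-uri", "")))
    return findings

ALLOWED = {"https://js.payments.example"}  # constructed allowlist
PAGE = "https://shop.example/checkout"

def _report(directive, blocked, key="effective-directive"):
    """One constructed report in the browser's report-uri JSON format."""
    return json.dumps({"csp-report": {"document-uri": PAGE, key: directive,
                                      "blocked-uri": blocked}})

# Constructed samples: unknown XHR host, harmless stylesheet, allowed SDK, off-site form.
SAMPLE_REPORTS = [
    _report("connect-src", "https://stats-collector.example/api/collect"),
    _report("style-src 'self'", "https://fonts.example/checkout.css",
            key="violated-directive"),
    _report("script-src-elem", "https://js.payments.example/sdk.js"),
    _report("form-action", "https://shop-example.example/checkout"),
]
```

Run `triage_reports(SAMPLE_REPORTS, ALLOWED)` to see the two reports worth a human look; a real deployment would feed the `report-uri` endpoint's payloads into the same function and treat any finding on a payment page as a potential skimmer.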


How Magecart has evolved

It’s never been more important to defend against Magecart and other client-side attacks.

Magecart is known to have been active from 2016. It grew from a single group injecting web skimmers on e-commerce sites but it wasn’t long before new groups appeared using different types of skimmers and adapting their malicious code injection techniques.

In 2018, Magecart was listed in Wired Magazine’s Most Dangerous People on the Internet – the same year that a Magecart attack on British Airways’ website resulted in a massive data breach of over 565,000 credit cards at a cost of $230m in fines, the biggest GDPR fine to date. The threat is persistent: one in five Magecart-infected stores are re-infected within days. That’s because hackers often hide malicious code in multiple locations on a site, using backdoors, rogue admin accounts and reinfection mechanisms to regain a toehold after the business thinks the attackers have gone.

The global pandemic has driven an unprecedented increase in online transactions and e-commerce. By mid-April alone, US retailers’ online YoY revenue growth was up 68%, with a 146% growth in all online retail orders. As millions of people worldwide are affected by stay-at-home orders, we’re beginning to see a dramatic shift in consumer behavior towards everything-online. While many have observed that the digital disruption in commerce is inevitable, this crisis has accelerated that trend. To learn more about Magecart and other client-side attack data, download our 2020 State of the Web report.

How to prevent Magecart attacks

Control Risk. Manage Trust.

Protect your website from client-side attacks with Tala Security. Tala prevents Magecart attacks by combining the power of standards-based security with patented analytics and automation to deliver rich insights into the code running on your website and safeguard it from attacks. Tala’s Web Application Runtime Protection (WARP) eliminates client-side vulnerabilities that lead to browser session attacks and data theft. Learn more about how Tala protects websites with WARP, or view the solution brief.

Is your website safe from Magecart attacks?

Request a free website analysis to find out.