
How to Prevent Magecart Attacks from Stealing Customer Payment Data

Magecart attacks are sophisticated client-side attacks that target online businesses to steal sensitive customer information, particularly credit card details. Named after the popular e-commerce platform Magento (one of its first targets), Magecart refers to both a specific attack technique and several hacker groups that use similar methods to steal payment information directly from browsers.

Unlike a traditional server-side breach, a Magecart attack works by injecting malicious JavaScript (a “skimmer”) into a website’s checkout page. The skimmer runs in the customer’s browser, silently captures card details as they are typed, and transmits them to servers the attackers control. The legitimate payment still goes through, so the customer sees nothing wrong.

What makes these attacks dangerous is that the theft happens in real time inside the customer’s browser: the stolen data never passes through the merchant’s server, so server-side logs show a perfectly normal transaction and no obvious sign of compromise. Since the first mass-executed Magecart attack in 2015(1), these threats have grown increasingly sophisticated. Today, Magecart attacks have compromised over 2 million websites globally(2).

Key takeaways

  • Magecart attacks target e-commerce websites by injecting malicious JavaScript code to steal customer payment data during checkout.
  • The attacks run in the customer’s browser rather than on the server, so traditional security measures like web application firewalls (WAF) rarely see them.
  • To protect your business, implement client-side monitoring, practice third-party vendor management, regularly update software, and consider specialized solutions like DataDome Page Protect.
  • The PCI DSS 4.0 standard requires new client-side security measures, making Magecart protection not just recommended, but essential for compliance.

How do Magecart attacks work?

Understanding how Magecart attacks work is crucial for defending against them. These attacks typically follow a three-stage process:

Figure: Magecart attacks operate entirely in the user’s browser

1. Infiltration

Attackers gain access to inject their malicious code through one of several entry points:

  • Direct website compromise: By exploiting vulnerabilities in content management systems or e-commerce platforms, attackers gain access to modify website code directly.
  • Supply chain attacks: Instead of targeting a website directly, attackers compromise the third-party services that the website uses, such as analytics tools, chat widgets, or payment processors. When the website loads resources from these compromised vendors, the malicious code is loaded along with the legitimate code.
  • Misconfigured storage: Some attacks target misconfigured cloud storage systems like Amazon S3 buckets that contain website resources, allowing attackers to modify the JavaScript files that are stored there.

2. Implantation

Once attackers have access, they implant skimming code using various techniques:

  • JavaScript injection: Attackers insert malicious JavaScript that operates alongside legitimate payment processing code. This code captures form field data as customers enter it.
  • Form field cloning: Some attacks create invisible duplicate form fields that capture data as the customer types.
  • Fake payment forms: More sophisticated attacks replace legitimate payment forms entirely with fraudulent but visually identical versions.
  • Code obfuscation: To avoid detection, the malicious code is often heavily disguised using techniques like Base64 encoding or breaking the code into seemingly random segments.

3. Data exfiltration

Once the skimming code has collected credit card information, it transmits the data to attacker-controlled servers using various methods:

  • Direct transmission: Data is sent directly to a domain the attackers control, usually one chosen to look like a legitimate service so the request blends into the page’s normal traffic (for example google-analytics.net in place of the real google-analytics.com).
  • Stealth exfiltration: Some skimmers stage the captured data in browser storage and transmit it in small batches, or only when the user navigates away from the page (for example with navigator.sendBeacon on the pagehide event). The request itself is often made to look harmless, such as a GET for an image whose URL carries the encoded card data, which makes the transmission harder to spot.

What makes Magecart attacks particularly effective is that the entire process happens client-side, in the user’s browser. The skimmed data travels directly from the browser to the attacker and never through the merchant’s infrastructure, so server-side security controls that inspect the merchant’s own traffic are blind to it. Meanwhile the legitimate payment still completes, and the transaction appears normal to both the customer and the business.
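The exfiltration signals described above can be checked mechanically. As an added example (not code from the original post or from DataDome), the Node.js snippet below triages the outbound requests a checkout page was observed making: it separates approved destinations from lookalike and unknown ones and flags query values that look like an encoded payload. The allowlist, every hostname and the request log are constructed for the demo, and the two-label “registrable name” shortcut is an assumption; a production tool would use the Public Suffix List and take the request list from a browser-side hook or a synthetic-monitoring run.

```javascript
// Added example: triage of outbound requests seen on a checkout page.
// Everything below (allowlist, hostnames, request log) is constructed for
// the demo and is not from the original post.

// Hosts a checkout page is expected to talk to (assumed for this example).
const ALLOWED_HOSTS = [
  'shop.example',
  'api.shop.example',
  'www.google-analytics.com',
  'js.stripe.com',
];

// Classic Levenshtein distance, used to catch typo-squatted names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// Registrable name, crudely taken as the last two labels. A production tool
// should use the Public Suffix List (co.uk etc.); this is enough for the demo.
function registrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// A lookalike reuses an allowed name under another TLD (google-analytics.net
// instead of .com) or differs from an allowed name by at most two characters.
function lookalikeOf(host, allowed) {
  const [name, tld] = registrable(host).split('.');
  for (const a of allowed) {
    const [aName, aTld] = registrable(a).split('.');
    if (aName === name && aTld === tld) return null; // same site, not a lookalike
    if (aName === name && aTld !== tld) return a;
    if (editDistance(name, aName) <= 2) return a;
  }
  return null;
}

// Skimmers often carry the stolen fields base64- or hex-encoded in a query
// parameter of an image GET. Flag long, alphabet-restricted values.
function hasEncodedPayload(url) {
  for (const v of url.searchParams.values()) {
    if (v.length >= 32 && /^[A-Za-z0-9+/=_-]+$/.test(v)) return true;
  }
  return false;
}

// Verdict for one request: 'allowed', 'lookalike' or 'unknown', with a
// severity that rises when the request also looks like it carries a payload.
function triageRequest(req, allowed = ALLOWED_HOSTS) {
  const url = new URL(req.url);
  const host = url.hostname.toLowerCase();
  const result = { url: req.url, via: req.via, host, payload: hasEncodedPayload(url) };
  if (allowed.some(a => registrable(a) === registrable(host))) {
    return { ...result, verdict: 'allowed', severity: 'ok' };
  }
  const like = lookalikeOf(host, allowed);
  return {
    ...result,
    verdict: like ? 'lookalike' : 'unknown',
    lookalikeOf: like || undefined,
    severity: result.payload ? 'high' : 'medium',
  };
}

// Only the requests worth alerting on.
function triageLog(requests, allowed = ALLOWED_HOSTS) {
  return requests.map(r => triageRequest(r, allowed)).filter(r => r.verdict !== 'allowed');
}

// Constructed request log: two legitimate calls, an image beacon to a
// lookalike domain carrying a base64 blob, and a sendBeacon fired on pagehide
// to a domain nobody approved. The card number is the standard test PAN.
const SAMPLE_REQUESTS = [
  { url: 'https://api.shop.example/checkout/submit', via: 'xhr' },
  { url: 'https://www.google-analytics.com/collect?v=1&t=pageview', via: 'img' },
  { url: 'https://google-analytics.net/collect?d=' + Buffer.from('4111111111111111|12/27|123').toString('base64'), via: 'img' },
  { url: 'https://stats-collector.top/b', via: 'beacon' },
];

console.log(JSON.stringify(triageLog(SAMPLE_REQUESTS), null, 2));
```

Run with `node`: the two legitimate requests are dropped, the google-analytics.net image beacon is reported as a lookalike of www.google-analytics.com at high severity because of the encoded payload, and the pagehide beacon to stats-collector.top as an unknown destination. Note that an allowlisted host is trusted unconditionally here; a compromised vendor (the Ticketmaster scenario) needs the script-integrity checks discussed later, not destination checks.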

Why Magecart attacks are so effective

Several factors contribute to the success and persistent threat of Magecart attacks:

Difficult to detect

Unlike server-side attacks, which leave traces in server logs and can trigger alerts, a Magecart skimmer runs in the user’s browser and sends the stolen data straight from there to the attacker. A web application firewall (WAF) or intrusion detection system inspects traffic to and from the merchant’s servers, so it never sees that outbound request and often misses the attack entirely.

Exploitation of third-party scripts

Modern websites rely heavily on third-party services for analytics, chatbots, payment processing, and other functions. Each third-party script represents a potential entry point for attackers. According to HTTP Archive, the average website uses 23 third-party scripts on desktop(3), significantly expanding the attack surface.

Sophisticated obfuscation techniques

Magecart operators use advanced techniques to hide their malicious code, including:

  • Base64 encoding to disguise code content
  • Breaking code into seemingly random segments
  • Mimicking legitimate services in domain names and code structure
  • Using polymorphic code that changes its signature regularly

Persistent reinfection mechanisms

Websites that were previously infected with Magecart are often reinfected within days, because removing the skimmer from the page is not the same as closing the hole it came through. Attackers:

  • Create multiple backdoors and rogue admin accounts
  • Implement hidden periodic tasks and database triggers to reinstall the skimmer
  • Return through the original entry point when it was never patched, including vulnerabilities for which no fix yet exists

Evolution of attack methods

Magecart techniques continue to evolve, and recent attacks show increased sophistication:

  • The “Ant & Cockroach” technique targets URLs linked to checkout pages rather than the pages themselves.
  • “Radix” obfuscation makes malicious code nearly impossible to detect through manual code review.
  • Other campaigns impersonate legitimate services such as Google Tag Manager to avoid suspicion.

Business impact of Magecart attacks

The consequences of a Magecart attack extend far beyond the immediate theft of customer data:

Financial losses

Companies face multiple financial impacts, including:

  • Fraud investigation and remediation costs
  • Regulatory fines (like GDPR penalties that can reach up to 4% of annual global turnover)
  • PCI DSS non-compliance penalties and potential loss of ability to process credit cards
  • Legal costs from customer lawsuits

Operational disruption

Responding to a Magecart attack often requires significant resources:

  • Emergency IT team mobilization to identify and remove the infection
  • Temporarily taking websites offline during remediation
  • Implementing new security measures while maintaining business operations
  • Managing communication with affected customers

Reputational damage

Perhaps the most significant long-term impact is the loss of customer trust. E-commerce businesses that experience a Magecart breach typically see a significant decrease in online sales in the months following the incident, as customers become wary of shopping on the affected site.

Regulatory consequences

With the introduction of stricter data protection regulations worldwide, businesses face increased scrutiny and potential legal consequences after a breach. For instance, the British Airways Magecart incident resulted in a £20 million fine under GDPR regulations.

Notable Magecart attacks

Several high-profile Magecart incidents have made headlines, demonstrating how even major companies with significant security resources can fall victim:

British Airways (2018)

One of the most notorious Magecart attacks targeted British Airways, affecting approximately 380,000 customers(4). The attackers customized their skimming code specifically for British Airways’ website structure and managed to modify both the web and mobile applications. The breach went undetected for several weeks, during which customer payment details and personal information were continuously stolen. The attack led to a £20 million GDPR fine and significant reputational damage.

Ticketmaster (2018)

Ticketmaster fell victim to a Magecart attack through a compromised third-party chatbot service from Inbenta Technologies(5). The hackers injected skimming code into the chatbot script, which was loaded into payment pages. The breach affected over 800 e-commerce sites using the same service and remained active for nearly nine months before discovery.

Tupperware (2020)

Home products retailer Tupperware was compromised when attackers inserted a fake payment iframe that looked identical to the legitimate payment form(6). The attack lasted for several days and was discovered on March 20, 2020. The malicious iframe loaded from a domain designed to look like a legitimate part of the Tupperware infrastructure.

Cisco (2024)

The Cisco merchandise website was targeted by a Magecart attack that injected malicious JavaScript code to steal sensitive customer information during the checkout process(7). The attack was associated with a critical vulnerability in Adobe’s Magento software known as CosmicSting (CVE-2024-34102). The vulnerability had been patched a few months earlier, but Cisco hadn’t yet patched their software.

These examples illustrate how Magecart attacks can target businesses of any size and remain undetected for a long time. They also highlight the variety of techniques attackers use to compromise websites and the significant consequences for the affected businesses.

How to protect your business from Magecart attacks

Defending against Magecart requires a multi-layered approach that addresses both prevention and detection:

Understand and manage third-party risk

Start by creating a comprehensive inventory of all third-party scripts running on your website, particularly on payment pages. For each script:

  • Document its purpose, the pages it loads on, and the data it can access (any script running on a checkout page can read every field on it)
  • Verify the vendor’s security practices and request regular code audits
  • Consider whether critical functionality could be brought in-house
  • Implement a formal review process for adding new third-party scripts, and remove scripts from payment pages that have no business being there

When possible, load third-party scripts from your own servers rather than directly from third-party domains. This pins a reviewed version, gives you control over what actually runs, and lets you add integrity checks such as subresource integrity hashes. Vendors whose scripts change continuously cannot be pinned this way, which is itself a reason to keep them off the checkout page.

Implement client-side monitoring

Since Magecart attacks operate in the browser, client-side monitoring is essential:

  • Deploy solutions that can detect unauthorized script behavior in real-time
  • Monitor changes to the Document Object Model (DOM) on sensitive pages
  • Set up alerts for suspicious data transmission, especially from payment pages
  • Regularly scan your website from different geographic locations to catch region-specific attacks

Utilize content security policies (CSP)

A Content Security Policy (CSP) is an HTTP response header that tells the browser which sources a page may load code from and where it may send data:

  • Define which origins are allowed to supply JavaScript on your payment pages (script-src), and use a per-response nonce for any inline script instead of 'unsafe-inline'
  • Restrict where the page may send data (connect-src, img-src, form-action, frame-src): skimmers often exfiltrate through image requests or beacons, and a strict destination list blocks the attacker’s domain outright
  • Pair CSP with subresource integrity (SRI) hashes so that a script modified at its source fails to load; SRI is a separate mechanism, but it covers the case CSP cannot, where an allowlisted vendor origin is itself compromised (as at Ticketmaster)
  • Set up reporting (report-uri, or its successor report-to) to be notified of policy violations; a violation on a checkout page is an early warning
  • Regularly review and update policies as your website evolves

Keep software updated

Maintaining current software versions is a fundamental security practice:

  • Apply security patches promptly to all web applications and plugins
  • Regularly update content management systems and e-commerce platforms
  • Monitor security announcements from vendors and third-party services
  • Consider automating security updates where possible

Implement specialized Magecart protection

Use specialized solutions designed specifically to address Magecart threats. DataDome Page Protect offers comprehensive protection against client-side attacks, including:

  • Real-time monitoring of JavaScript behavior
  • Detection of unauthorized code modifications
  • Immediate alerts for suspicious activities
  • Compliance with PCI DSS 4.0 requirements for client-side security

 

Figure: DataDome Page Protect resolves security incidents automatically

PCI DSS 4.0 and Magecart protection

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 introduced two requirements aimed squarely at Magecart-style attacks. Both were future-dated best practices until March 31, 2025, after which any organization that processes payment card data has had to comply with them:

Requirement 6.4.3

This requirement covers every script that is loaded and executed in the consumer’s browser on a payment page. Each script must be authorized, its integrity must be assured (for example with subresource integrity hashes or a tamper-detection mechanism), and it must appear in an inventory together with a written justification for why it is necessary.

Requirement 11.6.1

This requirement calls for a change- and tamper-detection mechanism that alerts personnel to unauthorized modification (including indicators of compromise, changes, additions and deletions) of the HTTP headers and the script contents of payment pages as received by the consumer’s browser. The mechanism must run at least once every seven days, or at a frequency justified by the organization’s targeted risk analysis. This directly addresses the Magecart attack vector by requiring active monitoring of client-side code rather than of the server alone.

These new requirements acknowledge the growing threat of client-side attacks and make comprehensive Magecart protection not just a best practice but a compliance necessity. Solutions like DataDome Page Protect are designed specifically to help organizations meet these requirements while providing robust protection against evolving threats.

Conclusion

Magecart attacks are a significant and evolving threat to online businesses. By operating within the user’s browser rather than attacking server infrastructure directly, these attacks bypass many traditional security measures and can remain undetected for months while harvesting sensitive customer data.

Protecting your business requires a multi-layered approach that includes understanding third-party risks, implementing client-side monitoring, creating content security policies, keeping software updated, and using specialized Magecart protection solutions.

DataDome Page Protect is a comprehensive solution specifically designed to defend against Magecart and other client-side attacks. It provides real-time monitoring of all script activities on your payment pages and automatically detects and blocks unauthorized code modifications and suspicious behaviors.

By implementing DataDome Page Protect today, you not only protect your customers’ sensitive information, but also safeguard your business’s reputation and financial health in an increasingly regulated digital environment. Visit datadome.co/products/page-protect to request a demo of the solution for your company’s security strategy.


Magecart attack FAQ

What makes Magecart so attractive to hackers?

Magecart is particularly attractive to hackers because it targets the lucrative payment card data market while being difficult to detect using traditional security measures. Additionally, the stolen credit card data can be quickly monetized on dark web marketplaces, offering high returns with relatively low technical barriers to entry compared to other sophisticated cyber attacks.

What is PCI DSS compliance?

PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements that organizations storing, processing or transmitting payment card data must follow, enforced through their agreements with the card brands and acquiring banks. The current major version, PCI DSS 4.0 (revised as 4.0.1 in 2024), introduces requirements specifically targeting client-side threats like Magecart attacks (6.4.3 and 11.6.1). Non-compliance can result in penalties, increased transaction fees, and potentially losing the ability to process credit card payments altogether.

*** This is a Security Bloggers Network syndicated blog from DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/magecart-attacks/