Akamai Diversity

Akamai Security Intelligence
& Threat Research

An Introduction to Magecart

Written by Steve Ragan

Since at least September, a number of criminals have been targeting online shopping carts and skimming credit card data at checkout. Collectively, these criminals are being called Magecart. Researchers at RiskIQ and Flashpoint Intelligence have identified six groups associated with these skimming attacks.

Like it or not, the holiday shopping season is here. Over the next few weeks, many of you will be searching out deals online and turning to the website of your choice to purchase gifts for friends and loved ones - maybe even a little something for yourself.

If you've been reading the news lately, you might have heard about data breaches at major retailers online such as Ticketmaster and Newegg.  In the travel industry, the breach at British Airways in September impacted more than 300,000 people. These attacks are all related to Magecart.

In each case, criminals skimmed payment card details during the checkout process, targeting vulnerabilities in the retailer's shopping cart application.

The exact nature of the vulnerabilities being exploited isn't known. However, since each Magecart victim is web-based, and most of the skimmers used by Magecart rely on JavaScript, several experts have speculated that the initial entry point could be direct injection, a full compromise of the victim's system by targeting vulnerabilities in store software, or a mix of Cross-Site Scripting (XSS) and deceptive domains.

Researcher Willem de Groot, who has been tracking Magecart activities and related incidents since about 2015, noted that many of the online retailers affected by Magecart are struggling to cope, as one in five victims are reinfected.


How the groups known collectively as Magecart go about conducting their attacks varies from one group to another.

Two of them use automated tools and cast a wide net for targeting victims. Meanwhile another gang simply aims for quantity over quality, compromising as many websites as possible. One of the groups is picky when it comes to selecting targets, opting to go after only high value websites, such as Newegg and British Airways. The other three groups have their own unique methods and operational style, but are effective nevertheless.

As mentioned, many of the Magecart victims are struggling to contain the attacks. In the third quarter of 2018 many Magecart victims were reinfected (more than a dozen times in some cases) soon after they'd detected and cleaned-up the initial infection.

Part of the problem stems from the fact that Magecart attackers are getting better at maintaining access to their victims via shells or rogue administrator accounts. On top of this, the groups behind Magecart are quick to leverage zero-day vulnerabilities and database triggers to re-inject their payloads and continue skimming.

Millions of Compromised Records

Over the last decade, shopping online went from being a bit of a fad, to a natural part of daily life, and as it evolved, so did the methods associated with fraud and crime. According to the Identity Theft Resource Center (ITRC), as of November 2, 2018, there have been more than one thousand data breaches reported to the public, culminating in more than 57 million records being exposed.

Of those data breaches, 46% can be sourced to the retail services, hospitality, trade, utilities, transportation, and payment processing sectors. In fact, these sectors represent 53% of all the records compromised before the cutoff date. Naturally, many of those data breaches were centered on credit cards and personal information.

It's Business as Usual

Attacks against online retailers, especially attacks that target card data and personal information, have been happening since the early 2000's, but in the last few years have stepped up in sophistication and scale.

No matter how advanced or simple the attack, the goal remains the same; compromise card data and immediately sell it to other criminals so that the cards can be cashed out before anyone notices the data breach.

There are multiple ways to cash out a stolen credit card, but one common method involves purchasing items online and selling them at a steep discount. Any money made is pure profit for the criminal. There have also been cases where criminals will purchase goods online with stolen cards and ship them to cutouts, usually people thinking they have a legitimate work-from-home job reshipping goods.

The price for stolen card data will depend on how fresh the information is, the type of data included in the transaction, as well as volume.  Those who purchase multiple stolen cards are often given a price break, but on average stolen cards can sell from $5 to $30.

If the transaction only includes the card number and CVV, the cost would be lower than a transaction that includes a victim's entire identity along with card data, such as name, birthdate, Social Security Number.

Unfortunately, if a retailer you're visiting online has been compromised by Magecart, there is little you, the consumer, can do about it. Some endpoint defenses (security software and ad blocking) detect problematic URLs and JavaScript, but not all of them.

However, if your card data is compromised, you do have options. Your liability is $0 against fraudulent purchases, all you have to do is report them immediately. In many cases you don't have to wait for a monthly statement, as your bank or credit card company will offer transaction alerts, via email or text message, which tell you the moment a charge has been made. For additional information, visit the FTC's website.

Our next blog in this Magecart series will help online merchants better prepare for Magecart attacks and limit exposure and risk.