Magecart
Magecart is an umbrella term for financially motivated cybercriminal groups that specialize in web skimming and payment-card theft from e-commerce sites. Reporting repeatedly describes the activity as targeting online retailers and checkout flows, especially Magento/Adobe Commerce, WooCommerce/WordPress, and related payment integrations such as Stripe, PayPal, Mollie, PagSeguro, OnePay, and Authorize.net. Reported victimology includes large retailers and service providers such as Ticketmaster and Newegg, as well as broad campaigns affecting hundreds of e-commerce sites globally, including Finnish online stores.

Across the provided reporting, Magecart operations inject malicious JavaScript into checkout pages to steal cardholder data, CVV, billing details, customer names, email addresses, and phone numbers; some newer campaigns also take full identities, credentials, and account data.

Commonly reported tactics include:
- disguising skimmers as Google Tag Manager or analytics code;
- abusing trusted infrastructure such as Google Tag Manager, the Stripe API, Google Firestore, Amazon S3, and Heroku;
- compromising third-party suppliers and shared script providers;
- modifying WooCommerce payment gateway plugin files;
- abusing vulnerable WooCommerce plugins such as Funnel Builder by FunnelKit to inject arbitrary JavaScript;
- using rogue plugins;
- hiding payloads in fake PNG or JPG files;
- storing malicious code in database rows;
- using hidden SVG onload payloads to evade detection.

Techniques observed in the content include fake payment overlays and phishing iframes, silent skimming, staged loaders, obfuscation, dynamic code retrieval and execution, WebSocket-based delivery or exfiltration, image-beacon exfiltration, use of local storage for state and anti-duplication, self-removal when administrator indicators are present, and anti-forensics measures such as junk card generation and blending exfiltration into legitimate-looking traffic.

Exfiltration and hosting have been reported through attacker-controlled lookalike domains as well as trusted services including Stripe customer metadata and records, Google Firestore, Amazon S3 buckets, and Heroku apps. The content also identifies sub-clusters or associated operators within Magecart activity: ATMZOW, linked to long-running malicious Google Tag Manager container campaigns, and SMILODON, a skimmer reported to target WooCommerce via a rogue plugin with its payload hidden in a fake PNG image. Magecart is consistently characterized in the provided material as a cybercriminal, not nation-state, threat.
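As an added example (not from this page, and not Mallory's code), the following Python script performs static triage of a checkout page's HTML for the indicators the summary above describes: loaders that look like Google Tag Manager or analytics code but are served from an untrusted or self-hosted location, SVG onload handlers, image-beacon and WebSocket exfiltration patterns, dynamic code execution, and card-field access in inline scripts. The trusted-host allowlist, the indicator names, and the sample checkout HTML are constructed assumptions for illustration.

```python
"""Static triage of checkout-page HTML for Magecart-style skimmer indicators.

Added example, not from the original page or any vendor. Each check maps to a
tactic in the summary above. It is a triage aid for page-integrity monitoring,
not a replacement for CSP, Subresource Integrity and a maintained script inventory.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that may legitimately serve tag-manager / analytics loaders.
# A real deployment would derive this from the site's own script inventory.
TRUSTED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Behavioural markers from the reporting: dynamic code retrieval/execution,
# WebSocket delivery or exfiltration, image-beacon exfiltration, card-field access.
INLINE_PATTERNS = {
    "dynamic_code": re.compile(r"\b(?:atob|eval)\s*\(|new\s+Function\s*\("),
    "websocket": re.compile(r"new\s+WebSocket\s*\("),
    "image_beacon": re.compile(r"new\s+Image\s*\(\s*\)\s*\.src\s*="),
    "card_field_reference": re.compile(r"cc_?number|card_?number|cvv|cvc2?", re.I),
}
# A script URL that names itself after GTM/analytics.
GTM_LOOKALIKE = re.compile(r"gtm\.js|googletagmanager|analytics\.js", re.I)


class SkimmerTriageParser(HTMLParser):
    """Collects findings as {"indicator": name, "detail": where/what}."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # text of the inline <script> currently being read

    def _check_inline(self, code, where):
        for name, pattern in INLINE_PATTERNS.items():
            if pattern.search(code):
                self.findings.append({"indicator": name, "detail": where})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src is None:
                self._script_buf = []  # inline script: buffer its body
                return
            host = urlparse(src).hostname
            # A loader that looks like GTM/analytics but is served from another
            # host, or self-hosted (no host), matches the "disguised as GTM" tactic.
            if GTM_LOOKALIKE.search(src) and host not in TRUSTED_SCRIPT_HOSTS:
                self.findings.append({"indicator": "gtm_lookalike", "detail": src})
        elif tag == "svg" and "onload" in attrs:
            handler = attrs["onload"] or ""
            self.findings.append({"indicator": "svg_onload", "detail": handler})
            # The onload handler is itself inline code; apply the same markers.
            self._check_inline(handler, "svg onload")

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self._check_inline("".join(self._script_buf), "inline script")
            self._script_buf = None


def scan_html(html):
    """Return the list of findings for one page's HTML."""
    parser = SkimmerTriageParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def triage_summary(html):
    """Return the set of indicator names present, for a quick policy decision."""
    return {f["indicator"] for f in scan_html(html)}


# Constructed sample: one genuine GTM loader, one lookalike loader, an SVG
# onload beacon, and an inline script with WebSocket, atob and card-field use.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://static.lookalike-cdn.test/gtm.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<svg onload="new Image().src='https://c.lookalike-cdn.test/p.gif'"></svg>
<script>
  var chan = new WebSocket("wss://c.lookalike-cdn.test/s");
  var stage2 = atob("Li4u");
  var n = document.querySelector("[name=cc_number]");
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_CHECKOUT_HTML):
        print(f"{f['indicator']:22} {f['detail'][:70]}")
```

Because the reporting notes skimmers that remove themselves when administrator indicators are present, feed this scanner pages fetched in a plain customer session (fresh browser profile, no admin cookies) rather than from a logged-in admin browser, and diff the findings against a known-good baseline of the checkout page on every run.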
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Consumer Discretionary Distribution & Retail
Tradecraft
19 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
48 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Conducting web skimming attacks against e-commerce checkout pages by abusing trusted services such as Google Tag Manager and Stripe API infrastructure, and, in one variant, Google Firestore, to load skimmer code and exfiltrate stolen payment data.
- Conducting web skimming and payment-card theft by injecting malicious JavaScript into e-commerce checkout pages and disguising it as legitimate analytics or tag manager code.
- Conducting web skimming and payment-card theft campaigns by injecting malicious JavaScript via Google Tag Manager containers on compromised e-commerce sites.
- Conducting web skimming attacks against Magento e-commerce stores by injecting inline SVG-based credit card skimmers into checkout pages to steal payment data while evading detection.