MageCart

Magecart is a web-skimming/e-skimming malware family and umbrella term for client-side payment-card theft from e-commerce sites. It is also referred to in the content as digital skimming, web skimming, e-skimming, and formjacking. The malware is typically delivered by injecting malicious JavaScript into legitimate online stores or third-party dependencies after attackers gain access through vulnerabilities, misconfigurations, phishing, stolen credentials, compromised plugins/extensions, writable cloud storage, or supply-chain compromises. It commonly targets checkout flows on Magento/Adobe Commerce, WooCommerce/WordPress, Salesforce Commerce Cloud, and other e-commerce environments.

Its core behavior is to monitor checkout pages, intercept payment form interaction, and steal cardholder data in real time before or during submission to the legitimate processor. Reported data theft includes payment card number, expiration date, CVV/CVC, cardholder name, billing address, shipping address, email address, phone number, and other form data. Multiple campaigns described in the content use fake payment overlays or spoofed Stripe/Redsys/PayPlug forms, hide or replace legitimate payment forms, hook checkout buttons or form events, and then restore the legitimate flow so the purchase may still proceed or fail with a deceptive payment error. Some variants also harvested credentials and all typed form input, and one campaign pushed Android APK downloads to mobile users.

Observed evasion and tradecraft include heavy JavaScript obfuscation, delayed or staged loaders, use of trusted infrastructure such as Google Tag Manager, Stripe API, Google Firestore, and analytics-like domains, fake Google Analytics/Tag Manager code, inline SVG payloads with atob() and setTimeout execution, MutationObserver-based triggering, self-removal when the WordPress admin bar is present, localStorage markers to avoid repeat skimming, WebSocket-based exfiltration, image-beacon exfiltration, hidden iframe fallback exfiltration, and exfiltration paths disguised as analytics traffic such as /fb_metrics.php. Reported data protection/exfiltration methods include XOR obfuscation or encryption, including variants using XOR with keys such as "script" or 777, Base64 encoding, local storage staging, storage in .jpg files, fake Stripe customer records, HTTP POST, WebSocket channels, and attacker-controlled domains.

The content associates Magecart activity with organized cybercrime and multiple long-running campaigns rather than a single actor. Named reporting and research sources in the content include Sansec, Silent Push, RiskIQ, Volexity, ANY.RUN, Sucuri, Malwarebytes, Recorded Future, and Bleeping Computer. The malware has been linked in the content to compromises affecting or targeting Magento stores, WooCommerce stores, Claire’s, Ticketmaster, Newegg, and other online retailers, as well as campaigns abusing third-party suppliers such as Inbenta, SociaPlus, PushAssist, Clarity Connect, Annex Cloud, and ConnectPOS.

High-confidence indicators and infrastructure explicitly mentioned in the content include analytics-reports[.]com/wss/jquery-lib.js, wss://protect-wss[.]com/ws, cc-analytics.com, pstatics.com, js-csp.com/getInjector/, artrabol.com, js-stats.com, js-tag.com, redsysgate[.]com, jquerybootstrap[.]com, newassetspro[.]com, assetsbundle[.]com, claires-assets.com, webfotce[.]me/js/form.js, neweggstats.com, cdn-cookie[.]com, lasorie[.]com, statistics-for-you.com, morningflexpleasure.com, and IP address 23.137.249.67. Additional artifacts mentioned include suspicious SVG onload code with atob(), the localStorage key _mgx_cv, and use of wc_cart_hash as a skimming flag.