Magecart Skimming Campaign Targets Global Payment Networks, Stays Hidden Since 2022

Listen to this Post

Featured Image

A Silent Threat Embedded in Everyday Online Shopping

A long-running digital skimming operation has been quietly harvesting payment card data from online shoppers around the world, remaining undetected for nearly two years. Security researchers now warn that the campaign targets the core infrastructure of global e-commerce by abusing trusted payment workflows and exploiting the browser itself as an attack surface. The scale of the operation, combined with its stealth, places millions of cardholders and merchants at risk.

A Campaign Hidden in Plain Sight

Security firm Silent Push revealed that it uncovered a sophisticated web-skimming campaign that has likely been active since 2022. Unlike short-lived or noisy cybercrime operations, this campaign focused on longevity and invisibility. By embedding malicious scripts directly into checkout processes, attackers were able to operate beneath the radar of merchants, customers, and many security tools.

Major Payment Networks in the Crosshairs

The skimming scripts were designed to specifically target at least six major global payment providers: American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. These networks collectively handle the majority of credit card transactions worldwide. As a result, most locally issued credit and debit cards are potentially exposed whenever they are used on a compromised site.

Magecart: A Familiar Name With Evolving Tactics

This activity falls under the broad category known as “Magecart” attacks. Magecart is not a single group, but a term used to describe web-based skimming operations that inject malicious JavaScript into legitimate e-commerce websites. These scripts silently intercept sensitive customer data at checkout, often without leaving visible traces on the server side.

How Client-Side Attacks Evade Detection

One of the most dangerous aspects of Magecart-style attacks is that they operate entirely on the client side. The malicious code runs in the victim’s browser, not on the merchant’s servers. This means traditional server-side security monitoring often sees nothing unusual, while customers unknowingly hand over their most sensitive information.

What Data the Attackers Steal

When a customer reaches the checkout page of an infected site, the skimmer activates. It captures payment card numbers, expiration dates, CVV codes, customer names, billing addresses, and shipping information. This complete dataset can be used directly for fraud or sold on underground marketplaces, fueling identity theft and financial crime.

The Discovery That Uncovered the Operation

Silent Push identified the campaign while investigating a suspicious domain linked to a bulletproof hosting provider associated with PQ.Hosting, also known as Stark Industries or THE.Hosting/WorkTitans B.V. This hosting infrastructure has previously been linked to cybercriminal activity and is known for resisting takedown requests.

Obfuscated Scripts Designed to Avoid Analysis

Further investigation revealed that the suspicious domain hosted multiple URLs delivering heavily obfuscated JavaScript files, including one named recorder.js served from a domain masquerading as a content delivery network. The obfuscation made the scripts difficult to analyze and allowed them to bypass basic signature-based detection systems.

Evidence of a Long-Term Operation

According to Silent Push, analysis of the scripts and their associated domains revealed infections dating back to approximately 2022. This confirms the campaign was not opportunistic, but rather a carefully maintained operation designed for persistence and scale.

The Classic Magecart Infection Flow

The attack follows a well-established Magecart pattern that has proven effective over the years. First, attackers compromise an e-commerce website or payment portal. They then inject malicious JavaScript into the checkout process, often through compromised plugins, outdated CMS components, or stolen administrator credentials.

Activation at the Moment of Payment

The malicious code remains dormant until the exact moment a customer initiates a payment. Once activated, it verifies that the checkout page has fully loaded, ensuring the skimmer blends seamlessly into the legitimate payment flow without breaking page functionality.

Fake Forms With Real Branding

The skimming script creates a malicious iframe that displays a fake payment form. This form is carefully styled to match the legitimate payment provider’s branding, fonts, and layout. To the victim, it looks identical to the real checkout page they intended to use.

Data Exfiltration Without Suspicion

When the victim enters their payment details into the fake form, the data is immediately forwarded to the attacker’s infrastructure. Once the theft is complete, the fake form disappears, and the original legitimate payment form is restored behind the scenes.

Why Victims Rarely Notice

After submitting the fake form, victims typically see a payment error message. This creates the illusion that they simply mistyped their card details. Most shoppers then re-enter their information, unaware that their data has already been stolen. The second attempt is processed normally through the legitimate payment form.

A Perfect Crime From the User’s Perspective

From the shopper’s point of view, nothing seems wrong. The purchase eventually succeeds, the product arrives, and no immediate red flags appear. By the time fraudulent transactions surface, it is nearly impossible to trace the theft back to a specific shopping session.

The Challenge for Merchants

Because the attack does not always modify server-side files or logs, merchants may remain infected for months or years. Even security scans can miss the threat if the skimmer is designed to disable itself when administrative cookies or known security tools are detected.

Defensive Measures for Vendors

Silent Push recommends that merchants implement strict Content Security Policies (CSP) to limit which external scripts can load on checkout pages. This significantly reduces the risk of unauthorized JavaScript injection.

Payment Security Compliance Still Matters

Adhering to PCI DSS requirements remains critical. While compliance alone cannot stop all Magecart attacks, it raises the security baseline and limits common misconfigurations that attackers exploit.

Patch Management as a First Line of Defense

Regularly updating content management systems, plugins, and third-party components is essential. Many Magecart infections originate from outdated software with known vulnerabilities.

Strong Access Controls Reduce Risk

Administrative accounts should use strong, unique passwords combined with multi-factor authentication. Stolen admin credentials remain one of the most effective entry points for attackers targeting e-commerce platforms.

Testing Like a Normal User

Merchants are also advised to test their own websites in incognito or private browsing modes. Some skimmers deliberately avoid executing when they detect administrator sessions, making standard testing ineffective.

End-User Awareness Still Counts

Consumers can reduce their risk by shopping only on reputable platforms, using browser or endpoint security solutions, and paying attention to unusual checkout behavior. Regularly reviewing bank and card statements helps detect fraud early.

What Undercode Say:

A Warning Sign for Modern E-Commerce Security

This campaign highlights a fundamental weakness in how modern e-commerce security is approached. Too much trust is placed in server-side controls, while the browser remains an underprotected attack surface. As long as attackers can manipulate client-side JavaScript, Magecart-style threats will continue to thrive.

The Economics of Stealth

The most striking aspect of this campaign is not its technical novelty, but its restraint. By prioritizing stealth over speed, the attackers maximized profit while minimizing exposure. This long-term mindset suggests a mature operation rather than a loosely organized criminal group.

Why Payment Providers Are Indirect Victims

Although payment networks themselves were not compromised, their branding was abused to lend credibility to fake checkout forms. This indirect exploitation damages trust in the entire online payment ecosystem, even when providers follow strong security practices.

Obfuscation as a Force Multiplier

Heavy script obfuscation remains one of the most effective tools for evading detection. Many security teams underestimate how long malicious code can survive when it is intentionally engineered to resist analysis.

The Browser Is the New Battleground

Client-side attacks demonstrate that the browser has become a primary battlefield for cybercrime. Traditional endpoint security is often blind to malicious scripts that execute within trusted web contexts.

Compliance Does Not Equal Security

Many compromised sites likely met baseline compliance requirements. This reinforces the idea that compliance frameworks are necessary but insufficient without active monitoring and behavioral analysis.

Supply Chain Weaknesses Persist

Third-party plugins, analytics tools, and embedded scripts continue to introduce risk. Each external dependency expands the attack surface, especially when vendors fail to audit what executes on critical pages like checkout flows.

Detection Requires Behavioral Insight

Static scanning and signature-based tools struggle against Magecart campaigns. Effective detection increasingly depends on monitoring runtime behavior, script integrity, and unexpected DOM manipulations.

The Cost of Customer Trust

Even a single skimming incident can permanently damage a brand’s reputation. Customers rarely distinguish between merchant negligence and sophisticated cybercrime when their card details are stolen.

A Signal of What’s Coming

This campaign is likely not an outlier. It represents a broader shift toward long-term, low-noise client-side threats that target trust rather than infrastructure.

Fact Checker Results

Timeline Validation ✅

Evidence supports the claim that the campaign has been active since approximately 2022, based on domain and script analysis.

Attack Method Accuracy ✅

The described skimming technique aligns with known Magecart behaviors observed in previous large-scale incidents.

Risk Scope Assessment ❌

While major payment networks are targeted, actual risk still depends on whether individual merchant sites were compromised.

Prediction

More Client-Side Attacks Ahead 🔮

Magecart-style campaigns will increasingly favor stealth and longevity over rapid exploitation.

Browser Security Will Become Central 🔐

E-commerce security strategies will shift toward real-time client-side monitoring and script integrity enforcement.

Trust Will Be the Main Target 🎯

Future attacks will focus less on breaking systems and more on exploiting user trust in familiar payment experiences.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon