What Are Magecart Attacks On Magento Store And How To Prevent Them

Magecart attacks came out of the dark and made headlines when it targeted credit card info of giants like British Airways, Ticketmaster, Netwegg, etc. But, this does not mean Magecart attacks came into existence recently. In fact, Magecart attacks on Magento and other e-commerce websites can be traced back to 2014 when a group of hackers first started monetizing with stolen credit card details. Since then, masterminds of Magecart have been actively skimming the web.

Till date, Magecart has been identified to hack details from more than 110,000 different online shops, according to expert estimations. Also, the websites that bore the maximum brunt of Magecart attacks are e-commerce sites. Moreover, Magento is the ruler of the e-commerce space with the largest market share, and consequently specifically been the hot target for Magecart attacks.

Related article: How to Remove Magento & OpenCart Credit Card Malware Hack?

With this article, we will try to decipher the Magecart attacks on Magento and other e-commerce websites.

What are Magecart Attacks on Magento?

Magecart is a name given to a nexus of cyber criminals operating in groups, who engage in illegal web skimming activities and steals credit card info and other payment details of customers online. As identified by RiskIQ in their detailed and meticulous report “Inside Magecart”, there are around 6 to 7 groups that come under the umbrella ‘Magecart’. All of these groups skim the web in one way or another to fetch credit card info online, which in turn they sell in the black market.

Further, the Magecart sprouted from a single group back in 2015. It began by compromising vendor websites and collected and sold credit card details by injecting skimmers, following which many other groups and individual skimmers emerged. All these groups were skimmers but differed in the infrastructure, targets, and their process. The evolution of skimmers and the multiplication of groups continue to this day.

Some of these groups target as many vendors as possible. Some carefully conceal their skimmer. Some use known vulnerabilities in websites to hit the target. Some hunt and compromise plugins to plant skimmers. Some target third parties to gain access to small, medium or big e-commerce online. Some limit their victims to a few high-value organizations and use specially tailored skimmers, domains, and attacks against them. Whatever be their process, the Magecart is a growing threat.

Magento credit card hack, Stealing credit card from Magento store

The Complete Nexus: Magecart Attacks

According to “Inside Magecart” report, there are little to no consequences for these criminals behind the screen. Quite contrary to consequences, these criminals make fortunes by selling this info. This can be estimated from the fact that the prices for these skimmers varies from $250 to $5,000, depending on the versatility of the skimmer.

Web skimming is only one part of the complete criminal process that goes inside Magecart. After they fish the valuable credit card data they go ahead to monetize it. It may sound incredible, but there is a vast black market trading and thriving on credit card info. Presumably, these parties use the info to make illicit purchases. This is not all, there is a darker side to this whole Magecart attacks. Apart from making purchases with the stolen information, these data may also be used by criminal groups to ship goods to countries overseas.

The complete list of groups under Magecart

Magecart Group 1 & 2

Casts a wide net for targeting, likely using automated tools to breach and skim sites.

Magecart Group 3

Targets a high volume of vulnerable websites at one go.

Magecart Group 4

Extremely advanced, this group blends in with its victims’ sites to hide in plain sight and employs methods to avoid detection.

Magecart Group 5

This group hunts for known vulnerabilities in third-party vendors and targets the vendor’s user base. This type was implicated in the breach of Ticketmaster.

Magecart Group 6

This group is highly selective in its targets. Goes only for top-tier companies, such as British Airways and Newegg to maximise data collection due to high-volume traffic in these websites.

Modus Operandi of the Magecart Groups

Till now, we have understood what Magecart is and how widespread its links are. Let us then quickly forward to the modus operandi of Magecart attackers

Step 1: Magecart attacks on Magento

There are multiple steps that go behind in this giant web skimming process. The first of which is to gain access to a vulnerable store’s backend.

Step 2: Modify the site’s source code

Then the attackers would go on to modify the site’s source code and inject malicious JavaScript codes which would keep an eye on the payment forms & checkout pages. These skimmers record every entry on the payment page, be it personally identifiable information, credit card info or bank details.

Further, researchers also observed that some groups targeted only the third-party vendors on these online stores such as plugin vulnerabilities to plant the JavaScripts. At Astra, we have seen scores of plugin exploits on Magento that lead to sensitive data leaks.

Here is an example of the JavaScript used to skim the web:

Magecart attacks on Magento
A depiction of web skimming JavaScript

Step 3: Selling these records

Next, they would sell these records in the black market in return of a hefty amount. The sold data is used to make unauthenticated online transactions, transfer money, buy and ship goods to foreign countries.

Measures to Secure Your Magento Store from Magecart Attacks

Magento regularly releases security patches for webmasters to install. These patches are nothing but fixed and mended vulnerabilities of the previous versions. As a security company, we see a lot of cases of websites being hacked due to outdated versions with known vulnerabilities. Thus, installing these patches is the easiest and best prevention method you can have for your website.

Update Plugins & Themes

In addition to the patches, Magecart hackers also hunt for bugs in third-party sources. First, make sure you only install plugins from trusted sources. Further, keep up with the latest versions of plugins and themes. Being prompt with the updates can eliminate the risk of being hacked.

Set Strict File Permissions

Besides the above two, always set strict file permissions for your website. You can also take help from this article on our blog to set file permissions on Magento.

Use Two-Factor Authentication

Always, and I repeat always use two-factor authentication for checkouts in your website. Two-factor authentication requires an added verification to confirm the authenticity of the credit card owner. This discourages any payment request made from your card even if it’s stolen.


As a customer, being super vigilant while making any transaction online will, for sure, be in your privacy’s favor. Further, as an e-commerce website on Magento, you should indulge in security best practices. Like stronger permissions settings, having two-factor authentication, being up to date with the current versions in all spheres of a website.

Related Guide – Complete Step by Step Guide to Magento Security (Reduce the risk of getting hacked by 90%)

In addition to the above, use a firewall to secure your website. Investing in a firewall such as Astra’s will not only leverage a security layer on your website but also keep on optimizing its security by learning from each stopped attack. Astra Security Suite lets you focus on your business while it takes care of your website security fully and thoroughly.

Click here to get an Astra demo now!

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Aakanchha Keshri

Aakanchha is a tech & cybersecurity enthusiast. She is an active reader and writer of the cybersecurity genre.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Free Website Security Scanner