Protecting Your Website Against the Magecart Threat This 2019 Holiday Season

October 31, 2019 - Ensighten

With the holiday season approaching, ecommerce, travel and hospitality websites need to be prepared to defend against Magecart cyberattacks. Here we look at the threat to your business and how you can defend your brand from attack.


As with their bricks and mortar counterparts, Black Friday is traditionally the busiest retail day of the year for online retailers and unofficially kicks off the holiday shopping season.

In 2018, Black Friday pulled in $6.22 billion in online sales, up 23.6 percent from the previous year and setting a new high. The Friday after Thanksgiving was also the first day in history to see more than $2 billion in sales stemming from smartphones – 33.5 percent of ecommerce sales came from mobile devices, compared with 29.1 percent in 2017.

  • Shoppers bought more big-ticket items like appliances, furniture and bulkier electronics from their phones last Black Friday, with average order values up 8.5 percent year-over-year
  • Sales online for Thanksgiving Day 2018 totaled $3.7 billion, up 28 percent on 2017, making it the fastest-growing day for ecommerce sales in history.
  • The same day also saw $1 billion in sales from smartphones, with shoppers spending eight percent more online than the previous year

This 2019 holiday season looks set to continue this trend as it gears up to be the busiest on record for online retailers. The National Retail Federation (NRF) predicts that online and other non-store sales will reach between $162.6 billion and $166.9 billion in the US alone – up from $146.5 billion last year, an increase of 11-14 percent.


‘Tis the season for cybercrime

The downside to these incredible sales figures is that online retailers are at their most vulnerable during this busy period, with cybercriminals ready to exploit any vulnerabilities they find on under-pressure websites.

Leading security expert Brian Krebs recently described attacks on online retailers as being “off the charts”, with criminals increasingly moving from stealing physical credit card data to targeting online stores. The threat increases exponentially during the holiday shopping period. 2017 saw global organizations encounter a 57.5 percent increase in attempted attacks during the holiday shopping season – with the greatest number of attempts happening in the days following Christmas, according to Carbon Black’s 2018 Holiday Threat Report.

“During the holiday season, there is often a ton of noise in the online world and attackers do everything they can to take advantage of that,” notes the report.


Magecart detection

One of the biggest perpetrators of holiday season cyberattacks is Magecart – a syndicate of cybercriminals that target ecommerce websites to steal customers’ credit card information. The threat from Magecart is now so great that the FBI have issued a warning to the US private sector regarding the attacks.

Magecart operatives inject malicious JavaScript which steals the data from online payment forms, typically on checkout pages – a process known as formjacking. Magecart code has been inserted on millions of sites and compromised the payment information of millions of users. They gain access to websites either directly or via supply chain attacks that target the third parties that supply functionality to the sites. It is these supply chain attacks which are responsible for the largest spikes in Magecart detections.

In 2018, 6,929 unique Magecart incidents between Black Friday and New Year’s Day were detected — more than 177 incidents every day. Moreover, one in five retailers get re-infected with Magecart in a matter of days.

This year researchers uncovered more than 80 global ecommerce websites compromised by Magecart groups in just 2.5 hours of searching. A quarter of the websites discovered were “large, reputable brands in the motorsports industry and luxury apparel” spread out across the US, Canada, Europe, Latin America and Asia.

Research shows the most significant factor in Magecart’s rise is that site owners lack visibility into the code running on their site and found that the average breach lasts over two weeks, with many lasting much longer than that.

  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups
  • Magecart infrastructure is vast, with 573 known C2 domains and 9,189 hosts observed loading C2 domains
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites


Magecart prevention

Magecart attacks can be difficult to detect as its malicious script resides on the client-facing side of the website, waiting to skim off any personal information when a customer is at the checkout. Once a website is infected, the payment card information is harvested without the merchant or consumer being aware that the information has been compromised.

Businesses therefore clearly need a continued focus on visibility into this expanded attack surface, as well as increased scrutiny of the third-party services used in their web applications. However, current investments in maintaining website security are falling short.

Ensighten research shows that 83 percent of US companies suspect they are at risk of a data breach, but two-thirds of them have not yet put proper protective measures in place. Respondents also claim a high level of awareness of client-side website security vulnerabilities and yet, they admit their organizations are not taking proactive measures and are effectively under-invested in protection. However, as we’ve seen in the wake of the Magecart attacks, it is essential to have full visibility of your third-party technologies.

The Ensighten MarSec™ solution can help keep your website secure this holiday shopping season:

  • Real-time website monitoring: Monitoring of all network requests coming into the website or out of the website to detect potential malicious threats
  • Automated website privacy audit and alerts: Detect risks to your organizations data privacy rules – website scanning will check for unapproved technologies that may have access to your customer data
  • Masking of sensitive data: Determine unique data patterns to prevent sensitive data being exposed within the URL and passed to unauthorized third-party technologies
  • Allow and block third-party technologies: Define permissions for approved third-party vendors you choose to allow to access data or block from receiving specific types of data
  • Privacy gateways: Block unknown and unwanted website trackers, technologies and tags from firing on site and collecting sensitive customer data
  • Blocking of unauthorized network calls: Block Magecart style attacks, CSS hacks, man in browser attacks to protect end-users and stop data leakage


Speak to Ensighten today about how you can enable Magecart detection and prevention to avoid data leakage this holiday season.




Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Magecart blog

Learn more about the most talked about cyberattack group and how you can protect against Magecart attacks

Read Now

Online skimming webinar

Learn more about malicious JavaScript injection and how you can protect against client-side data exfiltration and theft

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect against Magecart attacks

Book Now