The Rise…and Rise of Magecart

March 5, 2019 - Ensighten

With formjacking incidents on the rise, is your website leaving your customers vulnerable to data theft?

2018 saw a sharp rise in incidents of web skimming and formjacking, a method used by cybercriminals to steal visitors’ credit card details and other personal information from the payment forms on the checkout pages of e-commerce websites.

Put simply, hackers inject malicious JavaScript code into e-commerce websites, often via a third-party vendor on the site, which in turn can harvest any personal or financial information supplied by visitors during the transaction process.

Research released by ZScaler’s Cloud Security Insights report, notes that “With the increase in JavaScript skimmer-based attacks, criminals can conduct their nefarious activity within the confines of the SSL environment, leaving most e-commerce sites unaware of the activity.”

Another study also published by Symantec; 2019 Internet Security Threat Report, shows that 4,818 unique websites were compromised via formjacking code every month in 2018. The appeal of formjacking for criminals is linked to the value of customers’ credit card information – data from a single credit card can be worth up to $45 (£34) on underground markets. Just 10 credit cards stolen from compromised websites could result in a yield of up to $2.2 million (£1.66 million) for cybercriminals each month.


Most wanted: What is Magecart?

At the forefront of these campaigns is a consortium of hackers called Magecart. In 2018 the group executed formjacking-based attacks on several high-profile victims including Ticketmaster, as well as retailers Newegg, Kitronik and VisionDirect.

RiskIQ, which has led the research into Magecart’s activities, says the group is placing digital credit card skimmers on compromised e-commerce sites “at an unprecedented rate and with frightening success.”

Indeed, in its 2018 Holiday Shopping Snapshot RiskIQ says it detected 6,929 unique Magecart incidents between Black Friday and New Year’s Day.


Why is formjacking so dangerous?

In a typical data breach, criminals break into company servers and access databases to steal confidential corporate and employee information that can include passwords, email addresses, phone numbers, and maybe even financial information and intellectual property. This is done by exploiting flaws in website security measures.

But, under the Payment Card Industry’s Data Security Standard (PCI DSS), merchants are prevented from storing full payment card information, such as personal CVV security code. What makes Magecart’s attacks so dangerous is that it doesn’t matter that a company hasn’t stored your credit card details. Its malicious script lurks on the client-facing side of a company’s website, waiting to skim off any personal information, like a CVV code, that’s entered by customers when they check out. This is also known as a data leak, as the hackers are stealing the information as it is inserted, rather than from the business’s servers.


Supply chain attacks

RiskIQ notes that the ‘The Global Attack Surface’ is growing every day. For example, modern websites are made up of many different elements—the underlying operating system, frameworks, third-party applications, plug-ins, trackers – all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions.

However, this commonality of approach is attractive to criminals as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites, creating a threat to multiple website security measures.

In numerous cases, Magecart has targeted third-party website vendors used in the supply chain in order to inject its code onto websites. In the case of Ticketmaster, Magecart compromised a third-party chatbot, which loaded malicious code into the web browsers of visitors to Ticketmaster’s website, with the aim of harvesting customers’ payment data.

In addition, third-party vendors supply code integrates with thousands of websites, so when it’s compromised, the websites of all of the customers that use it are compromised, giving Magecart access to a wide range of victims at once.


Secure your website

This growing attack surface means that while cybersecurity solutions are often deployed on an organization’s networks or servers, its website is highly susceptible to attack. As a unique point of vulnerability for customers inputting credit card data at the source, it shouldn’t be overlooked.

Formjacking, or web skimming is on the rise, therefore it is crucial that you ensure your website is secure. As well as observing and monitoring site traffic and testing any new updates to detect any suspicious behaviour, a key part of website security and mitigating any threat from third-party vendors by creating an allowlist and a blocklist that ensure you only share data with trusted vendors.

Don’t risk becoming the Magecart’s next victim. Speak to Ensighten about how our marketing security solution will enable you to manage all your third-party vendor technologies and prevent unauthorized data collection.




Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Magecart blog

Learn more about the most talked about cyberattack group and how you can protect against Magecart attacks

Read Now

Online skimming webinar

Learn more about malicious JavaScript injection and how you can protect against client-side data exfiltration and theft

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect against Magecart attacks

Book Now