Cyber Security News

Hackers Inject Shell Scripts into eCommerce Sites to Steal Credit Card Data

A recently discovered credit card theft operation, Magecart, has adopted an innovative approach by utilizing authentic websites as makeshift C2 servers

This strategy enables them to illicitly implant and conceal skimming malware within specific eCommerce websites.

During the checkout process, hackers execute a Magecart attack by breaching online stores and implanting malicious scripts designed to stealthily harvest the customers’ credit card details and personal information.

Large-scale & Long-term Attack

As per the diligent monitoring conducted by Akamai’s researchers on this particular campaign, numerous organizations in the subsequent countries have fallen victim to compromise:-

  • The United States
  • The United Kingdom
  • Australia
  • Brazil
  • Peru
  • Estonia

In addition, the cybersecurity firm highlights a noteworthy observation that many victims remained clueless to the fact that they had been compromised for more than a month, showing the covert nature of these attacks.

Web skimming attacks pose significant threats to organizations operating in the digital commerce realm, carrying the potential for substantial harm and adverse consequences.

The cybersecurity analysts at Akamai identified that threat actors had exploited several major platforms, and among them, we have mentioned the major ones:-

  • Magento
  • WooCommerce
  • WordPress
  • Shopify

Attack Infrastructure

A striking aspect of this campaign lies in the meticulous arrangement of the attackers’ infrastructure, specifically devised to orchestrate the web skimming campaign with remarkable efficacy.

In a strategic departure from conventional methods, instead of relying on their own command-and-control (C2) server, which could potentially raise suspicion as a malicious domain, the attackers adopt a different approach. 

By exploiting vulnerabilities or employing any available means, they infiltrate susceptible and legitimate websites, particularly small or medium-sized retail platforms, where they covertly embed their malicious code.

At its core, this campaign generates a dual impact, resulting in two distinct sets of victims, and here they are:-

  • Host victims
  • Web skimming victims

During their investigation, Akamai researchers identified a limited selection of websites functioning as the primary targets, all of which exclusively pertained to commerce-oriented platforms.

Exploited host websites are used as hosts for malicious code and subjected to a Magecart-style web skimming attack, leading to the theft of user information.

The attack’s stealthiness is enhanced by threat actors obfuscating the skimmer with Base64 encoding, concealing the host’s URL, and structuring it to resemble trusted third-party services like Google Tag Manager or Facebook Pixel, minimizing suspicion.

Through this approach, the attacker implements three distinct techniques aimed at evading detection and remaining undetected, and here they are mentioned below:-

The domain employed in the attack is obfuscated, rendering it challenging to trace and identify.

The loader is disguised as an authentic third-party script or vendor, hiding its true malicious intent.

By sourcing a substantial portion of the code from alternative origins, the attacker minimizes the volume of injected malicious code on the page, significantly diminishing the likelihood of detection.

Data Theft Analysis

The attacker uses obfuscation to impede debugging and research, deliberately making it difficult to understand the attack’s exact sequence, a practice widely adopted in various web skimming attacks that, in recent years, has become increasingly popular.

The first version is a highly obfuscated form that includes a customized list of CSS selectors specifically designed for each targeted site to capture customer PII and credit card information.

The second variant of the skimmer possessed lesser protection, inadvertently revealing key indicators within its code. 

These crucial clues allowed Akamai to effectively map the extent of the campaign’s impact and discover further victims.

Following the successful extraction of customers’ details, the skimmers transmit the stolen data to the server under the control of the threat actor. 

While this transmission is facilitated through an HTTP request meticulously crafted as an IMG tag nested within the skimmer.

Base64 encoding is used to obfuscate data during transmission, while website owners can prevent Magecart infections by securing admin accounts and updating CMS and plugins, and customers can reduce data exposure risk by utilizing the following methods:-

  • Electronic payment methods
  • Virtual cards
  • Setting credit card charge limits


Here Below we have mentioned all the recommendations:-

  • It is recommended that security professionals stay updated with the latest patches and enhance their security measures by incorporating a Web Application Firewall (WAF).
  • Ensure the implementation of specialized security solutions that offer insights into the activities of scripts executed in web browsers and provide robust protection against client-side attacks.
  • Ensure the thorough collection and vigilant monitoring of critical events and insightful data to enable prompt and efficient mitigation measures.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

12 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

15 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

16 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

17 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

18 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

19 hours ago