Magecart Strikes Again: Obfuscated JavaScript Skimmers Steal Credit Card Data from E-Commerce Sites

A newly uncovered Magecart campaign is compromising online shopping platforms with stealthy JavaScript that silently harvests customers' credit card data. The multi-phase attack combines advanced obfuscation, real-time data exfiltration, and persistent backdoor access to remain undetected and effective.

  • Admin Credential Theft as the Entry Point:
    Attackers gain initial access by using stolen administrator credentials—often harvested via infostealer malware—bypassing standard defenses.
  • Persistent Access via Customized Web Shell:
    Once inside, attackers deploy a modified version of the open-source P.A.S. Fork v1.4 PHP web shell to maintain long-term control over the compromised server.
  • Multi-Stage Attack Chain:
    The intrusion follows a four-phase pattern: backend access, web shell installation, code injection into the database, and real-time credit card data exfiltration.

  • Highly Obfuscated JavaScript Skimmer:
    The malicious script is deeply obfuscated with hexadecimal string encoding, dynamic function redefinition (notably the “chameleon” function), and immediately invoked function expressions (IIFEs) to hinder detection and analysis.
  • Real-Time Data Theft via WebSockets:
    Payment data—including full card details and personal info—is exfiltrated using live WebSocket connections to attacker-controlled servers.

  • Fallback Exfiltration via Image Requests:
    If WebSocket traffic is blocked, an invisible image-based channel ensures encoded card data still reaches the attackers.
  • Severe Consequences for Merchants:
    Beyond financial loss, affected businesses face reputational damage, loss of customer trust, and potential legal consequences from data privacy violations.

This latest Magecart attack highlights the critical importance of securing administrative credentials, monitoring for unusual server-side scripts, and regularly auditing website code and network traffic. For e-commerce platforms, even a momentary lapse in security can lead to massive breaches. Net Protector Cyber Security urges all online merchants to implement layered defenses, conduct real-time threat monitoring, and secure their infrastructure against stealthy threats like Magecart.
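
As an added example (not code from the campaign or from the original article), the script below shows one way to audit script bodies exported from a store's database for the traits listed above: dense hex-escaped strings and WebSocket or HTTP endpoints outside the merchant's own hosts. The allowlist, the threshold, the rule names and the sample input are constructed assumptions.

```javascript
// Added defensive example. ALLOWED_HOSTS, the threshold and SAMPLE are constructed
// assumptions for illustration, not indicators from the campaign.
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]);
const HEX_ESCAPE_THRESHOLD = 8; // tunable: first-party code rarely hex-escapes strings

// Constructed sample: an IIFE whose only string literal is hex-escaped.
const SAMPLE = String.raw`(function(){var u="\x77\x73\x73\x3a\x2f\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x73";var s=new WebSocket(u);})();
var lib="https://cdn.shop.example/app.js";`;

// Turn \xNN and \uNNNN escapes back into characters so hidden endpoints are visible.
function decodeEscapes(src) {
  return src.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Return a list of findings for one script body (e.g. a CMS block exported from the database).
function auditScript(src) {
  const findings = [];
  const hexCount = (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  if (hexCount >= HEX_ESCAPE_THRESHOLD) {
    findings.push({ rule: "hex-encoded-strings", count: hexCount });
  }
  const decoded = decodeEscapes(src);
  const seen = new Set();
  // ws(s) URLs cover the WebSocket channel; http(s) URLs cover the image-request fallback.
  for (const m of decoded.matchAll(/\b(wss?|https?):\/\/[^\s"'`)<>\\]+/g)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    const rule = m[1].startsWith("ws") ? "websocket-to-unlisted-host" : "http-to-unlisted-host";
    if (ALLOWED_HOSTS.has(host) || seen.has(rule + host)) continue;
    seen.add(rule + host);
    findings.push({ rule, host });
  }
  return findings;
}

console.log(auditScript(SAMPLE));
```

Findings from a static pass like this are triage leads; endpoints assembled at runtime will not appear, so pair it with a Content-Security-Policy whose `connect-src` and `img-src` list only the store's own hosts.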