What is Magecart?
Magecart is a collective term for multiple distinct cybercriminal syndicates that specialize in stealing payment card data from e-commerce environments. The name originated from early attacks targeting Magento storefronts but has since expanded to describe a broader category of threat actors operating across virtually every major e-commerce platform. Magecart groups share a common method: they inject malicious JavaScript into online checkout flows to capture payment details at the moment of entry, a technique broadly called digital skimming or e-skimming. The result is that compromised stores transmit customer card data to attacker-controlled servers in real time, entirely invisibly to the buyer. Formjacking, a closely related term, describes the specific act of intercepting data as it leaves a browser form field.
How a Magecart Attack Works: The Execution Lifecycle
A Magecart campaign follows a structured sequence. Understanding each phase explains why these attacks are so difficult to detect through conventional security tooling.
Phase 1 – Initial Access:
The attacker identifies a target e-commerce site through automated scanning for known software vulnerabilities, exposed administrative panels, or credential reuse on platform accounts.
Phase 2 – Script Injection:
Malicious JavaScript is embedded into the target’s checkout page. This can be inserted directly into the site’s source code or introduced through a third-party resource the site loads, such as an analytics library, a support chat widget, or an advertising tag.
Phase 3 – Silent Monitoring:
The injected script listens for browser events on checkout form fields. When a customer begins entering card details, name, billing address, or CVV values, the script captures each keystroke or intercepts the form submission data.
Phase 4 – Exfiltration:
The captured data is transmitted to a remote collection server controlled by the Magecart group, typically encoded or encrypted to blend with normal outbound traffic. This transmission happens alongside the legitimate checkout request, so the purchase completes normally and neither the merchant nor the customer detects any anomaly.
Supply chain attacks are a particularly effective delivery path. By compromising a single widely used third-party script provider, a Magecart group can reach thousands of merchant sites at once through one injection point.
Primary Attack Vectors: Supply Chain vs. Direct Infiltration
Magecart groups use two structurally different methods to reach their targets, each requiring a different defensive posture from merchants.

Direct Compromise
In a direct compromise, the attacker gains access to the target merchant’s own infrastructure. Common entry points include unpatched vulnerabilities in Magento and Adobe Commerce extensions, brute-forced or credential-stuffed administrative accounts, and insecure server configurations. Once inside, the attacker modifies the site’s checkout template files to embed malicious JavaScript directly. Detection is harder in this scenario because the skimmer code exists within the merchant’s own codebase rather than in an external resource.
Third-Party Supply Chain Attacks
Supply chain attacks targeting shared third-party services are the more scalable approach. An attacker compromises a JavaScript library hosted externally and consumed by a large number of merchant sites simultaneously. Because merchants load these scripts with implicit trust, no direct breach of the merchant’s environment is required. Notable supply chain attack campaigns have used compromised analytics trackers, A/B testing platforms, and live chat widgets as the injection vehicle. Malicious JavaScript delivered through this path is particularly difficult to detect because the script file itself belongs to a trusted vendor and arrives from a familiar domain.
Real-World Examples of Magecart Impacts
Several high-profile incidents have illustrated the financial and reputational consequences that Magecart attacks carry for affected organizations.
British Airways (2018):
Attackers injected a skimmer into the airline’s booking and mobile platforms, affecting approximately 500,000 customers over a two-week window. The UK Information Commissioner’s Office initially proposed a fine of over £183 million under GDPR, citing inadequate security controls as a contributing factor.
Ticketmaster (2018):
A third-party customer support chat widget installed on the Ticketmaster platform was compromised by a Magecart group. Because the malicious JavaScript was loaded from an external provider, internal security monitoring did not flag the exfiltration. Hundreds of thousands of customer records were affected before the campaign was detected.
Newegg (2018):
A skimmer targeting Newegg’s checkout page operated for over a month before discovery. The attacker registered a domain closely resembling a legitimate payment processor to make exfiltration traffic appear routine to security tooling.
These cases share a common thread: digital skimming continued undetected for extended periods, regulators treated the failures as compliance violations, and the associated PCI-DSS penalties and GDPR fines compounded the direct operational costs.
Enterprise Magecart Detection Strategies
Effective Magecart detection requires controls operating at the client layer, the policy layer, and the integrity verification layer, because server-side scanning alone cannot observe what executes inside a visitor’s browser.
Client-Side Monitoring
Client-side monitoring tools execute inside the browser and audit the behavior of scripts in real time. They detect when new scripts appear on a page, when existing scripts are modified, or when scripts attempt to access form field data or initiate unexpected network requests. Because Magecart skimmers operate at the browser level, client-side visibility is the most direct detection path available to security operations teams.
Content Security Policy (CSP)
A robust Content Security Policy header instructs browsers to refuse connections to origins not explicitly listed by the merchant. A well-maintained CSP prevents malicious JavaScript from sending exfiltrated payment data to attacker-controlled servers, even if injection has already occurred. The challenge is maintaining an accurate CSP allowlist in environments with many third-party script dependencies; CSP deployment requires ongoing governance to avoid blocking legitimate scripts.
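To make the allowlist point concrete, here is an added example (not from the article) that evaluates a CSP header against a destination URL the way a browser's source matching does, in simplified form: 'self', 'none', the * wildcard, scheme sources such as https:, and host sources with optional scheme, wildcard subdomain, port and path prefix. It contrasts a weak policy that lists https: with a strict one that names only the merchant origin and its payment API in connect-src. Both policies, the page URL shop.example and the vendor hostnames are constructed for illustration; form-action, frame-ancestors and base-uri are modelled as not falling back to default-src, which is how CSP Level 3 specifies them.

```javascript
// Added example (not from the article): a simplified CSP source-expression
// evaluator. Policies and hostnames are constructed, not taken from the page.
const WEAK_CSP = "default-src 'self' https:";               // any https origin may be contacted
const STRICT_CSP = [
  "default-src 'self'",
  "script-src 'self' https://cdn.analytics-vendor.example",  // assumed analytics vendor
  "connect-src 'self' https://api.payment-vendor.example",   // assumed payment API
  "form-action 'self'",
  "report-uri /csp-report",                                  // violations are themselves a detection signal
].join('; ');

// Directives that do not inherit from default-src when absent (CSP Level 3).
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri']);

// Parse a header value into Map<directive, [source expressions]>. Browsers keep
// only the first occurrence of a directive, so later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const defaultPort = scheme => ({ http: '80', https: '443', ws: '80', wss: '443' })[scheme] ?? '';

// Does one source expression permit this destination from this page?
function sourceMatches(expr, dest, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return dest.origin === page.origin;
  if (e === '*') return true;
  const destScheme = dest.protocol.slice(0, -1);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return e.slice(0, -1) === destScheme;          // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;                                                             // keyword not modelled here
  const [, scheme, host, port, path] = m;
  const pageScheme = page.protocol.slice(0, -1);
  // Without an explicit scheme, the page's scheme (or https) is implied.
  if (scheme ? scheme !== destScheme : !(destScheme === pageScheme || destScheme === 'https')) return false;
  // "*.vendor.example" matches subdomains only, never the bare host.
  if (host.startsWith('*.') ? !dest.hostname.endsWith(host.slice(1)) : host !== dest.hostname) return false;
  const allowedPort = port ?? defaultPort(destScheme);
  if (allowedPort !== '*' && allowedPort !== (dest.port || defaultPort(destScheme))) return false;
  return !path || dest.pathname.startsWith(path);                                   // simplified path match
}

// Would the browser permit `directive` to reach destUrl from pageUrl?
function cspAllows(header, directive, destUrl, pageUrl) {
  const csp = parseCsp(header);
  const sources = csp.get(directive) ?? (NO_FALLBACK.has(directive) ? undefined : csp.get('default-src'));
  if (sources === undefined) return true;        // nothing governs this directive: unrestricted
  const dest = new URL(destUrl), page = new URL(pageUrl);
  return sources.some(s => sourceMatches(s, dest, page));
}

// Compare both policies against a simulated exfiltration destination.
function compareExfiltration(destUrl, pageUrl = 'https://shop.example/checkout') {
  return {
    weak: cspAllows(WEAK_CSP, 'connect-src', destUrl, pageUrl),
    strict: cspAllows(STRICT_CSP, 'connect-src', destUrl, pageUrl),
  };
}

console.log(compareExfiltration('https://collect.attacker.example/c'));  // { weak: true, strict: false }
```

Two things the evaluator makes visible: a policy that allows https: in default-src looks strict but permits a script to post card data to any TLS-enabled host, and a policy with no form-action directive leaves the form's submit target unrestricted even when default-src is tight, because form-action does not inherit. Running the policy in report-only mode first (Content-Security-Policy-Report-Only) and reviewing the reports is the usual way to build the allowlist without breaking legitimate checkout dependencies.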
Subresource Integrity (SRI)
Subresource Integrity is a browser mechanism that validates third-party scripts against a cryptographic hash before executing them. If a compromised third-party provider modifies a script file, the hash check fails and the browser refuses to load it. SRI is the most direct technical control against supply chain-delivered Magecart injection, though it requires merchants to update hashes whenever a vendor legitimately updates its script.
Prevention and Compliance: Securing E-Commerce Checkout
A prevention posture for Magecart threats combines technical controls with governance processes and regulatory compliance obligations.
From a hygiene standpoint, merchants should maintain a complete inventory of all third-party scripts loading on checkout pages, conduct regular code reviews of checkout templates, and enforce strict change-management processes for any modifications to payment-adjacent pages.
PCI-DSS v4.0 introduced specific requirements for client-side script security, including the obligation to maintain an inventory of authorized scripts and to monitor for unauthorized changes. Compliance with these requirements directly addresses the attack surface that Magecart groups exploit. Organizations that treat PCI-DSS script monitoring obligations as checkbox exercises rather than active controls tend to remain exposed to e-skimming campaigns regardless of other security investments.
Periodic penetration testing focused on third-party script behavior and payment page integrity provides an independent verification layer that complements automated Magecart detection tooling.