What is MageCart? How to Detect & Prevent Attacks
What is MageCart?
MageCart malware is a commonly used name for malicious software designed to target ecommerce websites and steal sensitive payment information from online shoppers. Various MageCart groups employ different tactics and techniques, but their primary goal remains the same; to compromise websites, skim credit card details, and harvest sensitive customer data to sell on the black market for a profit.
The name “MageCart” originates from the initial target of these groups: the Magento platform — a widely-used content management system that offers checkout and shopping cart features for numerous online retailers. Originally, the term MageCart referred exclusively to client side infections. However, this term became so popular that it eventually extended to all sorts of credit card skimmers found on both the client and server levels.
How does MageCart Work?
MageCart attacks operate in a systematic manner, often following a four-step process to achieve their goal.
1. Gain access to an ecommerce website:
Attackers typically use two methods to infiltrate a website and inject their malicious code.
The attacker either:
- Exploits vulnerabilities or security flaws in a website’s infrastructure or server to inject or plant the skimmer, or;
- Targets one of your third-party vendors, particularly if they have weaker security measures.
Attackers configure their malware to execute whenever a checkout page is loaded in a browser, or to exfiltrate the data from the backend server during the checkout process.
2. Skim sensitive information from a form:
When a user visits a web page that contains a skimmer, the malware is executed and captures the sensitive data like payment details, credit card information, account credentials, and personal information from the web page.
Different MageCart groups employ various techniques to capture data, but they all involve collecting payment information. Some tactics involve monitoring all keystrokes on a sensitive page, while others focus on intercepting input in specific sections of a web form, such as credit card and CVV fields. Attackers usually conceal the malicious code within seemingly harmless code to evade detection.
3. Send stolen information to the attacker:
As data is harvested from the checkout page, the stolen information is transmitted from the users’ browser to the attacker’s server, telegram bot, email address, or local destination.
4. Receive transmitted information:
At this point, the attackers have successfully completed their mission, and the stolen data can be used for fraudulent purposes or sold on the black market..
Initially, MageCart attacks were relatively simple to identify, but cybercriminals have since adapted their tactics by concealing malicious code through encoding and obfuscation within seemingly harmless sources — such as fake images, audio files, favicons, or even GitHub repos. As a result, it has become increasingly difficult to detect these attacks by merely examining third-party code. To further avoid detection, hackers often encrypt stolen data before transmitting it from the browser, bypassing pattern detection systems designed to identify credit card numbers.
What is the impact of a MageCart malware infection?
MageCart malware can have several detrimental effects on a website, particularly those related to eCommerce. As a website administrator with beginner-intermediate knowledge, it’s essential to understand the potential impacts and symptoms of MageCart attacks.
Here are some potential impacts of MageCart malware on an ecommerce store.
Theft of customer information:
- Primarily targets credit card information
- Can also steal other personal data
- Potentially affects millions of shoppers
Legal and compliance damages:
- MageCart attacks and other malware expose companies to possible lawsuits by affected customers
- Legal penalties if the company is subject to regulations like GDPR compliance and regulations
- Industry penalties such as a PCI DSS audit, fines, and the inability to process credit cards
- Ecommerce retailers may experience a decrease in online sales
- Customers may lose trust in the retailer’s ability to prevent future breaches
- MageCart groups can exfiltrate user login and administrator credentials
- This could lead to the expansion of the attack to infect additional sites in shared server environments
Large brands are not immune to these attacks, either. MageCart groups have managed to compromise several renowned brands, demonstrating their ability to infiltrate even high-profile websites.
Need to clean your website from malware?
Looking for help setting up security for your website? Our pros are here to assist you 24/7!
Different types of MageCart attacks
MageCart attacks can be categorized into several types:
- Client side MageCart attacks
- Server side MageCart attacks
- Hybrid MageCart attacks
Let’s take a look at some examples of these infections.
Client side MageCart attacks
The second scenario can occur when the attackers are able to obtain write-access to the file system. This can occur in a number of different ways, for example compromised web hosting panels or FTP accounts, administrator accounts where file-editing access is enabled (such as by-default on WordPress environments if DISALLOW_FILE_EDIT hardening rules are not configured), or in websites where vulnerabilities are present which allows attackers to modify the file system.
Server side MageCart attacks
If attackers are able to compromise the file system, they may choose to inject a PHP-based skimmer. These are more difficult to detect as they are not visible in a web browser.
Magecart infections on the server can take several forms, including:
- A compromised PHP file related to the checkout process (such as Magento payment processing or WooCommerce files)
- A malicious or infected plugin, theme, or core file (such as in WordPress environments)
In rare cases, attackers have also been observed compromising servers on the root level and replacing the actual binaries on the server with malicious versions.
Hybrid MageCart attacks
How to detect MageCart?
For PHP based infections, our server side scanner is a very useful tool for monitoring for malicious injections as well as file modifications which you may not recognise.
Keep in mind that attackers spend a great deal of time and other resources into writing new malware to evade detection from existing security signatures, so any unrecognized file modifications should be investigated even if no malware or security warning is present.
How to cleanup MageCart malware
MageCart malware infections can be challenging security incidents to investigate and remediate, and even seasoned professionals can sometimes struggle with identifying the source of the payload. If your eCommerce website has a known skimming attack we highly recommend contacting professionals to assist.
If you are trying to cleanup an infection yourself, check out our step-by-step malware cleanup guides below:
- How to clean a hacked website
- How to clean a hacked Magento website
- How to clean a hacked WordPress website
Finding and removing a MageCart infection comes down to a few core concepts:
- Reviewing recently modified files, or files modified within the timeframe of reported credit card theft/fraud related to your website
- Inspecting your checkout page for any strange behavior
- Running integrity checks of your core files and/or payment module files
- Checking plugin, theme or core files which do not match known-good checksums
Be sure to make a full website backup prior to any changes to your environment.
How to protect your ecommerce store from MageCart
MageCart attacks on ecommerce stores can lead to severe consequences, including financial losses and damage to a company’s reputation.
As more websites handle payment information from users, the prevalence of MageCart-style attacks and sophisticated botnet attacks using stolen credentials is increasing. To safeguard your online business, it is essential to adopt an end-to-end web security strategy that not only mitigates MageCart attacks in the browser but also protects backend infrastructure from threats.
Take the following necessary precautions to protect your online store:
- Regularly update your software, including CMS, plugins, themes, and other third party code
- Use strong and unique passwords for all of your accounts, including, admins, sFTP, and database credentials
- Monitor your site for unauthorized access or changes
- Implement a web application firewall and intrusion detection system to block bad bots, virtually patch known vulnerabilities, and protect against malware
You’ll also want to focus on restricting unauthorized access to sensitive data; that means practicing the principle of least privilege to mitigate risk. Be sure to implement a robust security solution that examines and controls all API calls made by your website to the browser. This should ensure that only approved access to sensitive data is granted, preventing malicious or non-essential third-party scripts from obtaining customer information.
Any security system you implement should also include monitoring features that send alerts when any indicators of compromise are detected.
Need help protecting your ecommerce store from malware?
Respond quickly to threats. Take your security to the next level with the Sucuri Platform.
Sucuri Resource Library
Say on top emerging website security threats with our helpful guides, email, courses, and blog content.