What is MageCart? How to Detect & Prevent Attacks

What is MageCart?

MageCart malware is a commonly used name for malicious software designed to target ecommerce websites and steal sensitive payment information from online shoppers. Various MageCart groups employ different tactics and techniques, but their primary goal remains the same; to compromise websites, skim credit card details, and harvest sensitive customer data to sell on the black market for a profit. 

The name “MageCart” originates from the initial target of these groups: the Magento platform — a widely-used content management system that offers checkout and shopping cart features for numerous online retailers. Originally, the term MageCart referred exclusively to client side infections. However, this term became so popular that it eventually extended to all sorts of credit card skimmers found on both the client and server levels.

How does MageCart Work?

MageCart attacks operate in a systematic manner, often following a four-step process to achieve their goal.

1. Gain access to an ecommerce website:

Attackers typically use two methods to infiltrate a website and inject their malicious code.

The attacker either:

  • Exploits vulnerabilities or security flaws in a website’s infrastructure or server to inject or plant the skimmer, or;
  • Targets one of your third-party vendors, particularly if they have weaker security measures.

Attackers configure their malware to execute whenever a checkout page is loaded in a browser, or to exfiltrate the data from the backend server during the checkout process.

2. Skim sensitive information from a form:

When a user visits a web page that contains a skimmer, the malware is executed and captures the sensitive data like payment details, credit card information, account credentials, and personal information from the web page.

Different MageCart groups employ various techniques to capture data, but they all involve collecting payment information. Some tactics involve monitoring all keystrokes on a sensitive page, while others focus on intercepting input in specific sections of a web form, such as credit card and CVV fields. Attackers usually conceal the malicious code within seemingly harmless code to evade detection.

3. Send stolen information to the attacker:

As data is harvested from the checkout page, the stolen information is transmitted from the users’ browser to the attacker’s server, telegram bot, email address, or local destination.

4. Receive transmitted information:

At this point, the attackers have successfully completed their mission, and the stolen data can be used for fraudulent purposes or sold on the black market..

23-Sucuri_Guide_What is MageCart- How to Detect & Prevent Attacks-diagram

Initially, MageCart attacks were relatively simple to identify, but cybercriminals have since adapted their tactics by concealing malicious code through encoding and obfuscation within seemingly harmless sources — such as fake images, audio files, favicons, or even GitHub repos. As a result, it has become increasingly difficult to detect these attacks by merely examining third-party code. To further avoid detection, hackers often encrypt stolen data before transmitting it from the browser, bypassing pattern detection systems designed to identify credit card numbers.

What is the impact of a MageCart malware infection?​

MageCart malware can have several detrimental effects on a website, particularly those related to eCommerce. As a website administrator with beginner-intermediate knowledge, it’s essential to understand the potential impacts and symptoms of MageCart attacks.

Here are some potential impacts of MageCart malware on an ecommerce store. 

Theft of customer information:
  • Primarily targets credit card information
  • Can also steal other personal data
  • Potentially affects millions of shoppers
Legal and compliance damages:
  • MageCart attacks and other malware expose companies to possible lawsuits by affected customers
  • Legal penalties if the company is subject to regulations like GDPR compliance and regulations
  • Industry penalties such as a PCI DSS audit, fines, and the inability to process credit cards
Revenue loss:
  • Ecommerce retailers may experience a decrease in online sales
  • Customers may lose trust in the retailer’s ability to prevent future breaches
Further infection:
  • MageCart groups can exfiltrate user login and administrator credentials
  • This could lead to the expansion of the attack to infect additional sites in shared server environments

Large brands are not immune to these attacks, either. MageCart groups have managed to compromise several renowned brands, demonstrating their ability to infiltrate even high-profile websites. 

Need to clean your website from malware?

Looking for help setting up security for your website? Our pros are here to assist you 24/7!

Different types of MageCart attacks​

MageCart attacks can be categorized into several types:

  • Client side MageCart attacks
  • Server side MageCart attacks
  • Hybrid MageCart attacks

Let’s take a look at some examples of these infections.

Client side MageCart attacks

MageCart attacks that occur solely on the client side work exclusively in the user’s browser. Hackers use JavaScript to harvest and exfiltrate customer information from checkout forms and payment pages. 

MageCart Javascript injections typically take two different forms:

  1. Injecting a malicious, standalone JavaScript file from a malicious domain, usually into the website database.
  2. Injecting malicious JavaScript code into an already-existing file on the website which loads during the checkout process.

The first scenario can occur through a few different ways, but often involves compromised administrator panels in environments like Magento or WordPress/WooCommerce. Compromised or malicious admin accounts can abuse admin panel functionality like miscellaneous JavaScript fields (otherwise used to place things such as Google Tag Manager scripts or web analytics scripts), widgets, or post/page content.


The second scenario can occur when the attackers are able to obtain write-access to the file system. This can occur in a number of different ways, for example compromised web hosting panels or FTP accounts, administrator accounts where file-editing access is enabled (such as by-default on WordPress environments if DISALLOW_FILE_EDIT hardening rules are not configured), or in websites where vulnerabilities are present which allows attackers to modify the file system.

Server side MageCart attacks

If attackers are able to compromise the file system, they may choose to inject a PHP-based skimmer. These are more difficult to detect as they are not visible in a web browser. 

Magecart infections on the server can take several forms, including:

  1. A compromised PHP file related to the checkout process (such as Magento payment processing or WooCommerce files)
  2. A malicious or infected plugin, theme, or core file (such as in WordPress environments)

In rare cases, attackers have also been observed compromising servers on the root level and replacing the actual binaries on the server with malicious versions.

Hybrid MageCart attacks

Hybrid attacks occur when a hacker injects both client-side JavaScript code that steals information and server side PHP code designed to process or exfiltrate stolen information. The malicious Javascript captures payment details in the web browser and sends it back to the server-side portion of the skimmer located on the same server. Because the exfiltration occurs behind the scenes, the attacker prevents visible requests to third party resources, evading detection from monitoring services. 

How to detect MageCart?​

Detecting a MageCart infection on a website depends on the type of malware, whether it is JavaScript or PHP based. JavaScript infections can be seen in the browser and by some antivirus programs, whereas PHP infections require server-side and file-integrity monitoring to detect.

Script blocker browser extensions like NoScript can be very useful to check if there is JavaScript loading from malicious or unfamiliar third-party domains on the checkout page. Other tools such as EKFiddle are useful for web traffic inspection to identify any malicious JavaScript injected into checkout files.

For PHP based infections, our server side scanner is a very useful tool for monitoring for malicious injections as well as file modifications which you may not recognise.

Keep in mind that attackers spend a great deal of time and other resources into writing new malware to evade detection from existing security signatures, so any unrecognized file modifications should be investigated even if no malware or security warning is present.

How to cleanup MageCart malware​

MageCart malware infections can be challenging security incidents to investigate and remediate, and even seasoned professionals can sometimes struggle with identifying the source of the payload. If your eCommerce website has a known skimming attack we highly recommend contacting professionals to assist.

If you are trying to cleanup an infection yourself, check out our step-by-step malware cleanup guides below:

Finding and removing a MageCart infection comes down to a few core concepts:

  1. Reviewing recently modified files, or files modified within the timeframe of reported credit card theft/fraud related to your website
  2. Inspecting your checkout page for any strange behavior
  3. Checking for any JavaScript injected into the database
  4. Running integrity checks of your core files and/or payment module files
  5. Checking plugin, theme or core files which do not match known-good checksums

Be sure to make a full website backup prior to any changes to your environment.

How to protect your ecommerce store from MageCart​

MageCart attacks on ecommerce stores can lead to severe consequences, including financial losses and damage to a company’s reputation.

As more websites handle payment information from users, the prevalence of MageCart-style attacks and sophisticated botnet attacks using stolen credentials is increasing. To safeguard your online business, it is essential to adopt an end-to-end web security strategy that not only mitigates MageCart attacks in the browser but also protects backend infrastructure from threats.

Take the following necessary precautions to protect your online store:

  • Regularly update your software, including CMS, plugins, themes, and other third party code
  • Use strong and unique passwords for all of your accounts, including, admins, sFTP, and database credentials
  • Only use third-party JavaScript from reputable sources and be selective about the third party scripts you add to your website
  • Monitor your site for unauthorized access or changes
  • Implement a web application firewall and intrusion detection system to block bad bots, virtually patch known vulnerabilities, and protect against malware
  • Set up a Content Security Policy (CSP) header on your ecommerce store. These HTTP response headers can help add an additional layer of protection from clickjacking and cross-site scripting (XSS), prevent data exfiltration via allowlists for trusted network locations, and enhance your security by allowing an admin to set browser resource restrictions for JavaScript and CSS.

You’ll also want to focus on restricting unauthorized access to sensitive data; that means practicing the principle of least privilege to mitigate risk. Be sure to implement a robust security solution that examines and controls all API calls made by your website to the browser. This should ensure that only approved access to sensitive data is granted, preventing malicious or non-essential third-party scripts from obtaining customer information. 

Any security system you implement should also include monitoring features that send alerts when any indicators of compromise are detected. 

Need help protecting your ecommerce store from malware?

Respond quickly to threats. Take your security to the next level with the Sucuri Platform.

Sucuri Resource Library

Say on top emerging website security threats with our helpful guides, email, courses, and blog content.


Learn how to identify issues if you suspect your WordPress site has been hacked.

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.


Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.