This article is more than 1 year old

Payment-card-skimming Magecart strikes again: Zero out of five for infecting e-retail sites

Customer ratings plugin treated to a malicious rewrite to swipe entered banking info

The payment-card-skimming malware operation dubbed Magecart has turned up again, this time in Shopper Approved, a customer rating plugin for websites.

Shopper Approved is a toolkit used by hundreds of e-commerce sites, and it was infected with the MageCart spyware, allowing crooks to siphon off bank card data entered into webpages using the customer-rating plugin, infosec biz RiskIQ reported this week. The infection, first spotted on September 15, closely resembles the cyber-attack that emerged over the summer against Ticketmaster rather than the later and more sophisticated, and high profile, raid on British Airways passengers.

In all of these cases, third-party software components were hacked to plant credit-card-skimming JavaScript code on the payment pages of websites embedding said components. In other words, crims broke into the servers hosting these software add-ons, and altered the JavaScript to silently and secretly upload to hacker-controlled systems financial data typed in by victims into the websites using the hijacked add-ons.

Initially, in this case, the data thieves made a mistake, and the card-slurping code was left clearly noticeable. However, the mistake was quickly spotted and quietly sorted by the crooks.

It's going to get worse

Magecart refers to a toolkit of malicious software and half a dozen groups of miscreants deploying this code, rather than a single group of cybercriminals. “The six groups under Magecart have ramped up their operations, becoming more clever, and in many cases, sophisticated, with each attack,” RiskIQ's Yonathan Klijnsma warned.

"Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. These attacks are only getting more and more traction as the groups learn how to become more effective."

RiskIQ worked with Shopper Approved to block and remediate the infection, which was curtailed by mid September. This cleared the way for RiskIQ to go public with its findings on Tuesday this week.

People playing whack-a-mole game

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS


El Reg asked US-based Shopper Approved to explain what how it was handling the fallout of network intrusion, and what advice it had for its customers.

"Upon learning of the event, we promptly initiated an internal investigation, engaged a leading IT forensics firm to assist in our review and took steps to remediate the issue and enhance our security features for both our website and the Shopper Approved seal. Additionally, we have worked closely with researchers at RiskIQ to better understand the issue and help protect against similar events in the future," a Shopper Approved spokesperson told The Register in a statement.

"The incident only affected a small portion of our customers that use the Shopper Approved seal on their website, and we have reached out directly to those we believe may have been affected. The security of our systems and customers is a top priority for Shopper Approved, and we regret any inconvenience this incident may have caused." ®


Magecart is using more and more cunning techniques to evade detection, according to security researcher Willem de Groot, here.

More about

More about

More about


Send us news

Other stories you might like