An extensive network of domains associated with an ongoing Magecart web-skimming attack targeting major credit card companies, their clients, and third-party payment processors has been active since early 2022.

In a Jan. 13 blog post, Silent Push researchers said the most likely victims of this long-running Magecart campaign are online shoppers, compromised e-commerce stores, and the payment providers.

The campaign has targeted at least six providers: American Express, Diners Club, Discover, JCB Co., Ltd., MasterCard, and Union Pay. Organizations that are clients of these payment providers are the most likely to have been compromised.

The researchers said the name Magecart is used to describe client-side attacks that covertly exfiltrate sensitive user data from web forms during online transactions, encompassing activity by both the original groups and all subsequent copycat groups. While the first Magecart attacks were observed as early as 2010, the first mass-executed attacks took place in 2015.

Noelle Murata, senior security engineer at Xcape, Inc., said Silent Push’s findings show that this latest Magecart network is not an isolated event but a widespread, long-running skimming operation. Active since early 2022, it uses bulletproof hosting to silently steal payment information from e-commerce checkouts, Murata said.

“Magecart doesn’t crash systems,” said Murata. “It quietly extracts trust, one transaction at a time. Businesses need to understand that every third-party script on their payment page is a potential entry point that's likely already been exploited. The campaign's longevity indicates a serious failure in third-party script management; most companies still treat their checkout pages as static tool collections rather than dynamic, vulnerable attack surfaces.”

Shane Barney, chief information security officer at Keeper Security, explained that Magecart campaigns persist because they take advantage of a structural weakness in how many organizations think about web security. By operating entirely in the browser, Barney said, these attacks bypass many of the controls designed to protect servers, networks and backend systems, allowing sensitive payment and personal data to be intercepted without obvious signs of compromise.

“Rather than disrupting transactions or exploiting payment processors directly, threat actors inject malicious JavaScript into a compromised site or third-party dependency and wait for the checkout process to begin,” said Barney. “Data is skimmed in real-time and quietly exfiltrated, often before the legitimate payment flow resumes. From the user’s perspective, the site may appear to function normally, making the compromise difficult to detect and easy to miss.”

Barney added that these campaigns continue to succeed because they are quiet, scalable and profitable.

“Organizations that do not actively monitor browser-level activity often only become aware of a compromise after customers, financial institutions, or payment providers raise concerns – long after data has already been lost,” said Barney.
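The third-party script management failure described above can be made concrete with a static inventory of the scripts a checkout page loads. The following is an added example, not code from the article or from Silent Push; the sample HTML and the hostnames in it are constructed placeholders, and the first-party host name is an assumed input.

```javascript
// Added example (not from the article): inventory the <script> tags on a
// checkout page, flag third-party scripts that are not pinned with Subresource
// Integrity (SRI), and derive a CSP script-src allowlist from what is found.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Constructed sample checkout page; all hostnames are placeholders.
const SAMPLE_CHECKOUT_HTML = `
<script src="/js/app.js"></script>
<script src="https://pay.example-psp.test/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script>window.cfg = {};</script>`;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

// Classify every script: first-party vs third-party origin, whether SRI pins
// its content, and inline code (which SRI cannot cover and CSP must govern).
function auditCheckoutScripts(html, firstPartyHost) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) {
      findings.push({ src: null, host: null, kind: 'inline', integrity: false,
        risk: 'inline script on payment page' });
      continue;
    }
    let host = null;
    try { host = new URL(attrs.src, `https://${firstPartyHost}/`).hostname; } catch {}
    const thirdParty = host !== firstPartyHost;
    const integrity = Boolean(attrs.integrity);
    let risk = 'ok';
    if (thirdParty && !integrity) risk = 'third-party script without SRI';
    else if (thirdParty) risk = 'third-party script (pinned by SRI)';
    findings.push({ src: attrs.src, host,
      kind: thirdParty ? 'third-party' : 'first-party', integrity, risk });
  }
  return findings;
}

// Build a CSP script-src allowlist from the inventory: a skimmer loader that
// later reaches for an unlisted host is blocked and reported, not silently run.
function suggestScriptSrc(findings) {
  const hosts = new Set(findings.filter(f => f.kind === 'third-party').map(f => f.host));
  return `script-src 'self' ${[...hosts].sort().join(' ')}; report-uri /csp-report`;
}
```

Running `auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, 'shop.example.test')` flags the analytics tag as an unpinned third-party script and the inline block as uncovered by SRI; the suggested header is a starting point to be tested in report-only mode against the real checkout flow.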
Magecart network targeted Amex, Diners Club, MasterCard since 2022