
The attack directly threatens consumer payment data and can cause costly breaches for online retailers, highlighting the urgent need for stronger script‑security controls in e‑commerce platforms.
Magecart groups have long exploited third‑party script inclusion to skim payment data, but the latest campaign demonstrates a heightened level of operational maturity. By leveraging heavily obfuscated JavaScript that only activates when a valid card number is entered, the attackers reduce noise and avoid detection by basic pattern‑matching tools. The use of a single hosting IP across dozens of look‑alike domains suggests a shared infrastructure, enabling rapid redeployment if any single domain is taken down. This modular approach also complicates attribution, as multiple threat actors can reuse the same code base.
Technical analysts deobfuscated the payload using debugger breakpoints and Python string manipulation, revealing event listeners attached to checkout fields and a conditional check for numbers longer than 14 characters. The script then sends the harvested data to pstatics.com via an XMLHttpRequest, a method that blends in with legitimate traffic. Researchers mapped the ecosystem with free tools like URLScan, publicWWW, and WHOIS, uncovering related domains such as jgetjs.com and utilanalytics.com. This open‑source reconnaissance underscores how even modest security budgets can uncover sophisticated threat networks when proper threat‑hunting practices are applied.
For merchants, the takeaway is clear: reliance on third‑party scripts without verification is a high‑risk posture. Implementing a strict Content‑Security‑Policy that whitelists only trusted sources, coupled with Subresource Integrity hashes, can block unauthorized code execution. Isolating payment forms in sandboxed iframes further limits exposure, ensuring that even if a script is injected, it cannot access sensitive fields. Continuous monitoring for unexpected <script> tags and outbound POST requests to unknown domains should become a baseline control, protecting both brand reputation and consumer trust.
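The script-tag monitoring and allowlisting described above can be checked offline against a saved copy of a checkout page. The following is an added example, not code from the article or the researchers: the store origin, the allowlisted CDN host and the sample HTML are constructed assumptions, and the check only confirms that an integrity attribute is present and well-formed, not that the hash matches the file.

```javascript
// Added example, not code from the article. Hostnames are constructed
// placeholders except jgetjs.com, which the article names; its path is made up.
const PAGE_ORIGIN = 'https://shop.example';            // assumed store origin
const THIRD_PARTY_ALLOW = new Set(['cdn.payments.example']);

// Constructed checkout HTML containing one injected third-party script.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn.payments.example/widgets.js"></script>
<script src="//jgetjs.com/constructed-path.js"></script>
<script>window.dataLayer = [];</script>`;

// Extract one attribute value (quoted or bare) from a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per <script> tag the policy would not permit.
function auditScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[1], 'src');
    if (src === null) {                        // blocked by CSP without 'unsafe-inline'
      findings.push({ src: '(inline)', issue: 'inline-script' });
      continue;
    }
    const url = new URL(src, pageOrigin);      // resolves relative and // URLs
    if (url.origin === pageOrigin) continue;   // first-party, covered by 'self'
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ src: url.href, issue: 'host-not-allowlisted' });
    } else if (!/^sha(256|384|512)-/.test(attr(m[1], 'integrity') ?? '')) {
      findings.push({ src: url.href, issue: 'missing-sri' });
    }
  }
  return findings;
}

// Build the script-src directive that enforces the same allowlist.
function cspFor(allowedHosts) {
  return `script-src 'self' ${[...allowedHosts].map(h => `https://${h}`).join(' ')}`;
}

console.log(auditScripts(SAMPLE_HTML, PAGE_ORIGIN, THIRD_PARTY_ALLOW), cspFor(THIRD_PARTY_ALLOW));
```

Running the audit on each deploy and diffing the findings against the previous run surfaces a newly injected script tag even when its contents are obfuscated.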