Widespread Magecart Campaign Targets Users of All Major Credit Cards

The Magecart phenomenon has moved from isolated incidents to a coordinated, global threat that now targets every major card brand. Silent Push’s latest investigation reveals a campaign operating since 2022, siphoning Mastercard, American Express, Discover, Diners Club, JCB and UnionPay credentials across thousands of e‑commerce sites. By embedding malicious JavaScript on seemingly harmless domains, the attackers exploit the trust placed in third‑party scripts, turning ordinary checkout pages into data‑harvesting conduits. This level of scale underscores how web‑skimming has become a foundational tool in the cyber‑crime arsenal, and the financial fallout from such breaches can reach millions, eroding consumer confidence.

The new strain of Magecart code is engineered for stealth. It monitors the browser for the WordPress Admin Bar and self‑destructs the moment an administrator logs in, effectively hiding from routine site audits. Its most deceptive feature is the ‘double‑entry’ trick: the script replaces the genuine payment widget with a replica that captures card number, name and address, then instantly restores the original form and displays a fabricated error. Shoppers, convinced they made a typo, re‑submit their details, unknowingly delivering their credentials to the threat actors. The script also logs the victim’s IP, enabling later credential stuffing attacks.

Mitigating this attack requires a shift from perimeter defenses to rigorous script integrity controls. E‑commerce operators should adopt content‑security‑policy headers, employ subresource integrity checks, and whitelist only verified third‑party providers. Continuous monitoring tools that detect DOM‑mutation anomalies can flag suspicious form swaps in real time. For consumers, vigilance—such as scrutinizing repeated payment prompts and regularly reviewing statements—remains essential. As regulators tighten standards for payment data protection, the industry’s collective response will determine whether Magecart’s invisible skimmers can be contained. Adopting zero‑trust networking principles further reduces the attack surface for malicious scripts.