19 Oct 2016

Magecart Keylogger: hackers target eCommerce sites

A new type of malware called Magecart has compromised over 100 eCommerce sites. It secretly logs data entered on checkout pages and sends it to the hacker’s server. The peculiarity of the Magecart campaign is that the threat actors inject a keylogger directly into the target website. How does the Magecart malware work? How can you tell whether your eCommerce site has been compromised?

Magecart malware is targeting Magento, OpenCart, Braintree, VeriSign

RiskIQ’s researchers have been monitoring a campaign dubbed Magecart that compromised many eCommerce websites to steal payment card and other sensitive data.

Since March 2016, numerous credit cards and other details have been stolen during payment from dozens of online shops worldwide. Malicious JavaScript code acting as a form grabber or a simple “cloud based” keylogger was injected into breached shops. As buyers filled in their payment details, the data was captured and sent in real time to the attacker.

By the end of June 2016, Sucuri had stumbled upon a variant of Magecart that was targeting Magento stores that were using the Braintree Magento extension to support payments through the Braintree platform.

The hackers have now targeted several eCommerce platforms, including Magento, Powerfront CMS and OpenCart, and several payment processing services, including Braintree and VeriSign.

How does the Magecart malware operate?

In order to implant the malicious JavaScript code, the attackers first had to get access to change the source code of the website. They might have gained this access by exploiting a vulnerability in the web platform or by getting hold of admin credentials.

Then the attackers inject JavaScript code directly into the website to capture data entered by users. The researchers also highlighted the ability of the malicious code to add bogus form fields to the compromised website in an effort to collect more information from the victims.


Technical details and image from RiskIQ

You should not dismiss the potential threat of the Magecart malware, which is continuously evolving to target a growing range of eCommerce and payment platforms. According to RiskIQ, the malware is now able to obfuscate itself to hinder analysis and identification. Read the article Malware: infected sites and SEO to learn more about the consequences of malware on your eCommerce site.
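One way to check a checkout page for the two changes described above, injected JavaScript and added form fields, is to compare it against a known-good copy of the same page. This is an added example, not code from RiskIQ or from the original article; the sample pages, field names and hosts are constructed.

```python
import hashlib
from html.parser import HTMLParser

class CheckoutInventory(HTMLParser):
    """Collect what a form grabber has to touch: scripts and form fields."""
    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self.fields = set(), set(), set()
        self._buf = None  # collects text while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(a["src"].split("?")[0])  # ignore cache-busters
        elif tag == "script":
            self._buf = []
        elif tag in ("input", "select", "textarea"):
            self.fields.add(a.get("name") or a.get("id") or "(unnamed)")

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._buf = None

def inventory(html):
    parser = CheckoutInventory()
    parser.feed(html)
    parser.close()
    return parser

def diff_checkout(baseline_html, current_html):
    """Return scripts and fields present now but absent from the baseline."""
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "new_scripts": sorted(cur.scripts - base.scripts),
        "new_inline_scripts": len(cur.inline - base.inline),
        "new_fields": sorted(cur.fields - base.fields),
    }

# Constructed sample pages (not from any real shop or from the campaign).
BASELINE = ('<form><input name="card_number"><input name="cvv"></form>'
            '<script src="/js/checkout.js?v=1"></script>')
CURRENT = BASELINE.replace("v=1", "v=2") + (
    '<input name="card_pin"><script>/* constructed placeholder */</script>'
    '<script src="https://static.unknown-host.example/a.js"></script>')
```

An empty diff does not prove the page is clean: code appended to an existing script file leaves the tag list unchanged, so the script files themselves need their own integrity check.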

How do I know if my eCommerce site is infected by Magecart malware?

To know whether your eCommerce site is really infected, you have to assess your site's risk level with an advanced security solution. Visit, fill in the form for a free assessment and discover in a matter of minutes if you are infected by sophisticated malware. Are you?

If you are infected, the OZON cybersecurity solution will remove the malware from your website by patching it and prevent it from ever being infected again in the future.