by Source Defense
In 2024, Magecart attacks reached new levels of sophistication, targeting thousands of e-commerce websites worldwide. At Source Defense Research, we tracked dozens of campaigns leveraging advanced techniques, from exploiting Google Tag Manager to innovative uses of WebSockets and payment form forgeries. These attacks highlight the adaptability of attackers in the face of evolving security standards, particularly with the anticipated implementation of PCI DSS 4.0.1 as it becomes mandatory in March 2025.
Fake Stripe payment page
Attack Methods
Heavy Use of Google Tag Manager (GTM)
Google Tag Manager was a prominent tool leveraged by attackers to hide malicious domains. Over 70 distinct GTM IDs were identified in attacks across thousands of websites. These GTMs called scripts from more than 30 malicious domains, while in four cases, the malicious code was embedded directly in the GTM configuration itself. Attackers adapted by using the same GTMs to call different domains over time. Some attacks also hide behind a chain of a few GTMs calling each other, further complicating detection efforts.
One of many GTMs calls the known magecart domain gstatis./co
Exploitation of WebSocket Connections
WebSocket connections emerged as a significant attack vector in 2024. Malicious scripts that use traditional Silent attacks such as keylogging, opened WebSockets to covertly transmit stolen payment data. In most cases, a first-party script initiated the WebSocket, and the attacker JS was delivered as a WebSocket message. This technique allowed attackers to bypass many conventional detection methods, leveraging the real-time nature of WebSockets to exfiltrate data efficiently.
Imitation of Payment Gateways
One of the most alarming trends is the rise of fake payment page attacks targeting two types of websites. The first type uses third-party payment providers to handle transactions, while the second collects payment details directly but fails to secure earlier stages of the purchase flow. Attackers have employed various tactics, including double-entry attacks with fake iframes mimicking payment forms or redirecting users to malicious domains hosting counterfeit pages. These fake pages often imitate well-known providers such as PayPal, Stripe, and over 20 others. After capturing credit card details, attackers typically redirect users to the legitimate payment page, leaving both customers and site administrators unaware of the breach.
Fake Stripe payment page
The Polyfill Incident: When Open-Source Goes Rogue
One of the more alarming events in 2024 was the compromise of a commonly used open-source JavaScript library hosted on the Polyfill domain. This widely adopted library provided essential functionality to many websites, particularly those needing cross-browser compatibility. However, in a dramatic turn, the Polyfill domain was purchased by an unknown and suspicious entity, and the previously benign code was replaced with malicious scripts. Thousands of websites unknowingly served the compromised script to their users, exposing them to Magecart-like attacks and other malicious activities. This event underscores the risks inherent in relying on third-party libraries, especially when they are hosted on external domains and lack rigorous tracking changes.
The Magento CVE-2024-34102 vulnerability
No review of 2024’s key e-commerce events would be complete without mentioning the second major incident of the year — the CVE-2024-34102 vulnerability affecting Magento 2.
This vulnerability has been exploited by multiple hacker groups using a range of attack methods, including injecting malicious JavaScript through compromised third-party services and supply chain attacks. Common tactics included fake payment forms to steal sensitive information, data exfiltration via WebSockets to evade detection, and embedding malicious code through Google Tag Manager IDs.
Attackers demonstrated a high degree of adaptability by employing varied approaches to maximize their reach, leading to widespread impact. More than 10,000 websites, from small businesses to large enterprises, were compromised due to the prevalence of Adobe Magento as a leading e-commerce platform.
The attack is ongoing, and the vulnerability remains actively exploited today, underscoring the difficulty in fully mitigating its effects.
The Shadow of PCI DSS 4.0.1
The PCI DSS 4.0.1 standard, set to take effect in March 2025,
This new version emphasizes monitoring and managing client-side code and changes on pages that collect credit card details. While this is a significant step forward, it leaves gaps that Magecart attackers have already begun exploiting.
Many e-commerce sites delegate payment processing to external providers, believing this removes them from the scope of PCI DSS compliance. However, Magecart attackers have identified this as a vulnerability, crafting targeted campaigns to exploit these “safe zones.”
Additionally, by focusing on pre-payment stages—such as shopping carts or review pages—attackers circumvent the protections mandated by PCI DSS, embedding malicious forms that capture sensitive payment information before customers reach secure gateways.
A fake checkout iframe with a payment form on the cart page, just before the actual checkout URL
Conclusion
The Magecart attacks of 2024 underscore the evolving nature of e-commerce threats. Attackers are leveraging increasingly sophisticated methods to exploit gaps in security and compliance standards. With PCI DSS 4.0.1 on the horizon, organizations must take proactive steps to monitor their entire transaction ecosystem and adapt to emerging threats.
By prioritizing a security-first approach and staying vigilant against evolving attack vectors, e-commerce platforms can safeguard their customers and maintain trust in an ever-changing threat landscape.
To combat these sophisticated attacks, it’s clear that security measures need to go beyond compliance. A holistic approach is essential, including monitoring the entire purchase journey: Security should extend across all stages of the user journey, not just the final payment page. This includes tracking changes and interventions on shopping cart pages, review screens, and other pre-payment steps. Regular audits of third-party tools like GTM and WebSocket connections can help identify and mitigate malicious activity before it escalates.
Finally, awareness campaigns should focus on identifying counterfeit payment forms and ensuring e-commerce administrators understand the risks of relying solely on compliance.
How Source Defense Keeps You Secure and Compliant with Source Defense
Staying ahead of threats like Magecart requires more than just meeting compliance standards—it demands proactive, comprehensive security. Source Defense goes beyond PCI DSS 4.0.1 requirements by securing every stage of the customer journey, from shopping carts to payment pages.
Our patented VICE technology isolates third-party scripts, preventing unauthorized access to sensitive data and blocking attacks in real-time. This approach not only ensures compliance but also provides peace of mind, knowing your platform and customers are protected.
With Source Defense, you’re not just compliant—you’re secure. Let us help you safeguard your e-commerce platform and simplify your path to a safer future.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
