When one Magecart attack isn't enough: three attacks, one website

The Source Defense Research Team has uncovered a rare and dangerous scenario: three distinct Magecart campaigns skimming the same Australian e-commerce website at the same time.

This finding underscores a troubling trend: once a website is compromised, it can become a battleground for multiple criminal groups, all attempting to skim customer payment data simultaneously.

The three attacks:

1. Magecart script delivered over a WebSocket

How it works:

Code injected into the page opens a WebSocket to jgueurystatic[.]xyz. The skimmer itself arrives as an incoming WebSocket message rather than as a script resource, so no <script src> in the page ever points at the attacker's host. Stolen payment data is sent back to the same domain with an XHR request.

Scope:

Found active on ~25 websites worldwide.

2. Third-party Magecart script

How it works:

Loads a Magecart script directly from the third-party domain worksgethub[.]com. After capturing payment details, the script exfiltrates the data via a GET request to the same domain that is disguised as an ordinary script request, so it blends in with legitimate resource loads.

Scope:

Found active on 5 e-commerce websites.

3. Inline first-party Magecart script exfiltrating data to compromised legitimate domains

How it works:

The malicious code is placed inline within a first-party script, so it loads from the site's own origin. It captures payment data and sends it to both altraxpart[.]be and avrelibeds[.]com, seemingly legitimate domains that the attacker had compromised and repurposed as collection endpoints.

Scope:

Found active on over 250 e-commerce websites worldwide.
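All three delivery and exfiltration paths above share one observable property: the checkout page talks to a host it has no business talking to. The following is an added example, not code from Source Defense or from any of the skimmers, of a minimal in-page monitor that wraps the browser APIs each attack relies on (WebSocket, XMLHttpRequest, fetch and dynamically inserted script tags) and reports any destination that is either on a blocklist of the domains named above or absent from an allowlist of expected hosts. The allowlist hosts (shop.example, cdn.shop.example, psp.example), the 200-character query-string heuristic for the disguised GET of attack #2, the constructed event log and the window-like object the hooks are installed on are all assumptions made for illustration.

```javascript
// Added example (not Source Defense's or the skimmers' code): a minimal client-side
// monitor for the three Magecart delivery/exfiltration paths described in the article.

// IOCs from the article, kept defanged; refanged only for hostname comparison.
const KNOWN_BAD_HOSTS = new Set(
  ['jgueurystatic[.]xyz', 'worksgethub[.]com', 'altraxpart[.]be', 'avrelibeds[.]com']
    .map((d) => d.replace('[.]', '.'))
);
// Assumed first-party and vetted third-party hosts for the checkout page.
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.shop.example', 'psp.example']);

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch { return null; }
}

// Classify one observed browser event {kind, url, pageOrigin}; null means benign.
function classify(evt, allowed = ALLOWED_HOSTS, bad = KNOWN_BAD_HOSTS) {
  const host = hostOf(evt.url, evt.pageOrigin);
  if (host === null) {
    return { severity: 'medium', reason: 'unparseable URL', kind: evt.kind, host: null };
  }
  if (bad.has(host)) {
    return { severity: 'critical', reason: `known skimmer domain ${host}`, kind: evt.kind, host };
  }
  // Attack #1 (WebSocket), #2 (script src) and the XHR/fetch exfil of #1 and #3 all
  // surface as an unexpected host; `kind` tells the analyst which path fired.
  if (!allowed.has(host)) {
    return { severity: 'high', reason: `${evt.kind} to unexpected host ${host}`, kind: evt.kind, host };
  }
  // Attack #2 pattern on an otherwise trusted host: a GET for a "script" whose query
  // string is large enough to carry card data. The 200-char threshold is an assumption.
  if (evt.kind === 'script' && new URL(evt.url, evt.pageOrigin).search.length > 200) {
    return { severity: 'medium', reason: `oversized query string on script request to ${host}`, kind: evt.kind, host };
  }
  return null;
}

// Wrap the browser APIs the three attacks use on a window-like object. `report`
// receives each alert; the real call is always forwarded so the page keeps working.
function installMonitor(win, report, allowed = ALLOWED_HOSTS) {
  const pageOrigin = win.location.href;
  const see = (kind, url) => {
    const alert = classify({ kind, url: String(url), pageOrigin }, allowed);
    if (alert) report(alert);
  };

  const RealWS = win.WebSocket;                        // attack #1: skimmer over WebSocket
  win.WebSocket = function (url, protocols) { see('websocket', url); return new RealWS(url, protocols); };
  win.WebSocket.prototype = RealWS.prototype;

  const realOpen = win.XMLHttpRequest.prototype.open;  // attacks #1 and #3: XHR exfil
  win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    see('xhr', url);
    return realOpen.call(this, method, url, ...rest);
  };

  const realFetch = win.fetch;                         // exfil may equally use fetch
  win.fetch = function (input, init) {
    see('fetch', typeof input === 'string' ? input : input.url);
    return realFetch.call(win, input, init);
  };

  // Attack #2: dynamically inserted <script src>. Only possible where a DOM exists.
  if (typeof win.MutationObserver === 'function' && win.document) {
    new win.MutationObserver((mutations) => {
      for (const m of mutations) for (const node of m.addedNodes) {
        if (node.tagName === 'SCRIPT' && node.src) see('script', node.src);
      }
    }).observe(win.document.documentElement, { childList: true, subtree: true });
  }
}

// Constructed event log approximating what the hooks would see on the compromised
// checkout page: all three skimmers plus normal first-party traffic.
const SAMPLE_EVENTS = [
  { kind: 'script',    url: 'https://cdn.shop.example/checkout.js' },
  { kind: 'websocket', url: 'wss://jgueurystatic.xyz/socket' },                      // #1 delivery
  { kind: 'xhr',       url: 'https://jgueurystatic.xyz/collect' },                   // #1 exfil
  { kind: 'script',    url: 'https://worksgethub.com/lib.js' },                      // #2 delivery
  { kind: 'script',    url: 'https://worksgethub.com/lib.js?d=' + 'A'.repeat(300) }, // #2 exfil
  { kind: 'fetch',     url: 'https://altraxpart.be/gate' },                          // #3 exfil
  { kind: 'fetch',     url: 'https://avrelibeds.com/gate' },                         // #3 exfil
  { kind: 'xhr',       url: 'https://psp.example/tokenize' },
  { kind: 'script',    url: 'https://cdn.shop.example/analytics.js?d=' + 'A'.repeat(300) }, // constructed: disguised GET to a trusted host
].map((e) => ({ ...e, pageOrigin: 'https://shop.example/checkout' }));

function runSample() {
  return SAMPLE_EVENTS.map((e) => classify(e)).filter(Boolean);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of runSample()) console.log(`[${a.severity}] ${a.kind}: ${a.reason}`);
}
```

A monitor like this is only as reliable as its load order: a script that runs before it, or that re-wraps the same prototypes after it, can bypass or suppress it, which is exactly the kind of interference between co-resident scripts that the next section describes. Treat prototype wrapping as a detection aid rather than a security boundary, and pair it with a Content-Security-Policy whose script-src and connect-src directives enforce the same allowlist in the browser itself.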

A Hidden Tug-of-War for Stolen Data

On the compromised Australian site, all three skimming campaigns were active simultaneously. Surprisingly, the first two attacks overrode and blocked the data-stealing methods of the third, meaning that only those first two groups were actually exfiltrating data. However, once our research team isolated and neutralized the first two attacks, the third skimmer immediately activated and began stealing data, confirming that multiple groups were competing for the same sensitive information.

Why this matters

This finding illustrates three key realities:

  1. One breach invites more.
    A compromised site often becomes a soft target for multiple groups.
  2. First-party trust isn’t enough.
    Attack #3 shows that attackers can plant malicious code directly inside trusted first-party scripts.
  3. Traditional security tools can't untangle this mess.
    Multiple concurrent attacks can mask one another, making detection and forensic analysis extremely difficult without behavioral, real-time monitoring of what each script on the page actually does.

How Source Defense protects you

For Protect customers, these attacks from third-party scripts are blocked automatically. For Detect users, our platform raises alerts when:

  • Scripts load from blacklisted domains (e.g., jgueurystatic[.]xyz, worksgethub[.]com, altraxpart[.]be, avrelibeds[.]com)
  • Sensitive data is sent to blacklisted destinations
  • Unauthorized scripts access PCI and PII input fields

These alerts appear in the bell notification center, the 'Found in blacklists' widget, and the dashboard summary.

Summary

Three Magecart campaigns fighting over one checkout page, while customers remain unaware, demonstrate just how ferocious and competitive the skimming ecosystem has become. The takeaway is clear: focusing on one attack type at a time isn't enough. Only a comprehensive, proactive solution can protect customers against multiple, simultaneous threats.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.
