A MASQUERADING SKIMMER QUIETLY STEALING FROM HUNDREDS OF STORES FOR YEARS

An organized Magecart group has been quietly stealing credit card data from hundreds of online stores for years now, by doing two things extremely well: 

  • constantly changing the malware on each victim site 
  • hiding the stolen data inside normal traffic to legitimate businesses. 

Instead of a single, easily blockable skimmer, they built a “malware factory” that generates a unique script for every store, tailored to its payment provider, while exfiltrating payment details to more than 30 hijacked company websites that appear completely trustworthy to traditional tools. 

The result is a long-running campaign that signature-based antivirus, domain blacklists, and most web scanners simply do not see, even as full card data, billing details, and contact information are harvested directly from checkout pages.

Attack details

The attackers are exploiting an unpatched critical Magento/Adobe Commerce vulnerability to drop a backdoor file into the public web directory and gain persistent access to the store’s code. 

From there, they deploy a customized JavaScript skimmer into the checkout experience that looks different on every site: code structure, obfuscation tricks, and variable layouts all change, but the behavior is the same. The script “stalks” the payment flow by polling the checkout DOM, waiting for shoppers to reach the payment step, then reading credit card fields, contact details, and billing information directly in the browser.

Instead of sending this data to obvious criminal infrastructure, it posts it to more than 30 compromised, legitimate business domains (such as furniture retailers, gyms, and regional companies) that have valid certificates and long-standing reputations, and in every case the stolen data is funneled to the exact same URL path on those sites, /pub/health_check.php, giving the attackers a single, consistent collection point that still looks like a harmless health check in most logs.

This combination of polymorphic client-side malware and a hijacked, path-consistent collection network has allowed the campaign to persist for years while quietly feeding tens of thousands of cards into downstream fraud.

How Source Defense protects you

Source Defense is designed specifically to stop this kind of “shapeshifting” Magecart activity by focusing on behavior in the browser rather than static signatures or domain reputation. By continuously governing first-party script actions across your entire website – in addition to the payment pages – Source Defense can report on access to PCI data fields, detect attempts to read payment card numbers and CVV at the point of input, and identify efforts to transfer that data to external destinations, even when those destinations are seemingly legitimate businesses. 

Furthermore, as part of this research, the Source Defense research team identified newly compromised domains and proactively marked them as blacklisted – before they appeared on traditional reputation lists. As a result, Source Defense customers would receive alerts while such an attack was still active, as opposed to only being alerted once it becomes widely recognized – if at all.

In practice, when a script on your site begins to behave like this campaign’s skimmer – accessing PCI fields or attempting to send data to a new external host or, worse, a blacklisted domain – the platform surfaces clear signals such as:

  • Accessing PCI data
  • Transferring data
  • Sending data to blacklisted domain
  • Using 1st party cookies
  • Using browser storage

These signals appear in the notification center and dashboard summaries, and can be forwarded via email or webhook into SIEM, SOAR, or ticketing systems so your security and operations teams receive immediate, correlated visibility, long before traditional tools would recognize a problem.
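To make the exfiltration pattern from the attack details and the behavioral signals listed above concrete, here is an added example (not Source Defense’s product code) that classifies outbound requests observed on a checkout page. Only the collection path /pub/health_check.php comes from the research; the store, payment-provider and drop-site hostnames and the sample requests are constructed.

```javascript
// Added example, not Source Defense's product code: map outbound requests seen on a
// checkout page to behavioral signals. All hostnames below are constructed placeholders.
const FIRST_PARTY = 'shop.example';                               // the store itself (constructed)
const ALLOWED_THIRD_PARTIES = new Set(['api.payments.example']);   // the store's PSP (constructed)
const CAMPAIGN_PATH = '/pub/health_check.php';                    // shared collection path (from the research)
const BLACKLISTED_HOSTS = new Set(['compromised-furniture-store.example']); // constructed drop site

// Luhn check so order numbers and timestamps do not count as card numbers.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// True if the body carries a 13-19 digit Luhn-valid number (a likely PAN).
function containsPan(body) {
  const runs = body.replace(/[\s-]/g, '').match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Classify one request. Host reputation is deliberately not consulted: the destination may
// be a real business; what matters is that checkout data leaves to a non-allowlisted place.
function classifyRequest({ url, body }) {
  const { hostname, pathname } = new URL(url);
  if (hostname === FIRST_PARTY || ALLOWED_THIRD_PARTIES.has(hostname)) return [];
  const signals = ['Transferring data'];
  if (BLACKLISTED_HOSTS.has(hostname)) signals.push('Sending data to blacklisted domain');
  if (pathname === CAMPAIGN_PATH) signals.push('Known skimmer collection path');
  if (containsPan(body)) signals.push('PCI data in payload');
  return signals;
}

// Constructed sample traffic: a legitimate PSP call, a post to a known drop site, and a
// post to a freshly rotated host that is not yet on any blacklist (path check still fires).
const SAMPLE_REQUESTS = [
  { url: 'https://api.payments.example/v1/tokens',
    body: '{"number":"4111111111111111","exp":"12/27","cvc":"123"}' },
  { url: 'https://compromised-furniture-store.example/pub/health_check.php',
    body: '{"cc":"4111 1111 1111 1111","cvv":"123","name":"J. Doe","zip":"90210"}' },
  { url: 'https://regional-gym.example/pub/health_check.php',
    body: 'data=eyJjYyI6Ii4uLiJ9' },
];

function triage(requests = SAMPLE_REQUESTS) {
  return requests.map(r => ({ host: new URL(r.url).hostname, signals: classifyRequest(r) }));
}
```

The third sample shows why the path check matters: an encoded payload to a host nobody has blacklisted yet still triggers an alert, closing the lag the text describes between infrastructure rotation and reputation-list updates.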

Key takeaways

This campaign is a textbook example of why traditional security controls – antivirus, domain blacklists, WAFs, and server-side logging alone – are not enough to stop modern eSkimming and Magecart attacks that live entirely in the browser and disguise themselves behind trusted businesses. They’re also often too slow: domain reputation systems typically lag newly compromised infrastructure, leaving a detection gap right when attackers first rotate to “fresh” destinations.

The attackers succeeded not because they were invisible everywhere, but because no one was watching what the JavaScript on the checkout page was actually doing to cardholder data. Client-side, behavior-based protection fills that gap: it helps you comply with PCI DSS 4.0.1 requirements for script control and change detection, sharply reduces the likelihood of a costly PCI investigation and mass customer notification event, and gives you confidence that even long-running, shapeshifting campaigns cannot silently siphon off card data from your customers while your existing stack reports that everything is normal. And when attackers try to hide behind newly compromised, seemingly legitimate domains, Source Defense closes the timing gap too; our research team continuously identifies and preemptively blacklists these domains ahead of mainstream lists, so you can detect and respond while the attack is still active, not after it’s widely recognized.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
