DISCORD ABUSED IN MAGECART ATTACK TO HIDE CREDIT CARD AND PERSONAL DATA THEFT
The Source Defense Cyber Research team has identified a new Magecart-style attack that leverages Discord, a well-known legitimate communication platform, to exfiltrate stolen payment and personal information.
The malicious code was injected directly as inline first-party JavaScript, executed from the merchant’s own domain. While this technique makes the attack invisible to traditional network and script-blocking tools, Source Defense successfully detected and classified the suspicious activity in real time.
This discovery reinforces a growing trend we have observed: threat actors increasingly exploit trusted platforms such as Discord, Telegram and GitHub to disguise data theft within legitimate network traffic, instead of using traditional drop servers that are easier to detect and blacklist. This shift highlights that blacklisting alone is not a complete defense strategy.
Attack details
The obfuscated script captured sensitive data from the checkout page — including:
- Credit card number, CVV, expiration date, and cardholder name
- User ID and tax identifier fields
Once collected, the data was concatenated and sent to a Discord webhook endpoint whose address was stored in the script as a Base64-encoded string. The script then marked the session as “complete” in browser storage to avoid duplicate exfiltration.
Several obfuscation and persistence techniques are used:
- Hexadecimal variable mapping and offset array decoding to hide logic flow
- Base64 encoding to conceal the webhook address (discord.com/api/webhooks/...)
- Dynamic event binding to checkout buttons to ensure execution at the point of purchase
- Session markers (requestSent, listenerAttached) to reduce detection footprint
By embedding itself as inline code, this skimmer evaded CSP enforcement and third-party script controls — a hallmark of modern Magecart operations.
Trend of legitimate service abuse
This is not the first instance of attackers abusing legitimate cloud and messaging platforms to exfiltrate data.
Last year, Source Defense uncovered a couple of similar Magecart attacks that used another messaging platform – Telegram – as the exfiltration channel so that the traffic would appear legitimate.
In both cases, attackers took advantage of the fact that organizations rarely block access to these popular services, allowing malicious traffic to blend seamlessly into normal operations.
These incidents highlight a growing threat: the weaponization of legitimate services for data theft. As defenders increase scrutiny of suspicious domains, attackers migrate to platforms that appear benign and trustworthy.
Risk & business impact
This attack demonstrates how even trusted, first-party environments can be compromised to capture and export sensitive data — exposing:
- PCI-DSS compliance risks through unmonitored credit card data access
- Data privacy violations (PII exfiltration under GDPR, CCPA, etc.)
- Brand and customer trust erosion due to invisible client-side compromise
The use of Discord (and previously Telegram) amplifies risk by bypassing network filters and security gateways, allowing exfiltration to occur silently through sanctioned traffic channels.
Recommendations
For all organizations managing customer-facing web applications, the following steps are recommended:
- Audit inline scripts regularly for hidden or obfuscated logic.
- Review network egress policies — restrict or log traffic to platforms such as Discord, Telegram, and Slack.
- Leverage runtime monitoring tools to detect abnormal script behavior.
- Maintain continuous visibility into all first-party and third-party code changes.
- Educate developers and marketing teams about the risks of script injection and the abuse of legitimate platforms.
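The audit step above can be partly automated. The following Node.js script, an added example and not Source Defense's tooling, scans a page's inline scripts for the indicators described in the attack details: Base64 strings that decode to a messaging-platform webhook URL, plain webhook URLs, and the `requestSent` / `listenerAttached` session markers. The platform hostnames are real; the sample page, variable names and webhook path are constructed placeholders.

```javascript
// Added example: static audit of inline <script> bodies for skimmer indicators.
// Webhook host patterns for the platforms named in the post.
const WEBHOOK_PATTERNS = [
  /discord(?:app)?\.com\/api\/webhooks\//i,
  /api\.telegram\.org\/bot/i,
  /hooks\.slack\.com\/services\//i,
];
// Browser-storage flags the skimmer used to avoid double exfiltration.
const SESSION_MARKERS = ["requestSent", "listenerAttached"];

// Return inline script bodies only; <script src=...> tags are skipped here.
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Decode every Base64-looking run long enough to hold a URL; keep printable results.
function decodeBase64Candidates(src) {
  return (src.match(/[A-Za-z0-9+/]{24,}={0,2}/g) || [])
    .map((tok) => Buffer.from(tok, "base64").toString("utf8"))
    .filter((text) => /^[\x20-\x7e]+$/.test(text));
}

// Each finding records the inline script index, the indicator type and the evidence.
function auditInlineScripts(html) {
  const findings = [];
  extractInlineScripts(html).forEach((src, script) => {
    for (const p of WEBHOOK_PATTERNS) {
      if (p.test(src)) findings.push({ script, indicator: "plain_webhook", detail: src.match(p)[0] });
    }
    for (const decoded of decodeBase64Candidates(src)) {
      if (WEBHOOK_PATTERNS.some((p) => p.test(decoded)))
        findings.push({ script, indicator: "encoded_webhook", detail: decoded });
    }
    for (const marker of SESSION_MARKERS) {
      if (src.includes(marker)) findings.push({ script, indicator: "session_marker", detail: marker });
    }
  });
  return findings;
}

// Constructed sample page (placeholder webhook, not a real one): a benign inline
// script, an external script, and a skimmer-like inline script.
const FAKE_WEBHOOK = "https://discord.com/api/webhooks/000000/PLACEHOLDER";
const SAMPLE_HTML = `<script>window.dataLayer = window.dataLayer || [];</script>
<script src="/static/checkout.js"></script>
<script>var _0x1a2b = ["${Buffer.from(FAKE_WEBHOOK).toString("base64")}"];
if (!sessionStorage.getItem("requestSent")) { /* bind to checkout button */ }</script>`;

console.log(auditInlineScripts(SAMPLE_HTML));
```

Run against a saved copy of the checkout page; every `encoded_webhook` or `session_marker` finding points at an inline script that deserves manual review.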
How Source Defense detects such an attack
Source Defense identified the malicious behavior using its behavioral runtime monitoring engine, which continuously classifies every script action within a web session.
Behavioral Indicators Triggered:
- Accessing Sensitive Data – Read access to PCI and PII form fields
- Data Exfiltration – Attempted data transfer to Discord
- Risky Action – Executing code that evades security scans
- Use of Browser Storage – To persist stolen data
Source Defense’s detection provided full visibility, immediate notification, and the forensic data necessary for swift incident response.
Visual evidence
Below is a screenshot from the Source Defense detection interface, displaying the event and a segment of the malicious code analyzed by our research team.

Conclusions
Source Defense’s patented Client-Side Web App Security platform provides comprehensive visibility and control over every script executing in real time — whether first-party, third-party, or dynamically injected.
With our behavioral classification technology, organizations can:
- Detect anomalous data access and exfiltration attempts instantly
- Audit and classify first-party inline scripts safely
- Enforce policy-level responses for sensitive actions
- Maintain compliance through continuous runtime monitoring
Even in cases where active blocking is not possible (as with inline code), Source Defense empowers customers with the insight to act swiftly — transforming unknown client-side risks into measurable, manageable threats and ensuring our customers stay ahead of the next wave of evasive threats.