TL;DR
- Magecart attacks inject malicious JavaScript into websites to steal sensitive data like credit card numbers, PII, and login credentials — often undetected.
- Client-side vulnerabilities enable Magecart skimming, especially in third-party scripts and browser-side applications.
- Security teams often lack visibility into what happens in the user’s browser, leaving gaps in compliance and protection.
- Traditional server-side controls miss Magecart behavior, making client-side threat monitoring essential for PCI DSS and SOC 2 compliance.
- Feroot provides real-time visibility and policy enforcement for JavaScript behavior, helping prevent skimming attacks before they result in breaches or fines.
Introduction
By now, you’ve likely heard about Magecart attacks — or maybe even experienced one firsthand. Over the last few years, digital skimming has become a go-to tactic for cybercriminals targeting websites and web applications. Major organizations like Macy’s, Ticketmaster, the American Cancer Society, P&G’s First Aid Beauty, British Airways, and Newegg have all made headlines due to these breaches.
But most victims don’t make the news.
- The majority of affected businesses by Magecart attacks are small to mid-sized organizations with 50 to 1,000 employees.
- These companies often lack the advanced client-side protections that Magecart attackers now routinely exploit.
As threat actors pivot away from well-defended server-side environments, they’ve zeroed in on the client side — the part of your website that interacts directly with users. Why? Because it’s easier to compromise, often overlooked, and rich with sensitive customer data.
Forward-thinking security teams are responding by shifting focus from backend infrastructure to client-side environments. The goal? To detect and stop skimming scripts before they compromise user trust and regulatory compliance.
Let’s take a closer look at how Magecart and other skimming attacks operate — and why client-side security is no longer optional.
What is Magecart?
Magecart is a commonly used name for loosely affiliated threat groups that use digital skimming or e-skimming techniques to steal customer data. The term “Magecart” is a portmanteau of the words “Magento” (a popular open-source ecommerce software platform) and “shopping cart,” is a type of e-skimming.
What is a Magecart Attack and How Does it Work?
A Magecart attack is a process in which malicious threat actors, state-sponsored hackers, or financially motivated attackers gain access to a company’s online store. Magecart or e-skimming attacks follow a simple three-step process to inject skimming code into payment card processing pages of the website in order to make financial gain.
- Step 1
- Attackers add malicious code with skimming functions to a third- or fourth-party script that is used by the target website.
- Step 2
- The skimming function is executed by the user’s browser, allowing it to steal sensitive information by recording the keystrokes the user enters into form fields. Examples of sensitive information include account credentials, payment card information, and billing information, such as home address and phone number.
- Step 3
- The information the user enters into form fields is sent to the threat actor’s command & control (C2) server for storage and later use.
There are quite a few attack vectors for Magecart or other client-side web skimming attacks. Here are the top four that security professionals should keep a close eye on.
The Top Four Skimming Attack Vectors
Javascript Libraries
Web applications that use third-party JavaScript code are vulnerable because JavaScript inherently lacks internal security management and oversight capabilities. As a result third-party code can have an unrestricted level of access to sensitive data at the browser level.
Sideloading and Chainloading of Code
Sideloading and chainloading techniques allow actors to load JavaScripts scripts with skimming-capable malware on target web pages. E-skimming breaches via sideloading can go undetected for a long time because infected code is loaded directly into the user session by web browsers while remaining outside of the web application firewall and other security perimeter controls.
Platform or Cloud-hosted Skimming
E-skimming code has been found hosted by popular cloud platforms including Salesforce Heroku and Amazon CloudFront CDN, as well as on misconfigured Amazon S3 buckets. Such code can inject backdoors for inserting malicious code into JavaScript libraries used by thousands of organizations.
Why Attack the Client-side with Skimming Attacks?
Not to date myself, but I believe Nelly said it best:
As described above, skimming attacks are easy to execute. With current security tools, even the best security teams are unaware of malicious JavaScript code and the majority of client-side attacks. By skimming user data from the client-side, threat actors can quickly make financial gain, either immediately by using stolen information, like credit card numbers, or by selling information on the dark web.
How Much Does Customer Data Cost on the Dark Web?
While prices fluctuate and depend on many variables, the following summary offers an overview of dark web commercial models and the monetization of stolen data:
Credit Cards
- $1,000 – for a credit card with a $15,000 limit
- $800 – for a credit card with a $10,000 limit
- $450 – for a credit card with a $5,000 limit
- $45 – for an average (untested) credit card
Digital Account Credentials
- $20-$200 – Online payment ID (PayPal, etc)
- $20 – Loyalty Accounts
- $1-$10 – Online Subscription Services (e.g. Netflix, Disney+, etc.)
Other PII
- $1,000 – $2,000 – Passports
- $20 – Drivers Licence
- $1 – Average price of US Social Security Number
Why are Magecart Skimming Breaches Becoming More Frequent?
In order to operate and grow a business, organizations need websites. In this day and age, if you do not have a website, you are extremely restricted in your sales opportunities. In addition, with the COVID-19 pandemic and the continuing shift to online shopping, if customers can’t complete digital transactions with you, it is unlikely that they will do business with you. It’s now the norm for businesses to have login pages, e-commerce pages, shopping carts, and other web applications to make it easy for customers to consume their products and services.
To the vast majority of people shopping on the web (a.k.a. the majority of our population) conducting online business is relatively easy and safe.
However, the reality is somewhat different.
Today, websites and web applications are assembled by third-party scripts and code libraries to implement business-driven functionalities and features such as analytics, marketing retargeting ads, live chats, forms, or shopping carts. Modern web developers use third-party scripts to speed up application and website development since building websites and web apps from scratch is cost prohibitive. The problem with third- or fourth-party scripts is that they are built by developers of varying capability levels and a lot of the time are built without security in mind. So many third-party scripts leave organizations vulnerable to skimming attacks.
Skimming of data takes place directly on the visitor’s browser, which is outside the organization’s security perimeter, and outside of the purview of the security team. The majority of security operations technologies including data loss prevention (DLP) systems, code scanning, and web application firewalls are completely blind to skimming breaches.
The majority of skimming attacks are discovered weeks or even months after the damage has been done. Businesses that are victims of a skimming attack generally have no visibility across all of their client-side web assets, and end up having to clean-up a bitter mess caused by a client-side security incident, of which the post-breach costs can reach hundreds of millions of dollars.
What Can I Do to Protect My Business and My Customers?
Regardless if you are a marketer, a customer service professional, a security professional, or an application developer, you are responsible for protecting your most critical assets—your customers. In order to grow your business and avoid costly data breaches, it’s your responsibility to prevent Magecart and other skimming attacks, and the associated data exfiltration. The dangers that come through the client side are significant, as are the historic challenges to defeat them—complexity, a lack of visibility, and an inability to uncover, remediate, and prevent client-side security threats. But with knowledge of what is needed, it can be done and not just said.
To learn how to detect and prevent skimming attacks, please download our white paper.
FAQ
What is a Magecart attack and how does it work?
Magecart refers to a set of techniques used by threat actors to inject malicious JavaScript into web pages—often through third-party scripts—to skim sensitive information like credit card data as users interact with a site.
Why are Magecart attacks hard to detect?
They exploit client-side vulnerabilities, meaning the malicious activity occurs in the user’s browser. Traditional security tools focus on server-side defenses and rarely monitor what happens after a page loads.
What industries are most targeted by Magecart groups?
Ecommerce, SaaS platforms, healthcare, and finance—any site that processes personal or payment data—is a top target due to the high value of stolen information.
How do Magecart attacks affect PCI DSS compliance?
They violate PCI DSS requirements (especially 6.4.3 and 11.6.1) by enabling unauthorized script changes and unmonitored browser-side activity. Organizations without client-side controls risk non-compliance and breach penalties.
How can Feroot help prevent Magecart attacks?
Feroot monitors and controls JavaScript behavior in real time, detects unauthorized script activity, and maps threats to compliance requirements. It closes the visibility gap left by legacy tools.
