Magecart Campaign Deploys 50+ Malicious Scripts to Hijack E-Commerce Transactions


A sophisticated and expansive Magecart campaign has been uncovered, marking a dangerous evolution in client-side attacks.

Security researchers have identified a global operation utilizing over 50 distinct malicious scripts to hijack checkout and account creation flows across dozens of e-commerce platforms.

Unlike traditional skimming attacks that “listen” for data, this campaign actively manipulates the user experience with modular, localized payloads designed to bypass modern security controls.

The campaign stands out for its high degree of customization. The attackers have developed specific payloads for a wide range of payment gateways, including Stripe, Mollie, PagSeguro, OnePay, and PayPal.

Instead of a one-size-fits-all skimmer, the malware detects the payment processor in use and deploys a matching “fake” payment form.

For instance, code analysis reveals a function explicitly designed to block legitimate Stripe iframes (blockStripe()), preventing the secure payment window from loading.

Figure: the blockStripe() function.

In its place, the malware injects a visually identical phishing iframe that captures sensitive data before it is encrypted by the payment provider.
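The swap described above (the legitimate Stripe frame is blocked, then a look-alike frame is inserted in its place) can be caught by a checkout-page integrity check that knows which origins are allowed to frame the payment container. The following is an added defensive example written for this article, not code from the researchers or from any payment provider; the allowlist, the frame snapshots and the look-alike host are constructed for illustration. It runs in Node on plain snapshot data and, in a browser, can be wired to a MutationObserver on the payment container.

```javascript
// Added example: integrity check for payment iframes on a checkout page.
// The pure functions take snapshots of {src} objects so they run in Node;
// installWatcher() shows how to feed them from the live DOM.

// Assumption: this shop legitimately embeds Stripe and PayPal hosted fields.
// Any other origin framed inside the payment container is suspicious.
const EXPECTED_PAYMENT_ORIGINS = [
  'https://js.stripe.com',
  'https://www.paypal.com',
];

// Origin of an iframe src, or null for about:blank / data: / unparsable
// values, which carry no origin and are flagged separately.
function frameOrigin(src) {
  if (!src || src === 'about:blank' || src.startsWith('data:')) return null;
  try {
    return new URL(src).origin;
  } catch {
    return null;
  }
}

// Audit one snapshot of frames: returns a finding per frame whose origin
// is opaque or not in the allowlist.
function auditPaymentFrames(frames, expectedOrigins = EXPECTED_PAYMENT_ORIGINS) {
  const findings = [];
  for (const f of frames) {
    const origin = frameOrigin(f.src);
    if (origin === null) {
      findings.push({ src: f.src, reason: 'opaque-origin-frame' });
    } else if (!expectedOrigins.includes(origin)) {
      findings.push({ src: f.src, reason: 'unexpected-origin', origin });
    }
  }
  return findings;
}

// Compare two snapshots. A legitimate provider frame disappearing while an
// unexpected frame appears is the block-and-replace pattern described above.
function detectFrameSwap(before, after, expectedOrigins = EXPECTED_PAYMENT_ORIGINS) {
  const legit = (frames) =>
    frames.map((f) => frameOrigin(f.src)).filter((o) => o && expectedOrigins.includes(o));
  const beforeLegit = legit(before);
  const afterLegit = legit(after);
  const removedLegitimate = beforeLegit.filter((o) => !afterLegit.includes(o));
  const suspiciousAdded = auditPaymentFrames(after, expectedOrigins);
  return {
    removedLegitimate,
    suspiciousAdded,
    swapSuspected: removedLegitimate.length > 0 && suspiciousAdded.length > 0,
  };
}

// Matching Content-Security-Policy directive: with this header served on the
// checkout page, the browser refuses to load a frame from any other origin.
function cspFrameSrc(expectedOrigins = EXPECTED_PAYMENT_ORIGINS) {
  return `frame-src ${expectedOrigins.join(' ')};`;
}

// Browser-only: watch the payment container and report a swap as it happens.
// Guarded so the module still loads under Node.
function installWatcher(container, onSwap) {
  if (typeof MutationObserver === 'undefined') return null;
  const snapshot = () =>
    Array.from(container.querySelectorAll('iframe')).map((el) => ({ src: el.src }));
  let last = snapshot();
  const observer = new MutationObserver(() => {
    const current = snapshot();
    const result = detectFrameSwap(last, current);
    if (result.swapSuspected) onSwap(result);
    last = current;
  });
  observer.observe(container, { childList: true, subtree: true, attributes: true });
  return observer;
}

// Constructed sample data: the checkout before and after a hostile script
// removes the Stripe frame and injects a look-alike (placeholder host).
const SNAPSHOT_BEFORE = [
  { src: 'https://js.stripe.com/v3/elements-inner-card.html' },
];
const SNAPSHOT_AFTER = [
  { src: 'https://cdn.lookalike-placeholder.invalid/stripe/card.html' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(detectFrameSwap(SNAPSHOT_BEFORE, SNAPSHOT_AFTER));
  console.log(cspFrameSrc());
}
```

The allowlist is the important design choice: the check does not try to recognise a "bad" frame (the campaign ships localized look-alikes per gateway, so signatures would lag), it only accepts the origins the shop knows it embeds. The same allowlist drives the `frame-src` directive, so the browser enforces in advance what the observer would otherwise only report after the fact.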

Advanced Anti-Forensics and Evasion

The operators behind this campaign have integrated significant anti-forensics capabilities to evade detection by security scanners and researchers.

Most alarmingly, this campaign signals a strategic shift from simple credit card theft to full identity compromise.

In some documented instances, attackers have used stolen credentials to create rogue administrator accounts within the victim’s e-commerce CMS, ensuring they retain access even if the initial injection vulnerability is patched.

The scripts are designed to harvest not just payment data, but also login credentials, personally identifiable information (PII), and account recovery details.

This data aggregation enables Account Takeover (ATO) attacks and allows threat actors to establish long-term persistence.
