A new Magecart-style campaign is actively targeting e-commerce websites by injecting malicious JavaScript that intercepts and exfiltrates payment card data during checkout.
The malicious script was hosted at cc-analytics[.]com/app.js and discovered on compromised e-commerce sites through script injection.
The code employs heavy obfuscation using hex encoding and base conversion functions to evade detection.
Security researchers deobfuscated the payload using debugger methods and Python string analysis, revealing the true intent: harvesting sensitive payment information.
The decompiled code demonstrates how the attack works. Event listeners are placed on checkout input fields and payment method buttons.
When users enter credit card numbers or billing information, the JavaScript collects these values and transmits them to attacker-controlled servers at pstatics[.]com via XMLHttpRequest POST requests.
The discovery, initially shared on X by SDCyber Research, reveals a sophisticated operation utilizing obfuscated code and distributed infrastructure across multiple domains.
The data exfiltration only occurs when card numbers exceed 14 characters, suggesting the attackers implemented basic validation to avoid capturing incomplete or test data.
Infrastructure Discovery
Pivoting on the initial domain through URLScan revealed a broader attack infrastructure. The malicious script appeared on multiple compromised websites, injected via tags in the DOM.
By analyzing transaction logs, researchers identified the hosting IP address as 45.61.136.141, which led to discovering additional malicious domains following similar naming patterns: jgetjs.com, getnjs.com, getvjs.com, getejs.com, and utilanalytics.com.
Analysis of hosted JavaScript payloads across these domains showed nearly identical code, indicating infrastructure reuse across multiple attack campaigns. This pattern suggests a coordinated threat group or shared tooling among various actors.
A comprehensive pivot uncovered an expanded domain portfolio potentially linked to this campaign.
This includes domains masquerading as legitimate services (youtuber-dashboardwme.pro), infrastructure naming conventions referencing the hosting IP (45-61-136-141.cprapid.com), and nameserver patterns across multiple suspicious domains.
The complete list encompasses 30+ domains, though researchers emphasize the importance of validation before implementing blocking rules, as some may be false positives or sinkholed domains.
Detection and Response
The attack highlights the effectiveness of simple reconnaissance techniques. Free tools like URLScan, publicWWW, and WHOIS queries proved sufficient to map attacker infrastructure and identify patterns.
Organizations can detect similar injections by monitoring for unexpected script tags in checkout pages, analyzing network requests during payment processing, and searching public data sources for mentions of their domain names.
This Magecart variant demonstrates that payment data theft remains highly profitable for cybercriminals.
The campaign’s longevity at least one year of activity combined with infrastructure reuse suggests operational sustainability.
The threat underscores the importance of e-commerce security, including content security policies, script integrity verification, and payment form isolation.
Defenders should prioritize identifying injected scripts on checkout pages, monitor for suspicious POST requests to external domains, and implement subresource integrity checks.
The investigation illustrates how public signals, when properly correlated, reveal entire attack campaigns a reminder that threat hunting remains accessible to organizations with basic security tools and analytical discipline.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.