If you’ve recently used a credit card to shop online, you may have been the target of a massive, hidden cyberattack. Security researchers at Silent Push have identified an extensive network of malicious domains dedicated to Magecart, a term used to describe a specific type of online credit card theft and the various groups that carry it out.
In a report shared with Hackread.com, the team revealed that this specific campaign has been operating secretly since at least January 2022, and the scope of the attack is disturbingly wide, targeting customers using nearly every major payment network, including Mastercard, American Express, Discover, Diners Club, JCB, and UnionPay.
A Trap Hidden in Plain Sight
What makes this network so dangerous is its ability to blend in. The attackers host their scripts on domains that sound harmless. Such as a particular site cdn-cookie.com was found on servers belonging to PQ.Hosting (aka Stark Industries), a company currently facing European sanctions.
According to Silent Push researchers, the code is smart enough to hide from the people who actually run the stores. If the script detects a WordPress Admin Bar, which is the toolbar that appears when a site owner is logged in, it instantly deletes itself to avoid being caught.
“This is done to evade the prying eyes of website administrators, increasing the chance of the malware’s survival,” researchers noted in the blog post published on 13 January, 2026.
The Double-Entry Trick
The core of this scam is based on psychological deception. When a regular shopper goes to pay, the malware hides the real payment box and replaces it with a fake one that looks identical. It even recognises which card you are using, such as if you type a Mastercard number, a small Mastercard logo pops up to make the form look official.
Once you click ‘Place Order,’ the hackers grab your name, address, and card digits. To keep you from getting suspicious, the script quickly brings back the real payment form and shows an error message. Most people assume they just made a typo, re-enter their info into the real form, and the sale goes through. As we know it, you get your package, but the thieves already have your data.
How to Protect Yourself
It is worth noting that because this happens inside your own web browser, it is nearly impossible for a normal user to see. However, there are small red flags, like if a site suddenly asks you to re-enter your payment info after an odd error, or if the form looks slightly different the second time, it could be a sign of a skimmer.
Silent Push suggests that store owners must stay one step ahead by strictly controlling what scripts are allowed to run on their pages. For the rest of us, keeping a close eye on bank statements remains the best defence against these invisible skimmers.