You need to protect your website against Magecart now — these attacks will show you why

You need to protect your website against Magecart now — these attacks will show you why

Can you name the biggest threat to your website or web app’s security? If you guessed “JavaScript”, you would be correct. A recent analysis of more than 133,000 websites found 37 percent had at least one JavaScript vulnerability, and another study found that more than 80 percent of websites are susceptible to infiltration from a malicious script.

As server-side data security improves, cybercriminals have shifted their focus to the browser. After compromising a third-party script, hackers can inject a skimmer into a website in order to scrape credit card numbers and other personal data entered into HTML forms by website visitors. Their malicious JavaScript is largely invisible to server-side security and obfuscated to avoid easy detection during audits. These skimmers persist on average for 12.7 days before they are discovered.

Many organizations don’t realize that leveraging code from outside companies affords that code the same level of access to data and cookies on visitors’ browsers as your trusted first-party code. The services you use to provide live chat, gather analytics, or serve retargeting ads can also display messages to users, record sensitive data, and even redirect customer data to other servers. 

The biggest name right now in third-party JavaScript attacks is Magecart. The name derives from hacking groups whose early exploits targeted websites with unpatched Magento installations. Since those early days, Magecart has unleashed more than 6,400 skimming attacks. Successful targets include British Airways, NewEgg, and Ticketmaster. 

Here are some of the biggest Magecart attacks from over the last year:

British Airways, Ticketmaster, Newegg, and more

After compromising an ad retargeting script from Adverline, Magecart infiltrated hundreds of eCommerce sites and stole data from thousands of unsuspecting customers. This included major players, including, but not limited to, British Airways, Ticketmaster, Newegg, and OXO.

In the case of British Airways, Magecart hackers used legitimate SSL certificates and domain names that were similar to BA’s website domain in order to hide the breach. The attack only last 15 days, but resulted in sensitive transaction data being stolen from 500,000 customers. As a result, British Airways was slapped with a $230 million fine by the UK’s privacy authority for failing to protect its customers’ data.  

What British Airways teaches us about web skimming attacks and avoiding GDPR finesRelated Webinar

Quest Diagnostics

Magecart breached the American Medical Collection Agency, a third-party collections vendor for Quest Diagnostics. The attack began in August 2018 and was uncovered in March 2019. The hackers scraped credit card information, personal data, and medical information for nearly 12 million patients.

My Pillow 

It’s not uncommon for a company to detect and remove a Magecart infiltration only to become reinfected within a few days. Bedding retailer faced this exact problem.

The first attack used a skimming script that loaded from a domain name which looked very similar — which used a “t” instead of an “i” in the domain name — the hackers even went so far as to obtain an SSL certificate for this domain. When the initial attack was discovered, the hackers changed tactics.

The second time, Magecart used a domain called, a riff on the live chat application used by MyPillow. The hackers proxied the standard script used by LiveChat and appended their skimming code below it. 

Campus online stores 

The checkout pages for more than two hundred college campuses in the United States and Canada were also infiltrated by Magecart. The criminals mimicked a Google Analytics script to hide their skimming code. They determined that unauthorized parties installed malicious software with the intention of capturing eCommerce customer information. 


Consumers who visited to sign up for a subscription earlier this year had their name, address, credit card details, and email stolen by Magecart. In this case, attackers enabled two-way communication over web sockets — while this attack focused on data exfiltration, it could have potentially led to command and control situations. 

Shield your website against third-party vulnerabilities with Instart

Bedding, books, magazines - these businesses don’t have much in common besides their (unprotected) use of JavaScript. Fifty percent of the content served by an average website comes from a third party, and it’s not uncommon for a website to utilize code by 50 different companies.

Because third-party scripts don’t go through internal security protocols and infrastructure, many websites are easy targets. Hackers count on companies being reactive rather than proactive.

Attack guide: How Magecart skimming attacks workRelated Solution brief

The good news is, preventative measures exist. As Peter Blum, Instart VP of Technology explained in an interview with TechRepublic:

The best defense against Magecart attacks is preventing access. Online companies need a solution that intercepts all of the API calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information customers enter on your website.

This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information. It's critical that brands think beyond the edge and deploy end-to-end web security protection that can mitigate Magecart attacks in the browser and protect backend infrastructure.

Instart Web Skimming Protection provides deep browser-level controls to protect form fields and cookies from unauthorized third-party access. With Instart, you’ll be able to see if and when third-party scripts are loaded, what data they can access, and receive alerts when a script diverts from expected behavior. Thousands of websites are vulnerable to a Magecart attack, ensure yours isn’t one of them.

Instart helps to fully protect your brand from the latest malicious threatsRequest a demo