
What is Magecart? Credit card-stealing malware proves hard to stop

In 2018, multiple large-scale online retailers like Ticketmaster and British Airways revealed that their sites were breached by Magecart hackers.

Credit card-stealing software that has been infecting e-commerce sites since 2014 remains hard to stop, with a variety of hacking groups now using variations of the code, according to security experts.

The attacks have become so common and consistent that information security professionals have given them a name: Magecart.

Magecart refers to cyberattacks in which hackers implant malicious computer code into websites and third-party suppliers of digital systems to steal credit card info as people enter it at a checkout page. While the digital theft of credit card info, known as skimming, is not new, attacks on payment pages and smaller companies represent a persistent threat that has proven so successful that it has spawned its own small cottage industry.

In 2018, multiple large-scale online retailers revealed that their sites were infected by Magecart hackers, including Ticketmaster, British Airways, electronics retailer Newegg and Sotheby’s.

Matthew Meltzer, a researcher at cybersecurity firm Volexity, said that digital card skimming is attractive to hackers because of the crime’s simplicity and high chance of reward.

“Other attacks rely on social engineering, the installation of malware, or the direct compromise of databases containing sensitive information,” Meltzer said. “One of the reasons why digital credit card skimmers have grown in popularity is likely due to the ease of this attack methodology as well as its success rate in comparison to others.”

Magecart’s success is partly due to the fact that it is nearly impossible for the consumer to detect, according to Candid Wueest, a security researcher at Symantec, which recently announced that it had blocked more than 1 million attempts to implant digital card skimmers on more than 10,000 unique websites in the past three months.

Skimming often happens when people enter their credit card information during the transaction phase. Wueest said consumers have no way to be aware of the theft.

“You will have basically no chance by naked eye,” Wueest said.

Though Magecart’s notoriety grew in 2018 as a result of the string of high-profile targets, instances of Magecart-linked cyber card skimming have been traced back to 2014, according to Yonathan Klijnsma, head researcher at RiskIQ, a cybersecurity firm.

And the amount of skimming activity has only been growing over the years. Klijnsma said that web-based credit card skimming has turned into a small black-market industry of its own. RiskIQ researchers were able to track the type of code used by skimmers and found that it went up for sale in dark web forums in 2016. That led to an increase in groups buying and selling the building blocks of code to execute Magecart attacks.

Klijnsma said they have found six groups selling various code skimming "kits," while other Magecart groups build their own, with a total of 11 different groups using some form of the code to skim credit card info.

And though he could not estimate how many credit card numbers had been stolen, Klijnsma said it was his opinion that skimmers had collected far more credit cards than were taken in high-profile data breaches including those of Home Depot and Target.

“It's just the new way of card breaching,” Klijnsma said.

Magecart groups can attempt to implant skimming code directly onto e-commerce websites, known as formjacking, or they can target smaller companies that provide services to larger companies, a strategy known as supply-chain hacking, which is how hackers accessed Ticketmaster’s checkout page in June.
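As an added illustration that is not part of the original article, the following JavaScript (run under Node.js) inventories the scripts a checkout page loads and lists the third-party ones that carry no Subresource Integrity `integrity` attribute, which is the supplier path described above. The sample HTML, the hostnames and the function names are constructed placeholders.

```javascript
// Constructed sample of a checkout page; every host here is a placeholder.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="pay"><input name="cc-number"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.supplier.example/widget.js"></script>
<script src="https://pay.vendor.example/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//stats.other.example/t.js" async></script>
<script>console.log("inline");</script>
</body></html>`;

// Return every external <script> with its resolved URL, whether it is served
// from a different host than the page, and whether it has an integrity pin.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  for (const [, attrs] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: no external supplier involved
    const url = new URL(src[1], page); // resolves relative and protocol-relative URLs
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    findings.push({
      src: url.href,
      thirdParty: url.host !== page.host,
      pinned: Boolean(integrity),
    });
  }
  return findings;
}

// Third-party scripts without an integrity attribute: if the supplier's copy
// is modified, the browser runs the new code on the checkout page unverified.
function unpinnedThirdParty(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((f) => f.thirdParty && !f.pinned)
    .map((f) => f.src);
}

console.log(unpinnedThirdParty(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout"));
```

The regular-expression parsing is adequate for an inventory of static markup; scripts injected at runtime by other scripts do not appear in the page source and need a browser-side check.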

Symantec reported that it had seen formjacking attempts more than double from August to September.

As awareness of the Magecart threat grows among researchers, retailers and consumers, "the attackers are noticing,” Meltzer said.

“They are incorporating new techniques into scripts used to sabotage compromised e-commerce sites," he said. "This includes new obfuscation techniques, the use of encryption, and even code to sabotage other credit card skimmers, which may be operating on these compromised sites.”

With newfound knowledge, the threat is continuing to increase as hackers look toward an influx in online shopping at the end of the year. According to Symantec, there is “a clear upward trend visible as we approach the holiday shopping season.”