Magecart strikes more than 2 million websites as more groups get involved

Scammers seem only to be accelerating their attacks as attention grows.

Digital scammers have included malicious Magecart code on more than 2 million websites, according to new research that demonstrates how hackers exploit seemingly trivial website vulnerabilities to easily steal customer payment information.

“Magecart” is an umbrella term that applies to hacks in which outsiders inject specific, malicious JavaScript code onto e-commerce websites to collect shoppers’ payment information. It’s a subtle fraud technique that RiskIQ has detected on 2,086,529 sites, the security company said in a report published Friday. Notable victims have included British Airways and Ticketmaster, though the number of organizations affected continues to grow because hackers now are leveraging cloud servers and other hard-to-detect methods to steal data.

The average Magecart infection lasts for 22 days, RiskIQ said. The company did not disclose which sites were included in the 2 million hit, saying only that the list included sites in Alexa’s ranking of the top 2,000 pages online.

Meanwhile, advanced cybercriminal groups also may be trying to use Magecart techniques for their own gain. Magecart Group 4, one of more than a dozen Magecart groups, is registering websites with email addresses that are connected to identities used by the Cobalt Group, a financial crime syndicate that’s haunted European banks for years, according to the security vendor Malwarebytes. Researchers there determined that one email address,, was used to register 23 domains, as well as a fraudulent Oracle business domain that later was associated with a Magecart campaign.


Those findings, released Thursday, said “it is highly unlikely that this naming convention would be known to any other actor besides those who registered both the Cobalt Group and Magecart infrastructure.” A closer inspection revealed that 10 of the separate email addresses reused the same two IP addresses “even over weeks and months between registrations.”

The research from RiskIQ and Malwarebytes is distinct but, when combined, demonstrates how payment scammers continue to proliferate despite ongoing focus on their tactics. RiskIQ previously reported that hackers had infiltrated more than 17,000 websites by scanning the web for vulnerable Amazon Web Services S3 buckets, a digital storage repository, then collecting financial information kept inside.

Before that, in July, the U.K. Information Commissioner’s Office said it would fine British Airways the equivalent of $229 million under the General Data Protection Regulation (GDPR) for security weaknesses that made a Magecart attack against the airline possible. In that case, hackers stole data about roughly 500,000 customers. British Airways has said it will appeal the fine.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.