Sophisticated Magecart Campaign Targets E-Commerce Sites Across 12 Countries for Over Two Years
A large-scale Magecart operation has been active since at least early 2024, compromising 17 WooCommerce sites across 12 countries, including the UK, Denmark, France, Spain, and the U.S. Security researchers at ANY.RUN uncovered the campaign, which has run undetected for over 24 months and rotates through more than 100 malicious domains to steal payment card data in real time.
The campaign primarily targets merchants that take payments through the Redsys ecosystem, impersonating its payment forms, and shows a notable concentration of victims in Spain. E-commerce merchants are the point of compromise, but the financial impact falls disproportionately on banks and cardholders, because the stolen card data fuels downstream fraud and erodes trust in digital payments.
How the Attack Works
The campaign employs a multi-stage infection chain designed to evade detection:
- Initial Compromise – Attackers inject an obfuscated JavaScript loader into one of the WooCommerce site's existing scripts, so the first stage is served from the merchant's own origin rather than from a new third-party script tag.
- Dynamic Payload Retrieval – The loader fetches a JSON-encoded configuration from attacker-controlled domains, cycling through backup domains if the primary ones are blocked or taken down.
- Fake Payment Overlay – The malicious script replaces or overlays the legitimate payment form with a convincing fake, mimicking trusted providers like Redsys and PayPlug SAS in multiple languages (English, Spanish, Arabic, French).
- Data Exfiltration via WebSockets – Stolen card details (BIN, full number, CVV, expiration) are sent over encrypted WebSocket (wss://) channels, which monitoring that only inspects plain HTTP requests and responses does not see.
- Mobile Attack Vector – On mobile devices, the script prompts users to download a malicious Android APK under the guise of a discount, extending the attack beyond the browser.
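The client-side half of detecting this chain, as an added example written for this article and not code from the ANY.RUN report or from WooCommerce: a checkout-page guard that wraps the browser's WebSocket and fetch so any connection to an origin outside an allowlist is reported and refused, plus an audit of external script sources against the same kind of allowlist. The shop origin, the payment-provider host and the allowlists are assumptions for a hypothetical merchant. The guard has to be the first script on the page and is an early-warning aid rather than a boundary (a loader that runs first can keep a reference to the native constructors, and the `prototype.constructor` path is left open), which is why the Content Security Policy recommended later on this page is the enforcing control.

```javascript
// Added example (not code from the ANY.RUN report or from WooCommerce):
// a runtime guard for a checkout page. All origins below are assumptions
// for a hypothetical shop; replace them with the merchant's own origin and
// the hosts its payment provider actually uses.
const SHOP_ORIGIN = 'https://shop.example';               // assumed first-party origin
const ALLOWED_SCRIPT_ORIGINS = new Set([
  SHOP_ORIGIN,
  'https://sis.redsys.es',                                 // assumed PSP script host
]);
const ALLOWED_CONNECT_ORIGINS = new Set([
  SHOP_ORIGIN,
  'wss://shop.example',                                    // assumed first-party WebSocket endpoint
  'https://sis.redsys.es',
]);

// scheme://host[:port] of a URL, resolving relative URLs against the shop.
// Returns null for unparseable input so the caller treats it as suspicious.
function originOf(url, base = SHOP_ORIGIN + '/checkout/') {
  try {
    const u = new URL(String(url), base);
    return `${u.protocol}//${u.host}`;
  } catch (e) {
    return null;
  }
}

// Script src values (e.g. collected from document.scripts) that are not on
// the allowlist. Inline scripts have no src and are not covered; that gap is
// what integrity hashing closes, since this campaign edits existing files.
function auditScriptSources(srcs, allowed = ALLOWED_SCRIPT_ORIGINS) {
  return srcs.filter((src) => {
    const origin = originOf(src);
    return origin === null || !allowed.has(origin);
  });
}

// Replace scope.WebSocket and scope.fetch with versions that consult the
// allowlist. `scope` is `window` in a browser; the test passes a stub.
// `report` should beacon to a first-party (allowlisted) endpoint.
// Report-only mode (block: false) is the safe first deployment.
function installNetworkGuard(scope, allowed, report, { block = true } = {}) {
  const NativeWebSocket = scope.WebSocket;
  const nativeFetch = scope.fetch;

  function permitted(kind, url) {
    const origin = originOf(url);
    if (origin !== null && allowed.has(origin)) return true;
    report({ kind, url: String(url), origin });
    return !block;
  }

  if (typeof NativeWebSocket === 'function') {
    const GuardedWebSocket = function (url, protocols) {
      if (!permitted('websocket', url)) throw new Error(`blocked WebSocket to ${url}`);
      return new NativeWebSocket(url, protocols);
    };
    GuardedWebSocket.prototype = NativeWebSocket.prototype; // keep instanceof working
    scope.WebSocket = GuardedWebSocket;
  }
  if (typeof nativeFetch === 'function') {
    scope.fetch = function (input, init) {
      const url = typeof input === 'string' ? input : input.url;
      if (!permitted('fetch', url)) return Promise.reject(new Error(`blocked fetch to ${url}`));
      return nativeFetch.call(scope, input, init);
    };
  }
}
```

Overlay detection (a MutationObserver watching for nodes inserted over the payment form) belongs in the same guard but needs a DOM, so it is left out of this stand-alone block.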
Key Tactics & Infrastructure
- High-Fidelity Impersonation – Domains like jquerybootstrap[.]com and assetsbundle[.]com are named to pass as legitimate front-end asset hosts in a script audit.
- Persistent Command & Control – Some C2 servers (e.g., redsysgate[.]com) masquerade as trusted payment domains.
- Global Targeting – The campaign’s localized fake payment forms and APK prompts indicate a deliberate, organized effort rather than opportunistic skimming.
Impact & Defensive Priorities
The operation reflects a shift in Magecart tactics from quick, opportunistic attacks to long-term, infrastructure-driven campaigns with real-time control. Financial institutions face increased fraud losses, while security teams must prioritize:
- Monitoring WebSocket traffic from checkout pages, and alerting on wss:// connections to any host other than the merchant's own and its payment provider's.
- Enforcing a strict Content Security Policy (CSP), in particular script-src and connect-src allowlists, so injected code cannot fetch its configuration or open an exfiltration channel to an unknown origin.
- Implementing JavaScript file integrity checks (hash baselines for first-party scripts, Subresource Integrity for third-party ones), since the loader in this campaign is spliced into scripts the site already serves.
- Conducting regular third-party script audits.
The campaign underscores the evolving sophistication of digital skimming threats, with attackers investing in resilient infrastructure to sustain operations despite takedowns.
Source: https://cybersecuritynews.com/magecart-hijack-estore-checkouts/
Redsys Servicios de Procesamiento cybersecurity rating report: https://www.rankiteo.com/company/redsys-espa-a
WooCommerce cybersecurity rating report: https://www.rankiteo.com/company/woocommerce
{
  "id": "REDWOO1775067906",
  "linkid": "redsys-espa-a, woocommerce",
  "type": "Cyber Attack",
  "date": "2/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Retail/E-commerce",
      "location": ["UK", "Denmark", "France", "Spain", "U.S.", "Other (12 countries total)"],
      "type": "E-commerce merchants (WooCommerce)"
    },
    {
      "customers_affected": "Cardholders",
      "industry": "Finance",
      "location": ["Global (primarily Spain)"],
      "type": "Banks and financial institutions"
    }
  ],
  "attack_vector": [
    "Obfuscated JavaScript injection",
    "Fake payment overlays",
    "WebSocket-based data exfiltration",
    "Malicious Android APKs"
  ],
  "data_breach": {
    "data_exfiltration": "Yes (via WebSocket channels)",
    "personally_identifiable_information": "Payment card details",
    "sensitivity_of_data": "High (BIN, full card number, CVV, expiration)",
    "type_of_data_compromised": "Payment card data"
  },
  "date_detected": "2024",
  "description": "A large-scale Magecart operation has been active since at least early 2024, compromising 17 WooCommerce websites across 12 countries, including the UK, Denmark, France, Spain, and the U.S. The campaign leverages over 100 malicious domains to steal payment card data in real time, primarily exploiting the Redsys payment ecosystem. The attack employs a multi-stage infection chain, including obfuscated JavaScript loaders, dynamic payload retrieval, fake payment overlays, and data exfiltration via WebSockets. The campaign reflects a shift to long-term, infrastructure-driven operations with localized fake payment forms and malicious APK prompts for mobile users.",
  "impact": {
    "brand_reputation_impact": "Erosion of trust in affected e-commerce sites",
    "data_compromised": "Payment card details (BIN, full number, CVV, expiration)",
    "financial_loss": "Increased fraud losses for banks and cardholders",
    "identity_theft_risk": "High (payment card data exposed)",
    "operational_impact": "Erosion of trust in digital payments",
    "payment_information_risk": "High (full card details stolen)",
    "systems_affected": "17 WooCommerce websites"
  },
  "initial_access_broker": {"entry_point": "WooCommerce websites"},
  "lessons_learned": "The campaign underscores the evolving sophistication of digital skimming threats, with attackers investing in resilient infrastructure to sustain operations despite takedowns. Magecart tactics are shifting from opportunistic attacks to long-term, infrastructure-driven campaigns with real-time control.",
  "motivation": ["Financial gain", "Payment card data theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Monitor WebSocket traffic",
      "Enforce CSP",
      "Implement JavaScript integrity checks",
      "Audit third-party scripts"
    ],
    "root_causes": "Exploitation of WooCommerce vulnerabilities, third-party script injection, lack of strict CSP enforcement"
  },
  "recommendations": [
    "Monitor WebSocket traffic from checkout pages",
    "Enforce strict Content Security Policies (CSP)",
    "Implement JavaScript file integrity checks",
    "Conduct regular third-party script audits"
  ],
  "references": [{"source": "ANY.RUN"}],
  "response": {
    "remediation_measures": [
      "Monitor WebSocket traffic from checkout pages",
      "Enforce strict Content Security Policies (CSP)",
      "Implement JavaScript file integrity checks",
      "Conduct regular third-party script audits"
    ],
    "third_party_assistance": "ANY.RUN (security researchers)"
  },
  "title": "Sophisticated Magecart Campaign Targets E-Commerce Sites Across 12 Countries for Over Two Years",
  "type": "Magecart (Digital Skimming)",
  "vulnerability_exploited": "WooCommerce website vulnerabilities, third-party script injection"
}