Magecart and Card Skimming Attacks on E-Commerce: How Attackers Steal Payment Data

Magecart is the name given to a collection of criminal groups that specialise in injecting malicious JavaScript into e-commerce websites to steal payment card details as customers enter them at checkout. Unlike database breaches where attackers steal stored card data, Magecart attacks capture card details in real time — including the CVV code that is never stored. The British Airways breach (2018, £20 million ICO fine) and the Ticketmaster breach (2018) were both Magecart attacks. In 2023, Magecart attacks affected thousands of e-commerce sites simultaneously through compromised third-party shopping cart plugins.

Over 4,000 UK e-commerce websites are estimated to be infected with card skimming malware at any given time — the majority are small retailers who are unaware of the compromise.

How Magecart Attacks Work Against Retailers

Magecart attacks exploit the fact that modern e-commerce sites load JavaScript from dozens of third-party sources — payment plugins, analytics tools, chat widgets, and marketing scripts. Attackers compromise one of these third-party scripts (or the e-commerce platform itself) and inject a few lines of additional JavaScript code. This code silently copies everything the customer types into the checkout form — card number, expiry date, CVV, billing address — and sends it to an attacker-controlled server. Because the malicious code executes in the customer's browser alongside legitimate scripts, it is effectively invisible to the retailer's own monitoring: the stolen data travels from the customer's browser straight to the attacker's server and never passes through the retailer's infrastructure, so nothing unusual appears in server-side logs. Magecart infections often persist for months before detection.

Protecting Your E-Commerce Site from Magecart

Defending against Magecart requires multiple controls:

- Content Security Policy (CSP) headers that restrict which JavaScript sources are permitted to execute on your site, the most effective technical control against script injection. The policy has to be strict to help: nonces or hashes rather than 'unsafe-inline', and a short allowlist of origins, because a script served from an allowlisted origin still passes CSP even after that origin has been compromised.
- Subresource Integrity (SRI) hashes for all third-party scripts, so the browser refuses to run a script whose content no longer matches the pinned hash. SRI only suits scripts with stable content; a vendor script that changes without notice will stop loading until the hash is updated, so such scripts need to be self-hosted or covered by another control.
- Regular file integrity monitoring on your e-commerce platform to detect changes to checkout-related files.
- Monitoring of outbound network connections from your site to detect data being sent to unexpected destinations. Bear in mind that the skimmer's exfiltration request leaves from the customer's browser, not from your server, so this monitoring should include browser-side reporting (for example CSP violation reports) and not only server egress.
- A formal process for vetting and reviewing third-party plugins and scripts before deployment.

Retailers using hosted payment pages (where the card entry occurs on the payment processor's own page) are largely protected from Magecart, since the attack requires access to the cardholder data entry point. The retailer's own checkout pages still need the controls above, because a script injected there can still interfere with the customer before the hosted page is reached.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.