New Magecart Attack Injects Malicious JavaScript to Skim Payment Data
A new Magecart-style campaign has emerged, targeting online shoppers through malicious JavaScript code designed to steal payment information directly from e-commerce websites. This attack involves injecting hidden scripts into compromised shopping sites, allowing attackers to intercept sensitive data when customers enter their credit card details during checkout.
Magecart attacks have evolved over several years, with cybercriminals continuously refining their methods to avoid detection. The latest variant demonstrates sophisticated obfuscation techniques, making it harder for security teams to identify and block the malicious code before it damages customer trust and business operations.
Security analyst Himanshu Anand identified this particular campaign through open-source threat intelligence. He traced the attack back to a primary domain, cc-analytics.com, which was hosting the malicious JavaScript file. The discovery revealed a coordinated effort by threat actors to deploy similar payloads across multiple e-commerce platforms, suggesting a widespread campaign affecting numerous online businesses and their customers.
The stolen data is sent to attacker-controlled servers, where criminals harvest the payment information for resale or fraudulent use. This campaign shows how attackers exploit trusted e-commerce environments to target customers at their most vulnerable moment—when making an online purchase.
How the Attack Infection Mechanism Works
The malicious JavaScript operates through a multi-stage process that remains hidden from customers and website administrators. When an unsuspecting shopper visits a compromised e-commerce site, the attacker’s code quietly loads in the background through a simple script tag injected into the webpage’s HTML code.
Once active, the script targets specific form fields where customers enter sensitive information. It hooks into checkout buttons and payment form elements, monitoring user activity for signs of payment data entry. When a customer types their credit card number and billing address, the JavaScript captures this information in real time, before the legitimate payment gateway even receives it.
The theft happens instantly through an automated data exfiltration function. The captured payment details are bundled into a request and sent to attacker infrastructure, specifically to domains like pstatics.com. By the time a customer completes their purchase, their credit card information has already been harvested and sent to the criminals behind the campaign.
What makes this attack particularly dangerous is its invisibility. The JavaScript runs silently without triggering browser security warnings or leaving obvious signs of compromise. The obfuscation techniques used render the code unreadable to automated security tools, enabling it to persist on compromised websites for extended periods while continuously stealing data from unsuspecting customers.
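A defender-side check for the injected script tag described above, as an added example that is not part of the original article: it inventories the external script hosts on a checkout page and flags any that match the two domains the article names or that fall outside an allowlist. The sample HTML, the allowlist, the .example hosts, the placeholder file name and the function names are constructed for illustration.

```javascript
// Added example (not from the article): inventory <script src> hosts on a page.
// Function names, allowlist and sample HTML are constructed for illustration.
const CAMPAIGN_DOMAINS = ['cc-analytics.com', 'pstatics.com']; // named in the article

// True when host is the domain itself or one of its subdomains.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Resolve every script src (quoted, unquoted, relative, protocol-relative)
// against the page URL and return its hostname. A regex is enough for an
// inventory pass; it is not a full HTML parser.
function externalScriptHosts(html, pageUrl) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hosts = [];
  for (const m of html.matchAll(re)) {
    const src = m[1] ?? m[2] ?? m[3];
    try {
      hosts.push(new URL(src, pageUrl).hostname.toLowerCase());
    } catch {
      hosts.push('unparseable:' + src); // surface it rather than skip it
    }
  }
  return hosts;
}

// Flag hosts tied to this campaign first, then anything not on the allowlist.
function auditScripts(html, pageUrl, allowedDomains) {
  const findings = [];
  for (const host of new Set(externalScriptHosts(html, pageUrl))) {
    if (CAMPAIGN_DOMAINS.some((d) => matchesDomain(host, d))) {
      findings.push({ host, severity: 'known-campaign' });
    } else if (!allowedDomains.some((d) => matchesDomain(host, d))) {
      findings.push({ host, severity: 'not-allowlisted' });
    }
  }
  return findings;
}

// Constructed sample: a checkout page with one injected tag and one unknown vendor.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script async src='https://js.payments.example/v3/'></script>
<script src="//cc-analytics.com/placeholder.js"></script>
<script src=https://cdn.widgets.example/chat.js></script>`;

console.log(auditScripts(SAMPLE_HTML, 'https://shop.example/checkout',
  ['shop.example', 'payments.example']));
```

Run the same audit against the rendered DOM of the checkout page as well as the served HTML, since a script tag can also be added at runtime by another script.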