A sophisticated Magecart campaign has been uncovered operating undetected for over two years, compromising e-commerce platforms across at least 12 countries and leveraging more than 100 malicious domains to steal payment card data in real time. Security researchers at ANY.RUN revealed that the campaign, active since early 2024, primarily targeted WooCommerce websites, with 17 confirmed infections identified between February 2024 and April 2025.

The scale and persistence of the operation indicate a highly organized cybercriminal effort rather than opportunistic attacks. While merchants serve as the initial entry point, the financial impact is largely absorbed by banks and cardholders, as stolen payment data fuels downstream fraud and erodes trust in digital transactions.

The campaign has affected businesses in regions including the United Kingdom, Denmark, France, Spain, and the United States. Spain emerged as a significant hotspot due to the attackers’ strategic abuse of the widely used Redsys payment ecosystem, enabling highly convincing payment fraud scenarios.

The attack chain is designed with multiple layers to evade detection and ensure longevity. Once attackers gain access to a WooCommerce site, they inject an obfuscated JavaScript loader into existing site scripts rather than adding a new file, so a casual review of the file list shows nothing unusual. This loader does not steal data itself; it silently connects to external infrastructure to retrieve additional malicious payloads, which are encoded so that static analysis of the loader alone reveals neither the payload nor its purpose.

To maintain resilience, the loader includes a fallback mechanism that cycles through multiple backup domains if primary servers are blocked or taken offline. This redundancy has allowed the campaign to remain active despite partial takedowns, contributing to its extended lifespan. The practical consequence for defenders is that blocking a single command-and-control domain does not clean an infected site; the injected loader has to be found and removed from the site's scripts.

The second-stage payload is delivered through domains disguised as legitimate services, including fake content delivery networks and JavaScript libraries. Once activated, the malicious script waits for users to reach the checkout page, where it seamlessly replaces or overlays the legitimate payment interface with a highly convincing replica.

A key strength of the campaign lies in its ability to impersonate trusted payment providers. One prominent variant mimics Redsys, integrating legitimate domain references to enhance credibility. Other versions replicate PayPlug SAS interfaces, with multilingual support in English, Spanish, Arabic, and French, highlighting a deliberate and globally targeted approach.

When users enter their payment details, the data – including card number, expiration date, and CVV – is exfiltrated over WebSocket connections (wss://) rather than ordinary HTTP requests. This sidesteps monitoring that only inspects XMLHttpRequest and fetch traffic or HTTP request logs. Note, however, that a Content Security Policy connect-src directive does govern WebSocket endpoints, so a strict policy on the checkout page still constrains this channel.
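One way to see this channel from the checkout page itself, as an added example that is not code from the ANY.RUN report or from any WooCommerce component: a guard that wraps the page's WebSocket constructor, checks each connection attempt against a host allowlist, and records the call stack so the script that opened the socket can be identified. The allowlist host and the skimmer-style URL are hypothetical placeholders; the demonstration runs offline against a stub WebSocket.

```javascript
// Added example (not from the ANY.RUN report or any WooCommerce code):
// a checkout-page guard that wraps the WebSocket constructor, checks every
// connection attempt against a host allowlist, and records the call stack
// so the script that opened the socket can be identified.
// The allowlist host below is a hypothetical placeholder.

const CHECKOUT_WS_ALLOWLIST = ["checkout.example-shop.test"];

// Decide whether a WebSocket URL points at an approved host.
// Fails closed: anything unparseable or non-WebSocket is not allowed.
function classifyWebSocketTarget(url, allowlist = CHECKOUT_WS_ALLOWLIST) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (err) {
    return { allowed: false, host: null, reason: "unparseable URL" };
  }
  if (parsed.protocol !== "wss:" && parsed.protocol !== "ws:") {
    return { allowed: false, host: parsed.hostname, reason: "not a WebSocket scheme" };
  }
  const host = parsed.hostname.toLowerCase();
  const allowed = allowlist.some((a) => host === a || host.endsWith("." + a));
  return { allowed, host, reason: allowed ? "allowlisted" : "host not allowlisted" };
}

// Replace scope.WebSocket with a guarded constructor. `scope` is `window` in a
// browser; demoGuard() below uses a plain object with a stub so it runs offline.
function installWebSocketGuard(scope, allowlist = CHECKOUT_WS_ALLOWLIST, report) {
  const Original = scope.WebSocket;
  const events = [];
  const emit = report || ((e) => events.push(e));

  function GuardedWebSocket(url, protocols) {
    const verdict = classifyWebSocketTarget(url, allowlist);
    // The stack shows which script (first- or third-party) opened the socket.
    emit({ url: String(url), ...verdict, stack: new Error().stack });
    if (!verdict.allowed) {
      throw new Error(`WebSocket to ${verdict.host} blocked: ${verdict.reason}`);
    }
    return protocols === undefined ? new Original(url) : new Original(url, protocols);
  }
  GuardedWebSocket.prototype = Original.prototype;
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    if (k in Original) GuardedWebSocket[k] = Original[k];
  }
  scope.WebSocket = GuardedWebSocket;
  return { events, restore: () => { scope.WebSocket = Original; } };
}

// Offline demonstration with a stub WebSocket; returns the verdicts recorded.
function demoGuard() {
  const scope = { WebSocket: class StubWebSocket { constructor(url) { this.url = url; } } };
  const guard = installWebSocketGuard(scope, CHECKOUT_WS_ALLOWLIST);
  const results = [];
  for (const url of [
    "wss://checkout.example-shop.test/session", // legitimate checkout endpoint
    "wss://cdn-static-lib.invalid/socket",      // constructed skimmer-style exfil host
    "https://checkout.example-shop.test/api",   // wrong scheme, fails closed
  ]) {
    try { new scope.WebSocket(url); results.push("opened"); }
    catch (err) { results.push("blocked"); }
  }
  guard.restore();
  return { results, events: guard.events };
}
```

A hook installed from page JavaScript can be bypassed by a script that runs before it or inside an iframe, so treat it as telemetry for the security team rather than as the control: the browser-enforced control is a CSP connect-src directive on the checkout page that lists only the hosts the page legitimately talks to.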

In an advanced evolution of the threat, the campaign also introduces a mobile attack vector. Users accessing compromised websites on mobile devices are prompted to download Android applications disguised as promotional offers. These apps require enabling installations from unknown sources, significantly increasing the risk of further compromise.

The findings underscore a broader shift in Magecart tactics, moving from short-term skimming attacks to persistent, infrastructure-heavy operations with real-time command-and-control capabilities. This evolution makes detection more challenging and increases the potential scale of financial damage.

Security teams are being urged to strengthen defenses by monitoring WebSocket traffic originating from checkout pages, enforcing strict Content Security Policies (script-src and connect-src restricted to known hosts), and implementing integrity checks for JavaScript files: Subresource Integrity for scripts loaded from other origins, and a hash baseline for first-party files so that an in-place modification of an existing script is noticed. Regular audits of third-party scripts are also critical in identifying hidden threats within web environments.

For financial institutions, enhanced fraud detection mechanisms and proactive threat intelligence sharing remain essential to mitigate the long-term impact of such campaigns. As these attacks continue to evolve, collaboration between merchants, security teams, and banks will be key to defending against increasingly sophisticated payment fraud operations.
