Analysis of a recent Magecart campaign

On 13 March 2020, SanSec disclosed a new Magecart domain used to host malicious JavaScript (.js) files that collect credit card details from ecommerce checkout pages. The domain hosting the scripts, jquerycdn[.]at, was loaded by at least 299 different victim stores. The most commonly attacked platform is Magento 1. Notably, support for Magento 1 ended on 30 June 2020, so stores still running it no longer receive security updates.

How does the web skimmer work?

“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” - SanSec. 

In this blog, I analyse the JavaScript skimmers connected to jquerycdn[.]at in an ongoing campaign.

Search for the presence of the jquery.storageapi.min.js Skimmer on sites via URLscan here.


Search for the presence of the jquery.bah-hashchange.min.js Skimmer on sites via URLscan here.

These JavaScript skimmers use a function named 'GetCCInfo' to collect the shopper's credit card number, CVV, cardholder first and last name, and expiration date. A second function, 'SaveParam', collects the billing details: first name, last name, home address and telephone number. All of the data is then base64-encoded and exfiltrated to jquerycdn[.]at/gate.php. Note that base64 is an encoding, not encryption: anyone who captures the request to gate.php (in a proxy or the browser's network log, for example) can decode the stolen fields directly.
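As an added example (not code from the original post, from SanSec, or from the skimmer itself), the following Python helpers cover the two triage tasks this description implies: finding the loader script tags in a saved checkout page, and decoding a base64 body captured on its way to gate.php to confirm it actually carries card data. The sample HTML and the exfil body are constructed here, and the key names inside the decoded body (cc, cvv, exp and so on) are an assumption; the real skimmer's plaintext layout is not documented above, which is why the card check relies on a Luhn test rather than on field names.

```python
"""Added example: offline triage helpers for the jquerycdn[.]at skimmer campaign.
Sample inputs are constructed for this example; the key names inside the exfil
body are an assumption, not taken from the real skimmer."""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the write-up (defanged there as jquerycdn[.]at).
SKIMMER_HOST = "jquerycdn.at"
SKIMMER_FILES = {"jquery.storageapi.min.js", "jquery.bah-hashchange.min.js"}

_SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_skimmer_loaders(html: str) -> list[str]:
    """Return every <script src> that points at the skimmer host or carries one of
    the known skimmer file names. Matching on file name as well as host also catches
    a copy served from the victim's own domain, which is what the URLscan searches
    above key on."""
    hits = []
    for src in _SCRIPT_SRC.findall(html):
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        basename = parts.path.rsplit("/", 1)[-1].lower()
        if host == SKIMMER_HOST or host.endswith("." + SKIMMER_HOST) or basename in SKIMMER_FILES:
            hits.append(src)
    return hits


def b64decode_lenient(data: str) -> bytes:
    """Decode standard or URL-safe base64, tolerating stripped '=' padding."""
    data = data.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(data + "=" * (-len(data) % 4))


def decode_exfil_body(body: str) -> dict[str, str]:
    """Base64-decode a captured gate.php request body into key -> value.
    Assumption: the plaintext is JSON or a URL-encoded form; the write-up only says
    the data is base64 encoded. Anything else comes back under the key 'raw'."""
    text = b64decode_lenient(body).decode("utf-8", errors="replace")
    try:
        obj = json.loads(text)
        if isinstance(obj, dict):
            return {str(k): str(v) for k, v in obj.items()}
    except ValueError:
        pass
    if "=" in text:
        return {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}
    return {"raw": text}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(fields: dict[str, str]) -> dict[str, str]:
    """Values that look like a PAN (13-19 digits, Luhn-valid), whatever the key name,
    so the check does not depend on guessing the skimmer's field names."""
    pans = {}
    for key, value in fields.items():
        digits = re.sub(r"[ -]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans[key] = digits
    return pans


# Constructed checkout page: one loader from the skimmer host, one copy by file name.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script src="https://jquerycdn.at/jquery.storageapi.min.js"></script>
<script src="/skin/frontend/base/default/js/jquery.bah-hashchange.min.js"></script>
</head><body><form id="co-payment-form"></form></body></html>"""

# Constructed exfil body, URL-safe base64 with padding stripped, as a skimmer might
# POST it to gate.php. 4111 1111 1111 1111 is a standard test card number.
SAMPLE_EXFIL_BODY = base64.urlsafe_b64encode(
    b"cc=4111111111111111&cvv=123&exp=12%2F27&firstname=Jane&lastname=Doe&phone=555-0100"
).decode().rstrip("=")

if __name__ == "__main__":
    print("skimmer loaders:", find_skimmer_loaders(SAMPLE_CHECKOUT_HTML))
    fields = decode_exfil_body(SAMPLE_EXFIL_BODY)
    print("decoded exfil:", fields)
    print("card numbers found:", find_card_numbers(fields))
```

Run it as a script to see the two loaders flagged and the decoded body with its card number identified. To use it on a real capture, paste the saved checkout HTML and the raw POST body from the proxy log in place of the constructed samples; the lenient decoder is there because skimmer payloads are often URL-safe base64 with the padding removed, which the standard decoder rejects.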

Although this campaign was detected back in March 2020, the domain remains online and is hosted on AS47510 (Crex Fex Pex ISS, RU). The skimmer also appears to still be injected into ecommerce sites' checkout pages.

Indicators of Compromise (IOCs):

jquerycdn[.]at - domain hosting the skimmer scripts (AS47510, Crex Fex Pex ISS, RU)
jquerycdn[.]at/gate.php - exfiltration endpoint for the base64-encoded card and billing data
jquery.storageapi.min.js - skimmer file name
jquery.bah-hashchange.min.js - skimmer file name
GetCCInfo, SaveParam - function names used in the skimmer code
My previous blog, titled "Deep-dive: The Magecart Collective", can be found here.

I want to extend my gratitude to @0xDISREL for helping me with research into these attacks. They provided useful insights into analysis of the JavaScript code. Give them a follow!
