
The biggest Magecart attacks in history (so far)

Thursday, October 17th, 2024

Carlo D'Agnolo

Marketing & Growth

Where the term “Magecart” comes from

Magecart attacks are a type of cyberattack where hackers inject malicious JavaScript code, often referred to as "skimming" scripts, into websites. This can be any type of website, but when people talk about Magecart, they almost exclusively mean e-commerce sites, where the goal is to capture credit card details.

The term "Magecart" combines "Magento," a popular open-source e-commerce platform, and "cart," referring to the shopping cart feature on these websites. The initial wave of attacks targeted Magento-based websites, leading to the coinage of the term.

These attacks also fall under the umbrella terms “client-side attacks” and “web supply chain attacks.”

Evolution into a Generic Term

Over time, "Magecart" itself evolved from referring to a specific group of hackers into an umbrella term used to describe a broader style of attacks:

  1. Copycats: As the original Magecart group’s methods proved effective, other cybercriminal groups adopted similar techniques.

  2. Expanding: While early Magecart attacks primarily focused on Magento sites, the scope has widened significantly. Attackers now target a variety of content management systems (CMS) and e-commerce platforms, such as WooCommerce, PrestaShop, Shopify, and custom-built websites.

  3. Third-party scripts as the entry point: Modern Magecart attacks often exploit vulnerabilities in third-party services integrated into websites, such as chat widgets, analytics scripts, or payment processors. This shift from targeting the e-commerce platforms themselves to attacking the broader web ecosystem contributed to the term’s broader application.

  4. Increased public awareness: High-profile incidents involving major brands like British Airways, Ticketmaster, and Newegg brought significant media attention to Magecart attacks. Articles often use the name as a callback, even when the incident is not a “Magecart” attack in the original sense of the word.

In general, when someone mentions Magecart, think digital skimming.

The biggest Magecart attacks thus far

Keep in mind that these are the Magecart attacks we currently know about. It’s likely that many more are happening right now. If we discover additional attacks, we will update this post.

We’ve ranked these broadly based on people impacted, financial implications, media coverage, and reputational damage.

1. British Airways

This is often considered the largest and most high-profile Magecart attack. It’s also the one we most often quote, partly because we bought the domain used in that attack, baways.com (safe now), and told the full story of the attack there.

[Screenshot: baways.com]

While we wish we could say we had to go through some elaborate scheme to get it, we just bought it on a public registry. Read that story here.

In this attack, the attackers bought the domain and referenced it from a tampered third-party script in order to stay under the radar for longer. After all, BAWAYS sounds like a legitimate British Airways domain.

In other cases, expired or sold domains that feature in third-party scripts offer a direct path to compromising many websites in one fell swoop. While not a Magecart attack, the recent Polyfill attack showed why it’s important to secure your site against this.

The British Airways (BA) hack from September 2018 was quite a sophisticated Magecart attack that compromised the personal and financial information of around 380,000 people. The hackers exploited vulnerabilities in British Airways' online payment system by injecting malicious JavaScript code into the airline’s website and mobile app. This code was specifically designed to capture payment information in real time as customers entered their details on the payment page.

The stolen data included names, email addresses, and complete credit card details, including CVV codes, making it highly valuable for fraud. The attack went undetected for over two weeks, giving the attackers ample time to collect sensitive customer information.

This breach had significant repercussions for British Airways, both financially and reputationally. The UK’s Information Commissioner’s Office (ICO) fined British Airways £20 million ($26 million), and the breach led to widespread criticism of British Airways' cybersecurity practices.

2. Ticketmaster

This attack affected approximately 40,000 customers but was significant because of the involvement of a third-party service provider (Inbenta).

Again, the attackers injected malicious JavaScript code into this third-party widget, allowing them to siphon off customers' credit card details, names, addresses, and other sensitive information as transactions were processed on Ticketmaster’s site. The malicious code remained undetected for several months, during which the attackers harvested valuable customer data.

As a result, Ticketmaster faced criticism for failing to adequately vet its third-party partners and for the delay in detecting and responding to the breach.

In May 2024 we experienced a bit of déjà vu when news broke of another Ticketmaster incident that bore a striking resemblance to the infamous 2018 data breach.

This new incident was somewhat similar to the first: Ticketmaster confirmed unauthorized activity within a third-party cloud database environment, which was claimed to have exposed the personal information of over 500 million customers. Here’s our full write-up of this latest Ticketmaster breach.

3. Newegg

The Newegg hack is one of those classic Magecart attacks that people still talk about. This one was pretty sneaky and showed just how crafty attackers could be. Also in 2018, hackers managed to slip malicious JavaScript code right into the checkout page of Newegg’s website. Their aim? You guessed it: to skim credit card information from customers as they made purchases. The attack went unnoticed for over a month, which gave the attackers plenty of time to collect a good amount of sensitive data.

What made this attack particularly interesting was the way the hackers operated. Rather than standing out on Newegg’s site, they mimicked Newegg's own payment processing script so that their malicious code blended in almost perfectly. It was a clever move that allowed them to fly under the radar for so long. The stolen data included everything from names and addresses to credit card numbers and CVV codes.

While Newegg’s response to the attack wasn’t as swift as some might have hoped, the incident certainly put the spotlight on the need for more vigilant security practices, especially around payment pages. It’s one of the reasons the updated PCI DSS 4.0 requirements include securing scripts on payment pages. Read up on that if customers make payments on your site.

4. Multiple Magento sites

Instead of going after one big fish, the attackers went for quantity between 2020 and 2021, exploiting vulnerabilities in over 2,000 Magento e-commerce sites. The strategy was simple but effective: use known flaws in outdated Magento installations to inject skimming scripts into checkout pages and grab credit card information as unsuspecting customers made their purchases.

What's notable here is the sheer scope of this attack. It wasn't about hitting a few sites; it was about leveraging a widespread vulnerability to impact a massive number of businesses at once.

This kind of attack is particularly concerning for small and medium-sized businesses, which often don’t have the same level of security as the big players. And for those still running older versions of Magento, this was a wake-up call.

One of the more recent and biggest Magento Magecart attacks hit Segway in 2022. The attackers targeted vulnerabilities in the CMS itself or in one of the plugins installed on the Segway site. After breaching it, they again added malicious JavaScript. Here, the injected code appeared to be the site’s copyright notice, but was actually used to load an external favicon.

Inside that favicon file, a malicious domain was embedded which loaded external code to skim payment information from unsuspecting customers. Read our full article on that attack here.

5. Volusion

The Volusion hack in 2019-2020 is another Magecart attack that perfectly illustrates the dangers of supply chain vulnerabilities. This time, the attackers went after Volusion, an e-commerce platform provider that powers thousands of online stores.

By compromising Volusion's own infrastructure, the hackers were able to inject their malicious JavaScript into a JavaScript file served to all websites using Volusion’s services. They didn’t have to target individual stores one by one; they just needed to slip in through the platform provider, and they had access to the payment pages of all those stores in one fell swoop.

The impact was huge, affecting countless small and medium-sized businesses that relied on Volusion to run their e-commerce operations. Customers who shopped on these stores had their credit card details skimmed, which again included names, card numbers, expiration dates, and CVVs.

When your business depends on a service provider, their vulnerabilities become your vulnerabilities.

What we learned about Magecart thus far

Let’s look at a few common themes in these biggest Magecart attacks:

  • They always target third-party tools active on sites (most often third-party scripts).

  • The attacks always remain undetected for a while.

  • They’re always after sites where regular people buy online.

So if you run a site with those traits, alarm bells should be going off right now. You can use c/side to secure your third-party scripts and stop these attacks from happening.

More Magecart attacks

Let’s look at a few more notable Magecart attacks:

Warner Music Group

The Warner Music Group hack in 2020 was another notable Magecart-style attack. It spanned several months and impacted multiple e-commerce sites associated with this major music label. Hackers injected malicious scripts into the checkout pages of Warner Music’s online stores, allowing them to skim payment information from customers buying merchandise and digital products.

Claire's and Icing websites

Claire's, the popular accessories and jewelry retailer, had a rough year in 2020 when it fell victim to not one but two Magecart attacks. After the initial breach, the company thought it had the situation under control, but the attackers managed to reinfect its websites shortly after the first attack.

American Cancer Society

The American Cancer Society breach in 2019 hit particularly hard and shows that not even nonprofits are safe from Magecart attacks. Any organization or website that handles payment information can, and will, be targeted.

The attackers injected malicious JavaScript code into the donation page of the organization's website, aiming to steal credit card information from donors.

Macy’s

Attackers managed to compromise the American department store’s online payment system, injecting malicious code to steal payment information directly from customers during the checkout process. While the number of affected customers was smaller compared to some of the other Magecart attacks, the timing was particularly impactful: it occurred during a significant sales period, right when shoppers were flocking to the site for deals.

Regal Cinemas

The Magecart attack on Regal Cinemas in 2022 brought the focus back to the entertainment sector, which up until then wasn’t commonly associated with such breaches. Attackers targeted Regal’s online ticketing platform, embedding malicious scripts to capture payment information from customers purchasing tickets, quite similar to the Ticketmaster attack.

NutriBullet

NutriBullet, famous for its blenders and kitchen gadgets, found itself on the list of Magecart victims in early 2021. Hackers injected malicious JavaScript into the checkout page of NutriBullet’s website, skimming credit card details from customers over several weeks.

Chinavasion

Chinavasion, a well-known Chinese e-commerce platform specializing in electronics, was hit by a Magecart attack in 2023. This incident also targeted the checkout pages to capture payment details from international customers. While the breach wasn’t as large as some of the others on this list, it was significant due to Chinavasion's broad customer base spanning multiple countries.

Dick's Sporting Goods

In 2023, Dick's Sporting Goods joined the list of Magecart victims when attackers managed to inject malicious scripts into its payment page. The breach impacted a large number of customers, but the scale and financial fallout were less severe compared to some of the more extensive attacks on this list.

Marriott Hotels

Marriott Hotels added another chapter to its troubled history with data breaches in 2023 when its online reservation system was targeted by Magecart attackers. The hackers injected skimming scripts to steal credit card information from customers booking rooms online.

Concern is rising about these types of attacks targeting hotel and leisure industry websites. Time will tell whether more attacks occur in this space.

Here we wrote about client-side attacks specifically in the hotel industry.

Digital Wallets and Cryptocurrency Exchanges

From 2022 to 2024, Magecart attackers turned their focus to digital wallets and cryptocurrency exchanges, marking a shift in their typical targets. By injecting malicious scripts into web wallets and exchange platforms, they were able to siphon off not just credit card details but also digital assets like cryptocurrencies.

During our beta phase, multiple cryptocurrency companies and exchanges contacted us to work together on an early version of an expanded product scope to protect their sites. It’s a real concern in this industry.

Here's the story of the Copay event-stream attack, which also happened in the crypto space. The malicious code executed routines that searched for and extracted private keys and wallet details from accounts holding substantial amounts of Bitcoin and Bitcoin Cash. These details were then transmitted to a remote server controlled by the attackers.

A few final name drops:

  • Soccer[.]com

  • Shopify

  • Olympus

  • Tupperware

  • Fujifilm

  • Boom! Mobile

  • Procter & Gamble

  • Smith & Wesson

  • Puma

  • Crucial (Micron)

  • Elekta

How to protect your site against Magecart attacks

As covered in the section “What we learned about Magecart thus far”, third-party JavaScript is involved. These scripts are loaded client-side (i.e. in the user’s browser), not by the website’s server. And they are dynamic, meaning they can change at any time, and can even behave differently based on parameters like the user’s device, location and more.

We’ve built c/side to secure these scripts against anything malicious. We load them through a proxy before they execute in the user’s browser, and block them if needed to fully protect the website visitors. We also alert the website owner so they can inspect and remove the code if needed.
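As an added example (not c/side's product code), here is a minimal in-browser script-inventory monitor: it classifies every script URL against an allowlist of expected hosts, accepts subdomains of an allowed host but rejects lookalike domains such as baways.com, and reports scripts injected after page load. The shop and vendor hostnames are constructed placeholders.

```javascript
// Added example, not c/side's code: a minimal in-browser script-inventory
// monitor. Each <script src> is classified against an allowlist of hosts the
// page is expected to load from; anything else is reported for review.
const ALLOWED_SCRIPT_HOSTS = [           // constructed placeholder hostnames
  'www.example-shop.test',  // first-party origin
  'cdn.example-shop.test',  // first-party CDN
  'analytics.vendor.test',  // a vetted third-party vendor
];
// Exact match or a subdomain of an allowed host. The leading '.' keeps a
// lookalike such as "analytics.vendor.test.evil.test" from passing.
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase();
  return allowlist.some((a) => h === a || h.endsWith('.' + a));
}
// Relative URLs resolve against pageUrl and so count as first-party. Inline
// scripts (no src) are flagged separately: they cannot be vetted by host.
function classifyScriptSrc(src, pageUrl, allowlist = ALLOWED_SCRIPT_HOSTS) {
  if (!src) return { verdict: 'inline', host: null };
  let url;
  try {
    url = new URL(src, pageUrl);
  } catch (e) {
    return { verdict: 'unexpected', host: null, reason: 'unparseable src' };
  }
  if (url.protocol !== 'https:') {
    return { verdict: 'unexpected', host: url.hostname, reason: 'not https' };
  }
  if (hostAllowed(url.hostname, allowlist)) {
    return { verdict: 'allowed', host: url.hostname };
  }
  return { verdict: 'unexpected', host: url.hostname, reason: 'host not allowlisted' };
}
// Browser hookup: report script elements added after load, which is how a
// tampered third-party script typically pulls in a second-stage skimmer.
// Returns null outside a browser so the logic above also runs under Node.
function startScriptMonitor(report = console.warn) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName !== 'SCRIPT') continue;
        const result = classifyScriptSrc(node.getAttribute('src'), location.href);
        if (result.verdict !== 'allowed') report('script monitor:', result);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

Call startScriptMonitor() as early as possible in the page, ideally from an inline script in the head, and have report() send findings to your own endpoint rather than only to the console.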

You can get started and secure your site for free in minutes. There are other tools available, of course; please visit our compare page to see how we shape up against the competition.

More About Carlo

I'm in charge of marketing & growth at c/side, educating companies and users on the web about the dangers of third-party scripts and the broader client-side security risks.