< ciso
brief />
Tag Banner

All news with #magecart tag

13 articles

New PCI Rules Force Runtime Script Controls

🔒 An independent PCI assessor evaluated Reflectiz against the updated PCI DSS requirements and found it effectively supports merchant compliance. Modern checkouts load many third-party scripts, any of which can be turned into skimmers, and PCI DSS v4.0.1 introduces controls to inventory, authorize, and detect tampering of payment-page scripts. The QSA highlighted Reflectiz’s behavior-based detection, agentless deployment, and one-click QSA-ready evidence as key strengths, while SAQ A exemptions remain limited for iframe integrations.
read more →

Magecart campaign abuses Stripe and GTM for skimming

🛡️ A Magecart campaign uses Google Tag Manager and Stripe's API to host both the card‑stealing payload and exfiltrated payment data. The skimmer, delivered via legitimate‑looking GTM containers, targets Magento/Adobe Commerce checkouts and reads a specific Stripe customer record to retrieve and execute obfuscated JavaScript. Stolen card details are XOR‑obfuscated, stored locally, then uploaded into fake Stripe customer metadata, with variants using Google Firestore as an alternative backend.
read more →

Critical Funnel Builder Flaw Actively Injects Skimmers

⚠️A critical vulnerability in the Funnel Builder WordPress plugin (affecting versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Sansec reports attackers are planting fake Google Tag Manager-like scripts in the plugin's External Scripts setting to load payment skimmers. FunnelKit released a patch in v3.15.0.3; site owners should update immediately and inspect checkout scripts.
read more →

Critical Funnel Builder WordPress Plugin Exploited

⚠️ A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers modify the plugin’s global settings via an exposed checkout endpoint to add a fake analytics script that opens a WebSocket and delivers a payment card skimmer. The injected skimmer harvests card numbers, CVVs, billing details and other customer data; site owners should update to 3.15.0.3 and inspect External Scripts.
read more →

Attackers Hide Credit-Card Skimmer in 1×1 SVG Pixel

🔍 Sansec researchers uncovered a campaign that embeds a credit-card skimmer into Magento storefronts by hiding it inside a 1×1-pixel SVG element with an onload handler. The handler stores the entire payload as a base64 string decoded via atob() and executed inline to avoid external script detection. When shoppers click checkout a fake Secure Checkout overlay validates card and billing fields in real time and exfiltrates data in XOR-encrypted, base64-obfuscated JSON; Sansec identified six exfiltration domains and published actionable mitigations.
read more →

Claude Code Security and Magecart: Where Tools Stop

🛡️ This report explains why a Magecart skimmer that hid its payload inside a favicon's EXIF metadata can evade repository-focused scanners. Claude Code Security inspects source code and repo artifacts, so it cannot observe malicious scripts injected through third‑party CDNs, tag managers, or images that only execute in users' browsers. The observed attack used a multi‑stage loader to assemble a URL, parse binary image metadata, and execute the extracted payload at checkout, silently exfiltrating payment data. The piece argues that runtime monitoring and stronger supply‑chain governance are essential complements to static analysis.
read more →

Long-running web skimming campaign targets major payments

🔒 Silent Push researchers disclosed a long-running web skimming campaign active since January 2022 that targets customers of major payment networks including American Express, Mastercard, Discover, JCB, Diners Club and UnionPay. The attackers deliver highly obfuscated JavaScript from the domain cdn-cookie[.]com to e-commerce sites and use checks for WordPress’s wpadminbar to self‑destruct when administrators are present. The skimmer renders a fake Stripe payment form, harvests card and personal data, exfiltrates it to lasorie[.]com, then erases traces and sets a localStorage flag to prevent repeat infections, heightening risk for enterprise clients of affected payment providers.
read more →

Global Magecart Campaign Targets Six Major Card Networks

🔒 Silent Push has uncovered a long-running Magecart web‑skimming campaign, active since around 2022, that loads highly obfuscated JavaScript from bulletproof hosting and targets six major card networks including American Express, Mastercard and UnionPay. The skimmer operates client-side, injecting an iframe to display a convincingly styled fake payment form that captures cardholder and shipping details before restoring the original form. Silent Push links parts of the infrastructure to domains hosted by a sanctioned/bulletproof provider and recommends measures such as Content Security Policy, PCI DSS adherence, timely CMS/plugin updates, enforced MFA and incognito-mode testing to detect stealthy injections.
read more →

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.
read more →

Five Major Threats That Reshaped Web Security in 2025

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.
read more →

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.
read more →

Unmonitored JavaScript: The Holiday Shopping Risk 2025

⚠️ The article warns that unmonitored JavaScript on e-commerce sites is the single biggest holiday security risk, enabling attackers to steal payment data while server-side defenses like WAFs and intrusion detection systems remain blind. It reviews major 2024 incidents, including the Polyfill.io and Cisco Magecart campaigns, and highlights a dramatic uptick in attacks during peak shopping windows. Recommended mitigations emphasize closing visibility gaps with real-time client-side monitoring, maintaining strict third-party script inventories, and deploying Content Security Policy (initially in report-only mode) using nonces rather than weakening directives.
read more →

Iframe Security Exposed — Payment Checkout Blind Spot

🔒Payment iframes are no longer a guaranteed sandbox: attackers have adopted pixel-perfect overlays and other injection techniques to steal card data from checkout pages. The article dissects the August 2024 Stripe skimmer campaign that compromised dozens of merchants and used a deprecated API to validate stolen cards in real time. It explains why legacy controls like X-Frame-Options and basic CSP fail when the host page is compromised and outlines a practical six-step defense combining strict CSP, real-time DOM monitoring, secure postMessage handling, and tooling changes required by PCI DSS 4.0.1.
read more →