Web skimming

From Wikipedia, the free encyclopedia

Web skimming, formjacking or a magecart attack is an attack where the attacker injects malicious code into a website and extracts data from an HTML form that the user has filled in. That data is then submitted to a server under control of the attacker.[1][2]


Subresource Integrity or a Content Security Policy can be used to protect against formjacking, although this does not protect against supply chain attacks. A web application firewall can also be used.[2][3]


A report in 2016 suggested as many as 6,000 e-commerce sites may have been compromised via this class of attack.[4] In 2018, British Airways had 380,000 card details stolen in via this class of attack.[5] A similar attack affected Ticketmaster the same year with 40,000 customers affected[6] by maliciously injected code on payment pages.


Magecart is software used by a range[7] of hacking groups for injecting malicious code into ecommerce sites to steal payment details.[8] As well as targeted attacks such as on Newegg,[9] it's been used in combination with commodity Magento extension attacks.[10] The 'Shopper Approved' ecommerce toolkit utilised on hundreds of ecommerce sites was also compromised by Magecart[11] as was the conspiracy site InfoWars.[12]

According to Malwarebytes, the Magecart software has tried to avoid detection by using the WebGL API to check whether a software renderer such as "swiftshader", "llvmpipe" or "virtualbox" is used. That would indicate that the software is running in a virtual machine and that the user is not a real world victim.[13]


  1. ^ Reddy, Niranjan (2019). Practical Cyber Forensics : an Incident-Based Approach to Forensic Investigations. Berkeley, CA. ISBN 978-1-4842-4460-9. OCLC 1110377452.
  2. ^ a b "You Need to Protect Your Website Against Formjacking Right Now". PCMag. Retrieved 2021-05-20.{{cite web}}: CS1 maint: url-status (link)
  3. ^ Wueest, Candid. "Internet Security Threat Report - Formjacking: How Malicious JavaScript Code is Stealing User Data from Thousands of Websites Each Month". Symantec.{{cite web}}: CS1 maint: url-status (link)
  4. ^ Ismail, Nick (13 October 2016). "Stowaways: malicious skimming code hiding in almost 6,000 online shops". Retrieved 9 December 2018.
  5. ^ Whittaker, Zack (11 September 2018). "British Airways breach caused by credit card skimming malware, researchers say". Retrieved 9 December 2018.
  6. ^ Priday, Richard (28 June 2018). "The Ticketmaster hack is a perfect storm of bad IT and bad comms". Retrieved 9 December 2018.
  7. ^ Whittaker, Zack (13 November 2018). "Meet the Magecart hackers, a persistent credit card skimmer group of groups you've never heard of". Retrieved 9 December 2018.
  8. ^ Muncaster, Phil (1 October 2018). "Magecart: Time to Focus on Web Security to Mitigate Digital Skimming Risk". Archived from the original on 10 December 2018. Retrieved 9 December 2018.
  9. ^ Osborne, Charlie (19 September 2018). "Magecart claims another victim in Newegg merchant data theft". Retrieved 9 December 2018.
  10. ^ Cimpanu, Catalin (23 October 2018). "Magecart group leverages zero-days in 20 Magento extensions". Retrieved 9 December 2018.
  11. ^ Leyden, John (9 October 2018). "Payment-card-skimming Magecart strikes again: Zero out of five for infecting e-retail sites". Retrieved 9 December 2018.
  12. ^ Blake, Andrew (14 November 2018). "Alex Jones' Infowars store infected with malware capable of skimming payment data". Retrieved 9 December 2018.
  13. ^ "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar". Threatpost. Retrieved 2022-04-03.