New Magecart Network Uncovered: Disrupting Online Shoppers Worldwide
A new Magecart network has been uncovered, targeting major payment networks including American Express, Diners Club, Discover, and Mastercard. The campaign, active since January 2022, uses web-skimming techniques to steal credit card information from online shoppers. The attackers inject malicious JavaScript code into compromised e-commerce websites, creating fake payment forms that capture and exfiltrate sensitive data. The skimmer employs sophisticated obfuscation techniques and mimics legitimate payment processes to avoid detection. Victims are unaware of the theft, as the malware allows the real transaction to proceed after capturing the data. The campaign demonstrates advanced knowledge of e-commerce platforms and continues to pose a significant threat to online retailers and consumers worldwide.
AI Analysis
Technical Summary
This newly uncovered Magecart network represents a sophisticated web-skimming campaign targeting major payment card brands including American Express, Diners Club, Discover, and Mastercard. Since January 2022, attackers have compromised e-commerce websites by injecting malicious JavaScript code that creates fake payment forms. These forms capture sensitive credit card information entered by online shoppers and exfiltrate it to attacker-controlled infrastructure, such as the domain cdn-cookie.com. The malware employs advanced obfuscation and mimics legitimate payment workflows to evade detection by security tools and users alike. Importantly, the skimmer allows the real transaction to complete successfully, so victims remain unaware of the data theft. The campaign demonstrates deep knowledge of e-commerce platforms and payment processing, indicating a well-resourced adversary. Although no CVE or known exploits in the wild are currently documented, the threat persists globally and continues to evolve. Indicators of compromise include specific malicious URLs and domains used for hosting the skimmer scripts. The attack leverages techniques such as JavaScript injection (T1059.007), obfuscation (T1027), and data exfiltration over web protocols (T1071.001). This campaign poses a direct threat to online retailers, payment processors, and consumers by facilitating credit card theft and subsequent payment fraud.
Potential Impact
For European organizations, this Magecart campaign threatens the confidentiality of customer payment data, potentially leading to large-scale credit card fraud and financial losses. Retailers and payment processors in Europe could suffer reputational damage, regulatory penalties under GDPR for failing to protect personal data, and operational disruptions due to incident response efforts. The theft of payment information undermines consumer trust in e-commerce platforms, which is critical in the European market where online shopping is widespread. Additionally, compromised merchants may face chargebacks and increased fraud monitoring costs. The campaign’s stealthy nature complicates detection and mitigation, increasing the risk of prolonged data exposure. Given the prominence of European payment networks and the volume of online transactions, the threat could have broad financial and legal implications across the region.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to combat Magecart-style web-skimming attacks. Specific measures include:
1. Conducting thorough code audits and integrity checks on all e-commerce web pages, especially payment forms, to detect unauthorized JavaScript injections.
2. Employing Content Security Policy (CSP) headers to restrict script loading to trusted domains and to block inline scripts.
3. Using Subresource Integrity (SRI) to ensure externally loaded scripts have not been tampered with.
4. Monitoring network traffic for suspicious connections to known malicious domains such as cdn-cookie.com.
5. Implementing runtime application self-protection (RASP) or web application firewalls (WAF) with rules targeting Magecart behaviors.
6. Regularly scanning for indicators of compromise (IOCs), including the listed malicious URLs and domains.
7. Educating development and security teams on Magecart tactics and ensuring timely patching of e-commerce platform vulnerabilities.
8. Collaborating with payment processors to monitor for unusual transaction patterns indicative of skimming.
9. Employing anomaly detection on client-side behavior to identify injected scripts.
10. Ensuring incident response plans include Magecart-specific scenarios to enable rapid containment and remediation.
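The page-audit, CSP, SRI and IOC-matching measures above can be exercised together in one script. The following is an added example written for this page; it is not code from the advisory, from AlienVault or from Silent Push. The IOC domains are the ones listed on this page; the allowlist hosts `shop.example` and `js.payments.example` and the sample checkout HTML are constructed for the example, and the function names are the example's own.

```python
"""Added example for this advisory (not code from AlienVault or Silent Push).

Audits a checkout page's <script> tags against an allowlist and the IOC
domains listed on this page, builds a CSP script-src from the allowlist,
flags weak script-src settings, and computes/verifies SRI digests.
Standard library only.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains taken from this page's Indicators of Compromise.
IOC_DOMAINS = {"cdn-cookie.com", "www.cdn-cookie.com", "colunexshop.com", "lasorie.com"}

# Hypothetical allowlist of hosts the shop legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}

# Constructed checkout page: a first-party script, an allowed payment SDK,
# an unexpected third-party script, the skimmer URL from the IOC list,
# and one inline script.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js"></script>
<script src="https://static.unknown-cdn.example/tag.js"></script>
<script src="http://cdn-cookie.com/recorder.js"></script>
<script>window.__cfg = {};</script>
</head><body><form id="payment"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Record external script sources and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def is_ioc_domain(host, ioc_domains=IOC_DOMAINS):
    """True if host is an IOC domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, ioc_domains=IOC_DOMAINS):
    """Classify every <script> on the page.

    Relative sources (no host) count as first-party. Returns IOC matches,
    sources outside the allowlist, and the number of inline scripts.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    ioc_hits, unexpected = [], []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is None:
            continue
        if is_ioc_domain(host, ioc_domains):
            ioc_hits.append(src)
        elif host.lower() not in allowed_hosts:
            unexpected.append(src)
    return {"ioc_hits": ioc_hits, "unexpected_hosts": unexpected,
            "inline_scripts": collector.inline}


def build_csp(allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """CSP limiting scripts to 'self' plus the allowlist. No 'unsafe-inline',
    so an injected inline skimmer is refused by the browser."""
    sources = " ".join(["'self'"] + sorted("https://" + h for h in allowed_hosts))
    return f"default-src 'self'; script-src {sources}; object-src 'none'; base-uri 'self'"


def script_src_weaknesses(csp):
    """Return source expressions in script-src (or the default-src fallback)
    that would let injected or arbitrary-host scripts execute."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src"]
    return [s for s in ("'unsafe-inline'", "*", "https:", "http:", "data:") if s in sources]


def sri_digest(script_bytes, algo="sha384"):
    """Value for the integrity attribute of a <script> tag."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(script_bytes, integrity):
    """Check a fetched script body against a stored integrity value."""
    algo = integrity.split("-", 1)[0]
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return sri_digest(script_bytes, algo) == integrity


if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_CHECKOUT_HTML).items():
        print(f"{key}: {value}")
    print(build_csp())
    print(script_src_weaknesses("script-src 'self' 'unsafe-inline' https:"))
    print(sri_digest(b"console.log('checkout');"))
```

Run against a page fetched from the live checkout on a schedule and diff the result against a known-good baseline: a new entry in `ioc_hits` or `unexpected_hosts`, or a change in `inline_scripts`, is the signal that a script was injected. The `script_src_weaknesses` check is the one to run against the policy a site already serves, since a `script-src` that contains `'unsafe-inline'` or a bare `https:` does not block the injection the advisory describes.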
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Indicators of Compromise
- url: http://cdn-cookie.com/recorder.js
- domain: cdn-cookie.com
- domain: colunexshop.com
- domain: lasorie.com
- domain: www.cdn-cookie.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.silentpush.com/blog/magecart
- Adversary: Magecart
- Pulse Id: 69669ed85739c5f6675d3cbd
- Threat Score: null
Threat ID: 696777e78330e06716d549fb
Added to database: 1/14/2026, 11:03:03 AM
Last enriched: 1/14/2026, 11:17:02 AM
Last updated: 1/14/2026, 3:27:55 PM