김민수
April 3, 2026
https://cybersecuritynews.com/magecart-hijack-estore-checkouts/
https://www.linkedin.com/posts/cybersecuritynews-share-7445510796228423680-WMRx/
Magecart Hackers Uses 100+ Domains to Hijack eStores Checkouts and Steal Card Data | cybersecuritynews
A sophisticated and long-running Magecart campaign has been quietly operating for over 24 months, infecting e-commerce websites across at least 12 countries and using more than 100 malicious domains to steal payment card data in real time. Banks, not merchants, are bearing the heaviest financial blow.
Security researchers at ANY.RUN have uncovered a large-scale Magecart operation that has remained operational since at least early 2024, infecting 17 confirmed WooCommerce websites between February 2024 and April 2025.
The operation employs a layered, multi-stage infection chain designed to frustrate detection and removal. After compromising a WooCommerce site, attackers inject a small obfuscated JavaScript loader into one of the site’s existing script files.
The second-stage payload is delivered from domains crafted to resemble legitimate web services — including fake jQuery libraries, CDN resources
For security teams, the key defensive priorities include monitoring outbound WebSocket connections from checkout pages, enforcing strict Content Security Policies (CSP), implementing JavaScript file integrity monitoring, and conducting regular third-party script audits.
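As an added example (not taken from the article or from ANY.RUN's research), the following sketch audits a checkout page's Content-Security-Policy header for the two gaps this campaign depends on: script loads from arbitrary hosts and outbound WebSocket connections to arbitrary hosts. The function names, finding codes and sample policies are assumptions made for illustration, and the checks are conservative heuristics rather than a full CSP evaluator.

```javascript
// Added example: conservative audit of a checkout page's CSP header.
// Finding codes and sample policies are constructed for illustration.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP parsing a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that allow any host: "*" or a bare network scheme such as "wss:".
function isOpenSource(src) {
  return src === "*" || /^(https?|wss?):$/i.test(src);
}

function auditCheckoutCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  // connect-src governs WebSocket/fetch/XHR targets; script-src governs
  // script loads. Both fall back to default-src when absent.
  for (const directive of ["connect-src", "script-src"]) {
    const sources = csp.get(directive) ?? csp.get("default-src");
    if (sources === undefined) {
      findings.push(`${directive}:unrestricted`);
      continue;
    }
    for (const src of sources.filter(isOpenSource)) {
      findings.push(`${directive}:open-source:${src.toLowerCase()}`);
    }
  }
  return findings;
}

// Constructed sample policies (pay.example is a placeholder host).
const weak = "default-src 'self'; script-src 'self' https:; connect-src 'self' wss:";
const strict = "default-src 'none'; script-src 'self'; connect-src 'self' https://pay.example";
console.log(auditCheckoutCsp(weak));
console.log(auditCheckoutCsp(strict));
```

An empty result means only that these two gaps are closed; a loader injected into a same-origin script file still passes `script-src 'self'`, which is why the file integrity monitoring listed above is needed alongside CSP.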