Card Not Present Fraud , Finance & Banking , Fraud Management & Cybercrime

Magecart Nightmare Besets E-Commerce Websites

Bedding Retailers May Not Be Sleeping Soundly
Magecart Nightmare Besets E-Commerce Websites
MyPillow CEO Mike Lindell, whose company was targeted by payment card sniffing cybercriminals. (Photo: MyPillow)

Script-based payment card malware continues its successful run, impacting a range of e-commerce sites, researchers at two security firms warn.

See Also: Check Kiting In The Digital Age

RiskIQ and Group-IB have described a series of attacks whose victims include shoe manufacturer Fila, two bedding-related sites - and - and others.

Countering card-sniffing malware has proved to be tricky, as the sign of an infection may be just a single line of code. Nor have large enterprises been immune: Big players such as British Airways, Ticketmaster and Newegg have all been struck over the past year (see Magecart Cybercrime Groups Harvest Payment Card Data).

Many of these attacks have been well-documented by RiskIQ, which broadly refers to the use of these tactics as Magecart, although emphasizes that many cybercriminal groups appear to be involved.

The latest attacks documented by the company show that Magecart-style gangs are continuing to experiment with new attack techniques, potentially making it harder for companies to detect when they've been compromised.

Attackers may also be expanding their horizons, and using tactics that have allowed them to steal payment card data to also pilfer login credentials, writes Yonathan Klijnsma, a threat researcher with RiskIQ, in a blog post.

"While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen, which widens the scope of potential Magecart victims far beyond just e-commerce," Klijnsma writes.

Typosquatting Tricks

RiskIQ regularly scans e-commerce sites for potential signs of skimming activity. In October 2018, it noticed that someone had set up a typosquatted domain for, which unsurprisingly, sells pillows.

Klijnsma writes that RiskIQ often sees attackers set up a look-a-like domain to host other malicious components and to store stolen payment card data. The lookalike domain, (mypiltow[.]com), carried a TLS/SSL certificate from Let's Encrypt and loaded a malicious script into

The malicious script that was pulled into was hosted on a typesquatted domain. (Source: RiskIQ)

That skimming attempt was quickly shut down, Klijnsma writes. But then RiskIQ noticed another attempt. This time, the attackers created a spoofed domain for LiveChat, a customer support tool used by many e-commerce sites.

"The attackers played a brilliant game the second time they placed a skimmer on the MyPillow website, adding a new script tag for LiveChat that matched a script tag usually inserted by the LiveChat scripts," Klijnsma writes. "The Magecart attackers went even further by proxying the standard script returned from the real LiveChat service."

Contacted on Wednesday, says it caught the attempted breach on Oct. 5, 2018. An investigation by a third party didn't turn up indications that customer data was compromised, according to a spokeswoman. The company contacted the FBI, she says.

"MyPillow reported the attempted breach to the authorities and has increased security on our website," she tells Information Security Media Group. "Our customers and their security are my number-one priority."

Klijnsma, however, disagrees with MyPillow's characterization of the attacks.

"RiskIQ observed active skimmer code on the MyPillow website during two attacks. Both attacks were successful, not 'attempted,' as stated by MyPillow," Klijnsma tells ISMG. "These skimmers were capable of intercepting credit card data for as long as they were active on the site, so MyPillow are remiss to assume no data was stolen."

Abusing GitHub

Mattress company Amerisleep was another Magecart victim. Its website appeared to have been infected with a skimmer from around April 2017 through October 2017, RiskIQ says.

The site was then clean for about a year, but Klijnsma writes that it was infected again in December 2018. He says this second attack used a new and unusual technique: Instead of using a typosquatted domain to host malicious components, attackers set up a GitHub account and page named "" It's now offline.

Attackers set up a GitHub page to host malicious scripts to attack (Source: RiskIQ)

That GitHub repository hosted a skimmer that was then called into Amerisleep's payment pages. But that ruse didn't last long.

"The actors decided to abandon the GitHub Pages approach and instead focus again on injections through their own custom domains," Klijnsma writes. "With help from GitHub, RiskIQ took down the GitHub repository and the GitHub Pages account.

RiskIQ tried to contact Amerisleep, but didn't receive a response. Efforts by ISMG to reach Amerisleep were also unsuccessful. Amerisleep's website appears to still have a malicious script on it, and it doesn't appear that the company has notified potentially affected consumers, Klijnsma writes.

JavaScript Skimmers Proliferate

But these are only the latest victims of card-harvesting script attacks. Indeed, Group-IB, a Moscow-based cybersecurity vendor and services firm, says that JavaScript payment card sniffers are proliferating. So far the company has uncovered 15 different malware families, nine of which haven't been researched before. The company plans to release a full report soon.

One of the victims Group-IB observed was the U.K. website of shoe manufacturer Fila. Group-IB says detected that the site was compromised, earlier this month, but warned that the infection could have begun around have started around November 2018.

Skimming code found on Fila's U.K. website. (Source: Group-IB)

A rough estimate by Group-IB of the number of visitors and typical conversion rates would put the potential number of victims at 5,600. Fila officials didn't immediately have a comment.

The skimming code that Group-IB found on Fila's website, which it calls GMO JS Sniffer, was also present on six other U.S.-based companies, it says, and includes capabilities designed to allow it to hide from development tools such as Firebug.

"GMO is a family of JS sniffers that target Magento-based online stores," writes Dmitry Volkov, Group-IB's head of cyber intelligence. "GMO can detect Firebug and Google Developer Tools, which allows the sniffer to remain undetected."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.