Executive Summary
Between January 2022 and January 2026, cybersecurity researchers uncovered an advanced web skimming campaign attributed to Magecart-related actors, compromising numerous e-commerce and payment websites linked to major providers including American Express, Mastercard, and others. The attackers injected heavily obfuscated JavaScript skimmers via domains controlled by sanctioned bulletproof hosts, notably Stark Industries and THE.Hosting, enabling the theft of sensitive credit card and personal data from unsuspecting users during checkout. The malicious code leveraged techniques to evade administrator detection and selectively harvested data before exfiltrating it through external servers, ultimately exposing customers and enterprises to widespread data theft risks.
The discovery highlights a sustained increase in sophisticated client-side web skimming attacks leveraging supply chain weak points and exploiting trust in major payment platforms. The evolving tactics, regulatory expectations for PCI and consumer protection, and the broadening scope of victim organizations make ongoing vigilance and technical controls imperative for all businesses accepting online payments.
Why This Matters Now
Magecart-style web skimming campaigns are rapidly escalating in frequency and sophistication, targeting both enterprises and their customers with tailored JavaScript malware capable of bypassing conventional controls. As regulators increase scrutiny of payment security and compliance frameworks, organizations must act urgently to prevent sensitive data exposure and business disruption.
Attack Path Analysis
The attackers initially compromised vulnerable e-commerce sites to inject malicious JavaScript skimmers into checkout pages. Using advanced knowledge of WordPress internals, they maintained persistence and evaded administrator detection, likely escalating privileges within the compromised web application. Lateral movement was not prominent, but could involve targeting additional sites or workloads via compromised infrastructure. The skimmer communicated with external domains for command and control, receiving payloads and commands. Sensitive payment and personal data was exfiltrated to attacker-controlled endpoints using HTTP POST requests. The attackers aimed for stealth and monetization by erasing evidence post-exfiltration, impacting organizations and their customers by stealing payment card data.
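The client-side entry point described above (a skimmer injected into the checkout page's script set) is what a script inventory and integrity check, of the kind PCI DSS 6.4.3 asks for, is meant to catch. The following Python is an added example, not code from the advisory or from the researchers it cites: it parses a checkout page, lists every script, and flags external scripts from hosts outside an allow-list, approved scripts whose SRI integrity attribute does not match the expected hash, and inline scripts carrying common obfuscation indicators. The hosts, the hash allow-list and the sample page are all constructed for the example.

```python
"""Checkout-page script inventory check.

Added example (not the advisory's code). It parses a checkout page's HTML,
lists every <script>, and flags: external scripts from hosts outside an
allow-list, approved scripts whose SRI integrity attribute does not match the
expected hash, and inline scripts carrying common obfuscation indicators.
All hosts, hashes and the sample page are constructed for the example.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser


def sri_for(content: bytes) -> str:
    """Subresource Integrity value (sha384) for a known-good script body."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode()


# Constructed allow-list: approved script URL -> expected SRI hash.
APPROVED_SCRIPTS = {
    "https://js.example-psp.test/checkout.js": sri_for(b"console.log('psp');"),
}
# Hosts that may serve scripts to the checkout page (constructed).
APPROVED_HOSTS = {"js.example-psp.test"}

# Heuristic indicators seen in obfuscated inline scripts; a hit is a lead, not proof.
OBFUSCATION_PATTERNS = [
    r"\beval\s*\(",
    r"\batob\s*\(",
    r"String\.fromCharCode",
    r"\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}",   # run of 8+ hex escapes
    r"[A-Za-z0-9+/]{120,}={0,2}",                    # long base64 blob
]


class ScriptCollector(HTMLParser):
    """Collects src, integrity and body of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def host_of(url: str):
    """Host of an absolute http(s) URL; None for relative (first-party) paths."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def audit_checkout_page(html: str):
    """Return (kind, detail) findings for scripts that violate the inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if src:
            host = host_of(src)
            if host is not None and host not in APPROVED_HOSTS:
                findings.append(("unapproved_host", src))
            elif src not in APPROVED_SCRIPTS:
                findings.append(("unlisted_script", src))
            elif s["integrity"] != APPROVED_SCRIPTS[src]:
                findings.append(("integrity_mismatch", src))
        else:
            hits = [p for p in OBFUSCATION_PATTERNS if re.search(p, s["body"])]
            if hits:
                findings.append(("suspicious_inline", f"{len(hits)} obfuscation indicators"))
    return findings


# Constructed sample checkout page: one approved script with a correct SRI hash,
# one script from an unknown host, one obfuscated-looking inline script, and one
# script from an approved host that is not on the inventory.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://js.example-psp.test/checkout.js" integrity="{sri}" crossorigin="anonymous"></script>
<script src="https://cdn.attacker-controlled.invalid/jquery.min.js"></script>
<script>var _0x1a=['\\x63\\x68\\x65\\x63\\x6b\\x6f\\x75\\x74'];eval(atob('dmFyIHg9MTs='));</script>
<script src="https://js.example-psp.test/analytics.js"></script>
</head><body><form id="checkout"></form></body></html>
""".format(sri=APPROVED_SCRIPTS["https://js.example-psp.test/checkout.js"])

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:20s} {detail}")
```

Run this against a rendered copy of the checkout page on a schedule (or from a synthetic-transaction monitor) and diff the findings against the previous run; a new unlisted or unapproved script on a payment page is the change the advisory describes and should page someone, while the obfuscation heuristics are only a prompt for a human to read the script.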
Kill Chain Progression
Initial Compromise
Description
Attackers gained access to e-commerce web servers (often through unpatched vulnerabilities or compromised admin credentials) and injected obfuscated JavaScript skimming scripts into payment pages.
Related CVEs
CVE-2022-24086
CVSS 9.8
Magento 2.4.3-p1 and earlier versions are vulnerable to an improper input validation vulnerability that could allow an unauthenticated attacker to execute arbitrary code.
Affected Products:
Adobe Magento – <= 2.4.3-p1
Exploit Status:
exploited in the wild
CVE-2021-25094
CVSS 9.8
The WordPress WP Fastest Cache plugin before 0.9.5.4 allows unauthenticated users to perform arbitrary file uploads, leading to remote code execution.
Affected Products:
WP Fastest Cache WP Fastest Cache Plugin – < 0.9.5.4
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
JavaScript
Exploit Public-Facing Application
Web Shell
Masquerading
Deobfuscate/Decode Files or Information
Web Protocols
Spearphishing via Service
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – JavaScript Integrity on Payment Pages
Control ID: 6.4.3
PCI DSS v4.0 – Incident Response for Payment Data
Control ID: 12.10.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Supply Chain and Digital Service Security
Control ID: Art. 21(2)(d)
CISA Zero Trust Maturity Model 2.0 – Application Threat Detection and Risk Monitoring
Control ID: Applications - Visibility & Analytics
DORA (Digital Operational Resilience Act) – ICT System Security and Monitoring
Control ID: Art. 7(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
E-commerce platforms face critical web skimming threats targeting checkout pages, requiring enhanced egress security and threat detection to protect customer payment data from JavaScript-based attacks.
Financial Services
Payment networks such as American Express and Mastercard, targeted by long-running skimming campaigns, need zero trust segmentation and encrypted traffic protection to secure transactions.
Hospitality
Online booking and payment systems vulnerable to Magecart attacks require multicloud visibility and anomaly detection to prevent credit card theft during reservation processes.
Internet
Web hosting providers and e-commerce platforms need inline IPS protection and cloud firewall capabilities to detect obfuscated JavaScript payloads targeting payment forms.
Sources
- Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages: https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html (Verified)
- Silent Push Uncovers New Magecart Network: Disrupting Online Shoppers Worldwide: https://www.silentpush.com/blog/magecart/ (Verified)
- Online shoppers at risk as Magecart skimming hits major payment networks: https://www.malwarebytes.com/blog/news/2026/01/online-shoppers-at-risk-as-magecart-skimming-hits-major-payment-networks (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as segmentation, workload-level policy enforcement, traffic inspection, and egress filtering would have significantly limited the attacker's ability to insert, communicate, and exfiltrate malicious payloads—reducing both dwell time and data exposure within the web application environment.
Control: Zero Trust Segmentation
Mitigation: Minimized unauthorized access to application and web workloads.
Control: Multicloud Visibility & Control
Mitigation: Improved detection of unusual admin activity or privilege changes.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized intra-cloud movement.
Control: Cloud Firewall (ACF)
Mitigation: Detected and blocked suspicious outbound C2 domains.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized data exfiltration via outbound filtering policies.
Rapid identification and response to abnormal web transaction flows.
Impact at a Glance
Affected Business Functions
- Payments
- E-commerce Operations
- Customer Data Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Personal and financial data of customers, including names, addresses, phone numbers, email addresses, credit card numbers, expiration dates, and CVV codes, were exposed.
Recommended Actions
Key Takeaways & Next Steps
- Enforce microsegmentation and identity-based policies to isolate sensitive workloads and restrict administrative access to production web servers.
- Deploy centralized egress controls and cloud firewalls to block unauthorized internet communications from application workloads.
- Implement continuous anomaly and threat detection for both east-west and egress traffic, focusing on web transaction flows and code changes.
- Leverage end-to-end encryption for data in transit, ensuring intercepted traffic is unusable for attackers during exfiltration attempts.
- Maintain comprehensive workload visibility and policy governance across multi-cloud web applications to rapidly detect and contain unauthorized changes or suspicious behaviors.
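The egress controls and anomaly detection recommended above apply to the workloads; the skimmer's exfiltration, however, happens from the shopper's browser, so the page itself needs an equivalent control. The following Python is an added example, not code from the advisory or from any vendor it names: it builds a Content-Security-Policy that limits where the checkout page may load scripts from and send data to, and triages the browser violation reports (the csp-report JSON delivered to the report-uri endpoint) to surface attempted connections to hosts outside the allow-list. The origins, the collector path and the sample reports are constructed.

```python
"""Browser-side egress control for a checkout page via Content-Security-Policy.

Added example (not the advisory's code). build_checkout_csp() produces a policy
that limits where checkout-page scripts may load from and send data to, and
triage_csp_reports() reads browser violation reports (the csp-report JSON the
report-uri directive delivers) and counts attempted connections to hosts outside
the allow-list. Origins, the collector path and the sample reports are constructed.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed allow-list of origins the checkout page legitimately uses.
ALLOWED_SCRIPT_ORIGINS = ["https://js.example-psp.test"]
ALLOWED_CONNECT_ORIGINS = ["https://api.example-psp.test"]
REPORT_ENDPOINT = "/csp-reports"  # hypothetical collector on the shop's own origin


def build_checkout_csp(report_only: bool = False):
    """Return (header name, header value). Start in report-only mode to
    learn legitimate traffic, then switch to enforcing."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(ALLOWED_SCRIPT_ORIGINS),
        "connect-src 'self' " + " ".join(ALLOWED_CONNECT_ORIGINS),
        "form-action 'self' " + " ".join(ALLOWED_CONNECT_ORIGINS),
        "img-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "report-uri " + REPORT_ENDPOINT,
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


# Directives whose violations mean the page tried to send something off-site
# (fetch/XHR/beacon, form posts, or image-beacon style requests).
EGRESS_DIRECTIVES = {"connect-src", "form-action", "img-src"}


def triage_csp_reports(report_lines):
    """Aggregate violation reports by offending host.

    Returns {"egress": {host: count}, "scripts": {host: count}} for hosts
    outside the allow-list; 'inline'/'eval' reports carry no host and are skipped.
    """
    allowed_hosts = {urlparse(o).hostname for o in ALLOWED_SCRIPT_ORIGINS + ALLOWED_CONNECT_ORIGINS}
    egress, scripts = Counter(), Counter()
    for line in report_lines:
        try:
            report = json.loads(line).get("csp-report", {})
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed line: skip rather than crash the collector
        directive = report.get("effective-directive") or report.get("violated-directive", "")
        directive = directive.split()[0] if directive else ""
        host = urlparse(report.get("blocked-uri", "")).hostname
        if host is None or host in allowed_hosts:
            continue
        if directive in EGRESS_DIRECTIVES:
            egress[host] += 1
        elif directive.startswith("script-src"):
            scripts[host] += 1
    return {"egress": dict(egress), "scripts": dict(scripts)}


def _report(directive, blocked_uri):
    """Build one constructed csp-report line in the shape browsers send."""
    return json.dumps({"csp-report": {
        "document-uri": "https://shop.example.test/checkout",
        "effective-directive": directive,
        "blocked-uri": blocked_uri,
        "disposition": "enforce",
    }})


# Constructed sample: two data-egress attempts, one image beacon, one blocked
# script load, one inline-script report (no host) and one malformed line.
SAMPLE_REPORT_LINES = [
    _report("connect-src", "https://collect.attacker-controlled.invalid/collect"),
    _report("connect-src", "https://collect.attacker-controlled.invalid/collect"),
    _report("img-src", "https://collect.attacker-controlled.invalid/pixel.gif"),
    _report("script-src-elem", "https://cdn.attacker-controlled.invalid/jquery.min.js"),
    _report("script-src-elem", "inline"),
    "not a json report",
]

if __name__ == "__main__":
    print(*build_checkout_csp(report_only=True), sep=": ")
    print(triage_csp_reports(SAMPLE_REPORT_LINES))
```

Deploy the header in report-only mode first so legitimate third-party traffic can be added to the allow-list, then enforce it; a burst of connect-src or img-src reports toward a host nobody has heard of, from the checkout route only, is the browser-side signal that matches the exfiltration described in this advisory. The report-uri directive is older than report-to but is still what most browsers deliver reports through, so collectors should accept the csp-report shape used here.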