Magecart Monthly: May

A new monthly feature blog on all things Magecart going on in the news. This summary gives you all the known facts about data breaches reported in the news as well as an insight from our own RapidSpike Security Researcher.

New attacks this month:

  • Over 100 Websites Attacked
  • Picreel and Alpaca Forms
  • Forbes
  • Cleor
  • Leicester City FC

Over 100 Websites Attacked

Early May, NetLab 360 discovered an attack on over 100 websites, undetected for 5 months. Similar to other Magecart attacks, the malicious domain was imitating a legitimate domain, on this occasion the well-known e-commerce CMS software vendor, Magento.

The domain Magento-analytics [.] com was used to disguise the code. The domain was registered in Panama but the IP address has moved to several different countries. This behaviour prompted NetLab 360 to investigate the domain and this is when they discovered JavaScript scripts skimming financial data.

During the 5-month long attack 105 e-commerce websites were infected including six among the Alexa Top One Million. Sites infected sold a variety of goods including; wine, bicycles, luxury designer bags, baby products, and electronics. The scale of this data breach is currently unknown, however, we expect to see investigation updates from the various parties involved in upcoming months.

Picreel and Alpaca Forms

Sanguine Security Researcher Willem De Groot discovered malicious code on over 4,600 websites using Alpaca Forms and Picreel. 1,249 websites were infected via Picreel – an analytics service and 3,345 websites via open-source form builder project, Alpaca forms.

Koddos reported ‘(Alpaca Forms)…was initially built by CloudCMS before being open-sourced over eight years ago with the company still providing a free CDN (Content Delivery Network) service for the project they birthed. In the case of Alpaca, the hackers managed to infiltrate the CloudCMS managed CDN to modify one of the alpaca scripts.’. Willem De Groot told ZDNet it was the same threat actor who was responsible for both attacks. The sensitive payment data was sent to the cybercriminal’s server in Panama.

Cloud CMS have responded to the attack discovery stating:

‘We investigated this. It wasn’t related to Cloud CMS but rather to the Alpaca forms open source project. We removed the free hosting of those infected js files for now. And will get them back online as quick as we can. Thank you for all of the information you provided!’

So far there has been no further information regarding how these attacks took place, however, Cloud CMS have suggested that a possible cause is a basic httpd known vulnerability was exploited. The code was removed the same day and a continued investigation is taking place to explore the attack.


Security Researcher Troy Mursch, the Founder of Bad Packets Report, told Threatpost he noticed the copromised Forbes subscription site on Wednesday 15th May. The attack was on the magazine subscription site and not the Forbes main site

A Forbes spokesperson states; ‘Forbes is fairly confident that no one was impacted by the skimmer.’, however, Mursch and experts at RapidSpike agree that if you have purchased anything from the Forbes subscription website during the time of the attack your details were most likely stolen.

Bleeping Computer explain‘The attackers used the WebSocket protocol to exfiltrate the stolen data, a computer communications protocol which enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.’.

RapidSpike’s Security Expert investigated this attack and had the following to say;

‘This is the first high profile attack to use WebSockets to transfer stolen data and an example of how hackers are deploying more advanced features to get around services monitoring data breaches. Unfortunately, a lot of tools can’t detect WebSocket activity so this could be the start of a trend used by hacking groups. Obscurification techniques in the JavaScript skimmers themselves can only go so far, so it makes sense to try and mask the exfiltration process as well.’


French Jewellery Chain Cleor operates 136 boutiques across France. On 10th April 2019, Netcraft discovered the infection on Cleor’s website. The malicious JavaScript Skimmer stole sensitive payment data from the site and transmitted it to the attacker’s server.

The code was injected into the website alongside a legitimate Facebook tracking script. Disguised in a similar manner to the BA skimmer code, external domain cleor [.] co, mimicked the real cleor website domain Registered on 10th January 2019 this suggests this was a carefully planned attack. The code used was also obfuscated to disguise its purpose. Netcraft explain; ‘The data sent to the dropsite is Base64-encoded, decoding it reveals a JSON array containing all of the credentials entered into the form.’.

A keystroke logger stole credentials immediately when entered and not just when submitted. Therefore, customers who did not complete their purchase are also at risk. Magecart attacks leave the legitimate payment unaffected and the payment will still process through to the website. This makes skimming difficult to spot without detection solutions.

There are no further details regarding infection time or the number of customers affected.

Leicester City FC

Sneaking into the end of May, the discovery of a payment skimmer on the Leicester City FC merchandise website, compromising the site for 11 days between 23rd April and 4 May.

The Register first reported the attack, speaking to a ‘Foxes Follower’ who gave inside information explaining how Leicester City FC emailed customers with the following message:

“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.”

A formal statement from the club explains that an on-going investigation into the data breach is taking place. Leicester City FC informed the Police, the Information Commissioner’s Office (ICO), and all affected customers.

This attack follows recent magecart attacks to other sporting websites including; Atlanta Hawks and Umbro Brasil’s merchandise stores, Topps sports collectible site and Puma Australia’s apparel site.

RapidSpike security researchers have taken the time to investigate all attacks which occurred in May. We can confidently say our Data Breach Monitor would have detected every attack. Click here to learn more about Magecart Attack Detection.

Detect website skimming, formjacking and supply chain attacks.

Other Security News: