Check out CartShark! Web Skimming Detection — save your e-commerce website from data breaches!
Learn more →
Skip to content
RapidSpike
  • Platform
    • Synthetics
    • Logo
    • Synthetic User JourneysEmulate real customer interactions and ensure key processes are live 24/7.
    • Magecart Attack DetectionThe leading web-skimming and formjacking detection tool.
    • Third Party MonitoringTrack all of your third party website plugins, gateways and other add-ons.
    • Performance MonitoringEnsure peak customer experience with Web Vitals and page load monitoring.
    • Security monitoring tools for e-commerce websitesMagecart Detection PCI Compliance
  • Solutions
    • EnterpriseSupporting global brands with complex needs.
    • eCommerceShopify, Magento, BigCommerce and custom platforms.
    • TravelEnabling the monitoring of complex booking journeys.
    • AgenciesA powerful partner in providing support and service contracts.
    • GamingMonitoring interactive gaming platforms.
    • Public SectorMeeting performance and reliability SLAs of government bodies.
  • Case Studies
  • Pricing
  • Learn
    • BlogNews, advice and platform updates from the RapidSpike marketing team.
    • RapidSpike AcademyBecome an expert in page load performance, security and synthetics!
    • Knowledge BaseHelpful guidance for understanding the world of website monitoring.
  • Log In
    • RapidSpike
    • CartShark
Get a Demo
RapidSpike
Magecart Attacks Explained

Understanding the Magecart Threat

Magecart attacks, also known as web-skimming, formjacking or supply chain attacks, are a client-side attack method used to steal customers’ payment data from websites.

This is the number one threat to e-commerce sites today.

Ensure PCI DSS v4 Compliance

Monitoring scripts is a key part of new PCI DSS v4 requirements 6.4.3 and 11.6.1, designed to tackle the Magecart threat.

Find Out More

How do these attacks happen?

Hackers usually exploit a vulnerability on a web server, gaining access to either inject malicious JavaScript code or edit the HTML of the website to call a new third-party JavaScript file.

1 Magecart Explained

Your website loads third party add-ons

Nearly every website has third party plugins, or tags, used to load additional content or functionality.

Tags might include live chat, customer support, social media, ads, trackers, A/B testing, analytics or many more.

Did you know?

The average e-commerce website has 42 third party add-ons. Some third parties even load other third parties.

2 Magecart Explained

A vulnerability leads to one of your third parties being compromised

Hacking groups target one of your third party add-ons, or your own website directly, and gain access. Add-ons might have been added via Google Tag Manager, via a content management system, or directly. You may not even be aware that hackers have gained access.

Did you know?

Your website is only as secure as your weakest third party.

3 Magecart Explained

The compromised code is then running on your website

Your website loads code from a compromised third party, which enables hackers to execute Javascript on your customers’ browser.

These attacks are then happening “client-side”, where customer interactions can be monitored or intercepted.

Did you know?

Common methods include “key-logging”, where all user keypresses are recorded and sent to the hackers.

4 Magecart Explained

Sensitive data is taken without the user being aware of it

These attacks are usually focused on card payment screens, where the card details are “skimmed” by the Javascript on the website. The transaction will go through as normal, but card details have been copied and sent to a destination under the hacker’s control.

Alternatively, the compromised script loads a fake payment form instead of the secure one, and customers unwittingly enter their details there.

Did you know?

Customers and website owners might not even be aware an attack has occurred.

Other WebSkimming Attack Vectors

Attacking via third parties is not the only route in for client-side attacks to take place. Other methods include:

Domain Spoofing

Web-skimming attacks often include domain spoofing to assist in going undetected. The British Airways malicious skimmer exfiltrated card details to a spoof domain, ‘baways.com’. To an untrained eye, many of these domains could be seen as legitimate.

Malware Under Images

Steganography-based skimmers hide code within imagery to avoid detection. The Tupperware website was one victim of this style of attack, with malicious code hidden within a PNG file that activated a fraudulent payment form during the checkout process.

Fake Checkouts

Some attacks load a fake checkout
form before the legitimate checkout page or before a PayPal page. A Synthetic User monitor can continuously walk through the checkout page and alert to any new hosts found, potentially before a data breach occurs.

high Profile victims

Case Studies – Magecart Attacks

These web-skimming attacks have targeted business both large and small. In the most impactful cases, millions of customers have been affected, with substantial fines levied against the compromised websites.

British Airways

Details were taken via a script designed to steal financial information by skimming the payment page before it was submitted.

£20 million fine

380,000 customers’ details affected

16 days of attack before detection

Ticketmaster

Malicious software on third-party customer support product caused the hack. Stolen details included; names, addresses, email addresses, telephone numbers, and payment details.

4 months before detection

40,000 customers impacted

Volusion

Infected for 26 days before detection.
Volusion are an e-commerce shopping cart provider. The malicious file and domain were both disguised to look legitimate.

6,589 websites affected

239,000 payment details sold for $1.6 million

Vision Direct

JavaScript file was injected into the Vision Direct website posing to be a legitimate Google plugin. Vision Direct have provided all affected customers with an Identity Monitoring Service.

5 days before detection

6,600 customers’ details stolen

Macy’s

The breach occurred from October 7th-15th, 2019. An unauthorised third-party added malicious code to two pages on macys.com, including the checkout page and the wallet page.

1 week before detection

AMCA

AMCA have filed for Chapter 11 protection
and listed assets of $10 million. Multiple
lawsuits have been filed against AMCA.

20 million US citizens affected

$3.8 million spent on mailing individuals

Website compromised for 8 months

Magecart Attack Detection

Need help monitoring for third party script changes? Want to comply with PCI DSS v4?
Get award-winning e-commerce security from CartShark.

Find Out More

Company

  • About Us
  • Careers
  • Press
  • Contact

Platform

  • Synthetic Monitoring
  • CartShark Security
  • Performance Monitoring
  • Magecart Attack Detection
  • Third Party Monitoring
  • PCI Compliance
  • Page Load
  • Uptime
  • Assurance & SEO
  • Alerting & Integrations
  • All Features >

Value

  • Pricing
  • Case Studies
  • Magecart Attacks Explained
  • RapidSpike and New Relic

Learn

  • Blog
  • Knowledge Base
  • RapidSpike Academy
  • API Docs
  • System Status
  • Product Roadmap
  • RapidSpike Log In
  • CartShark Log In
X Instagram YouTube Linkedin

© 2025 RapidSpike. All rights reserved.

  • Privacy Policy
  • Terms of Service
  • Vulnerability Disclosure Policy
Scroll to top
  • Synthetics
    • Synthetic User Journeys
    • Magecart Attack Detection
    • Third Party Monitoring
    • Performance Monitoring
  • CartShark
    • CartShark Magecart Detection
    • Magecart Attacks Explained
  • Solutions
    • Enterprise
    • eCommerce
    • Travel
    • Digital
    • Agencies
  • Pricing
  • Blog
  • Log In
    • RapidSpike
    • CartShark