Large Magecart Campaign

Recent Magecart Activity on 60 E-Commerce Sites

12 March 2020

I have recently found a few new domains that are associated with Magecart activity. This article will provide a brief overview of each domain, and will include information about the infected companies. and

Both of these domains are hosting the same files and attacking the same companies, so it is safe to assume that they come from the same attacker. This campaign has attacked 17 companies, many of which are still compromised. The attackers seem to have created a unique script for each company they targeted, usually loaded as <company_name_here>.js.

Magecart found on URLScan

Here is a table of the infected sites found so far:

| Company | First Seen | Still Compromised |
|---|---|---|
| | 2019-09-10 | Yes |
| TAFE TRIBE | 2019-09-11 | Yes |
| POSH Mommy | 2019-09-28 | Yes |
| Cvapor | 2019-10-06 | No |
| GENERATION | 2019-10-28 | Yes |
| Royal Slengor | 2019-11-14 | No |
| Kazem | 2019-11-15 | No |
| K.L. Security | 2019-12-03 | No |
| Pontto Lavabo | 2020-01-03 | Yes |
| Crystal-Fashion® | 2020-01-13 | No |
| Serigrafiaitalia | 2020-02-07 | No |
| Elgi Ultra Industries Limited | 2020-02-21 | No |
| Village Farm Grocery | 2020-03-03 | Yes |
| Car Seat Covers Direct | 2020-03-04 | Yes |

The script itself uses a fairly simple obfuscation technique: a function that runs at the beginning of the script contains some encoded text. The decoded text is a list containing the information the skimmer needs in order to send stolen data to the C2 (which is normally jsvault[.]net).

Magecart Obfuscation

This script is fairly new; I have only found references to it dating back to Feb 29th, 2020. It uses a list of base64 strings and a predefined function that decodes and decrypts them to get the information the skimmer needs to function correctly. Interestingly enough, the URL of the gate it sends the credit card information to is in plaintext in the script, so no real decryption is necessary to find it.

ObfuscatorIO obfuscation

Magecart gate

The most interesting targets of this campaign were multiple sites that sell items related to OSHA policies. After contacting the site owners it was made clear that these sites have no official affiliation with OSHA; they sell products that help clients be OSHA compliant. Either way, they removed the script not long after getting infected. Here is the table of the infected sites so far:

| Company | First Seen | Still Compromised |
|---|---|---|
| CityPharma | 2020-02-28 | No |
| King Palm | 2020-03-03 | No |
| ALVARO MORENO | 2020-03-06 | No |
| Misty Mountain Soap Co. | 2020-03-06 | Yes |

Linkedtop[.]com uses a list of base64 encoded strings to store information. The script also appears to have the JSEncrypt library written inline, which it uses to encrypt the credit card data before sending it back to the malicious actor. This is also a fairly new script, with the earliest infection dating back to Feb 27th, 2019. Here is a list of the compromised sites:

| Company | First Seen | Still Compromised |
|---|---|---|
| Madame Bridal | 2020-02-27 | Yes |
| WEI Beauty | 2020-02-28 | No |
| Forestfarm at Pacifica | 2020-03-01 | Yes |
| Vapergate | 2020-03-05 | Yes |
| Girls on the Run® | 2020-03-06 | Yes |
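As an added triage example (not code from the original post), the Python below pulls the base64 string list and the plaintext gate URL out of a captured skimmer laid out the way the scripts above and the Linkedtop[.]com variant are described, and flags the inline JSEncrypt marker. The sample script is constructed for this example and the gate host is a placeholder; jsvault.net is the C2 named in the post.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample in the layout the post describes: a list of base64 strings
# holding the skimmer's configuration, the gate URL left in plaintext, and an
# inlined crypto library. gate.example.invalid is a placeholder host.
SAMPLE_JS = """
var _0xlist = ["Y2FyZF9udW1iZXI=", "Y3Zj", "aHR0cHM6Ly9qc3ZhdWx0Lm5ldC8=", "ZXhwaXJ5"];
function d(i) { return atob(_0xlist[i]); }
/* JSEncrypt library inlined below (marker only, constructed) */
var gate = "https://gate.example.invalid/save";
document.addEventListener("submit", function (e) { /* collect fields, post to gate */ });
"""

B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{4,}={0,2})["\']')
URL_LITERAL = re.compile(r'https?://[^\s"\'<>]+')
FIELD_HINTS = ("card", "cvc", "cvv", "expir")
LIBRARY_MARKERS = ("JSEncrypt",)


def decode_b64_literals(js: str) -> list[str]:
    """Every quoted literal that is valid base64 and decodes to printable text."""
    decoded = []
    for m in B64_LITERAL.finditer(js):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary identifiers such as "submit" fail here
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(js: str) -> dict:
    """Summarise a captured script: decoded config, gate hosts, field names, libraries."""
    decoded = decode_b64_literals(js)
    urls = URL_LITERAL.findall(js) + [s for s in decoded if s.startswith("http")]
    return {
        "decoded": decoded,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "fields": [s for s in decoded if any(h in s.lower() for h in FIELD_HINTS)],
        "libraries": [lib for lib in LIBRARY_MARKERS if lib in js],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The decoded list exposes the field names the skimmer harvests and the C2 host without running the script, which is what you want when checking a site's checkout page for an injected <company_name_here>.js.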

This skimmer does not try to obfuscate its code at all. This is also the domain with the highest number of infections and the longest running campaign of the bunch. The earliest infection seen goes back to Oct 1st, 2019, and some of those sites are still infected today. Here is the list of impacted sites:

| Company | First Seen | Still Compromised |
|---|---|---|
| UCC | 2019-10-01 | Yes |
| Pretty Salon | 2019-10-01 | Yes |
| Prestige Fancy | 2019-10-01 | Yes |
| Pizzaholic | 2019-10-01 | Yes |
| Mdc Publishers | 2019-10-01 | Yes |
| Kings2dental | 2019-10-01 | Yes |
| Two A Jewelery | 2019-10-01 | Yes |
| Diamond Blade Dealer | 2019-10-01 | Yes |
| Right Way HP | 2019-10-01 | No |
| Walter Tool | 2019-10-01 | No |
| Silicone Solutions | 2019-10-02 | Yes |
| Regal Pens | 2019-10-02 | Yes |
| Stylish Fashion | 2019-10-02 | Yes |
| Board Book Albums | 2019-10-02 | Yes |
| | 2019-10-03 | No |
| X Prints | 2019-10-04 | Yes |
| Posimplicity | 2019-10-07 | No |
| Vados Bait & Tackle | 2019-10-07 | No |
| Urban Carry Holsters | 2019-10-15 | No |
| Psychology Pride | 2019-10-17 | Yes |
| Red Dot Arms | 2019-10-22 | No |
| Jan Marini | 2019-11-03 | No |
| Bula Verdde | 2019-11-05 | No |
| Steelio | 2019-11-07 | Yes |
| Osborn | 2019-11-08 | Yes |
| Harraca | 2019-11-11 | Yes |
| Petrx2go | 2019-11-13 | No |
| Black Widow Custom Bows | 2019-11-14 | No |
| Unlimited Wares | 2019-11-14 | Yes |
| Keldan | 2019-12-10 | Yes |
| Comit Stores | 2019-12-12 | No |
| US Animo | 2019-12-17 | No |
| Bantiny | 2019-12-19 | No |
| Ameda Direct | 2019-12-23 | No |
| High Performance Uni | 2020-01-05 | Yes |
| BEHC | 2020-01-29 | No |
| Jiffy Steamer | 2020-02-01 | No |
| The James Trading Group | 2020-02-04 | Yes |
| Honor Canvas | 2020-02-05 | No |
| Cockpit Hotel | 2020-02-07 | No |
| The Health Store | 2020-02-16 | No |
| Flexineb | 2020-02-16 | No |
| LumaDent | 2020-02-19 | No |
| Alexander + David | 2020-03-02 | Yes |
| Ventamatic | 2020-03-02 | No |
| Medical Part Shop | 2020-03-04 | Yes |


All of the sites have been contacted about the infection. Only two of the sites have contacted me back and removed the infection; I have not heard back from any of the others.

Domain Takedown

I have contacted the registrars of the malicious domains, urging them to take the domains down. There has been no word back from them as of the time of writing and the domains are still up.


It is a little unsettling how easily most of these sites can be compromised. All of the listed sites are running an outdated version of Magento, some as old as version 1.5, which was released in 2011. If the sites do not patch, they will most likely be hit again. Hopefully these posts are spreading awareness of credit card skimming attacks and convincing companies to patch their systems. If you have visited any of the listed sites recently, please contact your bank and ask for a new credit card, as your current card could be compromised.

All of these domains were found using an automated tool I have been developing in my free time. I hope to release this tool soon. I will also be giving a talk on Hunting for Magecart at BsidesCharm, where I will cover methods used for hunting down infections and disclosing information appropriately. You can check it out on BsidesCharm’s website. If you have any questions or comments, feel free to let me know on my Twitter or LinkedIn. I am always looking for feedback!

Thanks for reading and happy reversing!

Malware Analysis, Magecart, Skimmer, JavaScript