{
	"id": "849c1df7-3b07-42ab-9b63-1256d32b506b",
	"created_at": "2026-04-06T00:11:51.103315Z",
	"updated_at": "2026-04-10T03:24:11.882075Z",
	"deleted_at": null,
	"sha1_hash": "14cc938b28cf45badecfbd417f9aba63c4f12058",
	"title": "Following the tracks of MageCart 12 – Max Kersten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56813,
	"plain_text": "Following the tracks of MageCart 12 – Max Kersten\r\nPublished: 2020-02-17 · Archived: 2026-04-05 17:30:28 UTC\r\nThis research is a follow-up to the two previous articles about MageCart 12. At first, two infected ticket resellers\r\nwere found, after which multiple other infected websites were caught by Jacob and me. RiskIQ also followed up\r\non our findings with additional research where they found two popular websites to be infected with a credit card\r\nskimmer that has been attributed to MageCart 12.\r\nThis article lists newly infected websites, as well as websites that were infected once more. Before\r\ngoing into the websites, a small note about the skimmer’s modus operandi is made.\r\nThe modus operandi\r\nSimilar to the opendoorcdn.com campaign, there is no legitimate JavaScript code within the file. The skimmer is\r\n(similar to opendoorcdn.com) hosted on an external site, toplevelstatic.com, which resolves to different IP\r\naddresses. These IP addresses are mostly (if not all) located in Russia.\r\nThe obfuscation used is similar to the previous skimmer script, where the first stage functions as a loader, whereas\r\nthe second stage contains the original script with added garbage code and string obfuscation. Note that the second\r\nstage script is only loaded if it is not tampered with, based on the hash check that is included in the second stage.\r\nWhen removing the dead code and string obfuscation from the second stage, the script is identical to the original\r\ninput, aside from the function names. This skimmer script is identical to the one that was found on\r\nopendoorcdn.com, aside from the exfiltration gate’s address.\r\nThe victims\r\nAll infected sites have been contacted prior to the publication of this blog, although there was no response back to\r\nus. 
Information about each victim is given below.\r\nSuplementos Gym\r\nThe first sighting of a skimmer on Suplementos Gym was on the 31st of January 2020. This specific skimmer still\r\nconnected back to opendoorcdn.com, which was taken down by the combined efforts of Jacob and myself. The\r\nfirst recorded sighting of the toplevelstatic.com skimmer was on the 7th of February 2020. The latest recorded\r\ndate on which the skimmer was active was the 10th of February 2020, as can be seen here. Contact was established\r\nvia e-mail, but there was no response back.\r\nBahimi\r\nThe Bahimi web shop, which was also infected with the opendoorcdn.com skimmer in November 2019, has also\r\nbeen infected with the toplevelstatic.com skimmer on the 7th of February 2020. It is unknown for how long the\r\nskimmer remained active on the website. Despite our best efforts, there was no response to our e-mail and Tweet.\r\nTitansSports\r\nTitansSport is the last entry in the list of victims that was also infected with the opendoorcdn.com skimmer in\r\nearly January 2020. The toplevelstatic.com infection was present on the 7th of February 2020, although the exact\r\ntime span is not yet known. Contact was made via e-mail and WhatsApp, but no response was received.\r\nBVC\r\nBVC got infected on the 3rd of February 2020, as can be seen here. A snapshot of the 7th of February 2020 shows\r\nthat the skimmer was still active, continuing on the 16th of February. The skimmer is still active at the time of\r\nwriting, which is the 19th of February 2020. An e-mail was sent to inform BVC, but no response was received.\r\nMyMetroGear\r\nThe infection on MyMetroGear was first sighted on the 4th of February 2020. The infection continued through the\r\n7th of February, until the 16th of February 2020. The skimmer is still live at the time of writing, which is the 19th\r\nof February 2020. 
No answer was given to the e-mail we sent to MyMetroGear.\r\nTrue Precision\r\nTrue Precision’s web shop was infected on the 4th of February 2020. The infection is ongoing at the time of\r\nwriting (which is the 19th of February 2020). The infection was also stored in snapshots on the 7th of February\r\n2020 and the 19th of February 2020. There was no response to our e-mail or Tweet.\r\nFashion Window Treatments\r\nFashion Window Treatments got infected on the 6th of February, and is still infected at the time of writing (the\r\n19th of February 2020). There was no response to our e-mail or Tweet.\r\nSkin Trends\r\nSkin Trends’s web shop was infected on the 6th of February 2020. After the 7th of February 2020, there is no\r\nrecord of an infection. Since our data collection is not exhaustive, the exact end date of the infection is unknown,\r\nbut it was at least prior to the 16th of February 2020. No response was received to our e-mail or Tweet.\r\nNatonic\r\nNatonic got infected on the 10th of February 2020. On the 17th of February 2020, the entire skimmer was put on\r\nthe website as a piece of JavaScript, instead of being loaded externally. Shortly after that, the skimmer was not\r\npresent anymore. No response was received to the e-mail that we sent out.\r\nConclusion\r\nIf you have shopped at one of the mentioned sites around the infection period, it is suggested to contact your bank\r\nand request a new credit card. 
Also note that all information that was entered on the site’s payment form was\r\nstolen by the credit card skimmer and should be considered compromised.\r\nAdditionally, I’d like to thank Jacob for the clear communication and cooperation when conducting this research.\r\nTo contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on BlueSky @maxkersten.nl.\r\nSource: https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/"
	],
	"report_names": [
		"following-the-tracks-of-magecart-12"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14cc938b28cf45badecfbd417f9aba63c4f12058.pdf",
		"text": "https://archive.orkl.eu/14cc938b28cf45badecfbd417f9aba63c4f12058.txt",
		"img": "https://archive.orkl.eu/14cc938b28cf45badecfbd417f9aba63c4f12058.jpg"
	}
}