{
	"id": "7dac6ec6-d89e-4df0-83dc-2fb8247f75ff",
	"created_at": "2026-04-06T00:16:34.307086Z",
	"updated_at": "2026-04-10T03:24:11.677734Z",
	"deleted_at": null,
	"sha1_hash": "be19101834cd02b71e494feb1a1d48eb989c5eb3",
	"title": "Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2992202,
	"plain_text": "Magecart Group Compromises Plugin Used in Thousands of Stores,\r\nMakes Rookie Mistake\r\nBy Ionut Ilascu\r\nPublished: 2018-10-09 · Archived: 2026-04-02 11:29:41 UTC\r\nA group behind recent Magecart campaigns made a mistake that could have cost thousands of web stores the payment card\r\ndata of their customers when they checked out.\r\nThe cybercriminals managed to compromise the popular Shopper Approved plugin used by online merchants to collect\r\ncustomer reviews and ratings. The plugin helps increase visibility by displaying the reviews in strategic locations through\r\nadvertising networks from Google or Microsoft.\r\nSecurity researchers from digital risk management company RiskIQ received an alert on September 15 from their systems\r\nfor positive identification of the Magecart skimming code in the certificate.js script of the Shopper Approved seal code.\r\nThe investigation revealed that the attackers injected the code without applying any obfuscation, which made it easy to\r\ndetect and identify. Aware of the mistake, they returned about 15 minutes later and modified the skimmer to hide it.\r\nDeobfuscated Magecart card-skimming script\r\nThis blunder, although minor, was enough to let researchers view the clean code without having to resort to deobfuscation\r\ntechniques.\r\nObfuscated code, 15 minutes later\r\nOf note is the drop server set up by the attackers to receive the payment card data, which is the same used in the Feedify\r\nhack, a month ago.\r\nRiskIQ used several channels of communication to alert Shopper Approved of the compromise and help them mitigate the\r\nissue. 
Two days later, the skimmer code was removed from the store review widget. An investigation was also started to\r\nlearn the source of the compromise.\r\n“While Shopper Approved is active on thousands of websites, only a small fraction of their clients were impacted,” RiskIQ\r\nsays in a report shared with BleepingComputer in advance.\r\nShopper Approved identified clients that loaded the compromised script and contacted them to help remediate the issues.\r\nAt least seven groups associated with Magecart campaigns\r\nMagecart is the term used for multiple groups that either compromise shopping websites directly or go further up the stream\r\nand infect plugins used by a large number of online stores, in an attempt to score big.\r\nAt the moment, RiskIQ distinguishes between seven groups, some of them responsible for the Ticketmaster, British\r\nAirways, Feedify, and Newegg breaches.\r\nThe recommendation from the experts is to remove third-party code from checkout pages. Many payment service providers\r\nhave already adopted this practice, RiskIQ informs.\r\nThe Magecart threat is unlikely to disappear any time soon. In fact, a sharp increase in the number of attacks has been\r\nspotted in September by multiple security outfits.\r\nSource: https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/"
	],
	"report_names": [
		"magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be19101834cd02b71e494feb1a1d48eb989c5eb3.pdf",
		"text": "https://archive.orkl.eu/be19101834cd02b71e494feb1a1d48eb989c5eb3.txt",
		"img": "https://archive.orkl.eu/be19101834cd02b71e494feb1a1d48eb989c5eb3.jpg"
	}
}