{
	"id": "8778b078-bbea-4806-a0ba-8c2c5db0c188",
	"created_at": "2026-04-06T00:09:31.174388Z",
	"updated_at": "2026-04-10T03:24:11.837606Z",
	"deleted_at": null,
	"sha1_hash": "c837699eefecc3ce1b59533cac86de5e19f2de1c",
	"title": "Closing in on MageCart 12 – Max Kersten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82323,
	"plain_text": "Closing in on MageCart 12 – Max Kersten\r\nPublished: 2020-02-23 · Archived: 2026-04-05 19:40:02 UTC\r\nThis is the fourth blog with details on the activities of MageCart 12. In this article, yet another part of their\r\nongoing campaign is uncovered. The amount of infected sites for this campaign is higher than in the previous\r\ncases.\r\nBefore diving into the infected sites, and the rough duration of the infections, information regarding the skimmer\r\nitself will be given.\r\nModus operandi\r\nThe modus operandi for this campaign is slightly different when comparing it to the other research that has been\r\npublished so far. The skimmer, hosted on jquerycdn.su, changed four times during the campaign. The earliest\r\nrecorded date of a hacked site linking to the skimmer domain is on the 30th of September 2019, whereas the latest\r\nnew infection date is the 19th of February 2020.\r\nIn the four versions of the skimmer that were used in this campaign, the used obfuscation method is the same as in\r\nthe other reported campaigns. The first stage loads the actual skimmer script, which is polluted with garbage code.\r\nThe skimmer itself is different, compared to the first versions. The skimmer grabs all fields from the page, rather\r\nthan all forms. Although the approach and script are different, the general concept remains the same: obtaining\r\ncredit card credentials.\r\nThe exfiltration domains are linked to other skimming campaigns from MageCart 12, like the one Marco Ramilli\r\nwrote about, as well as Jacob‘s blog.\r\nInfected web shops\r\nAll but three affected web shops have been contacted via e-mail or their web form on the 21st of February 2020.\r\nFor each of the three uninformed web shops, there is a note in the list with the reason why. Similar to previous\r\ncases, I did not receive any response back at the time of writing (which is the 25th of February 2020).\r\nThe given dates are based upon the data set I created. 
This set is, by definition, not 100% accurate. As such, the\r\nactual dates might slightly differ. Additionally, it is possible that a website was not infected for the complete time\r\nbetween the begin and the end date, but this information is not present in my data set.\r\nThe mentioned dates are based upon the most accurate information from the data set and limited to this skimmer\r\ndomain. Some sites are infected with another domain that is operated by the same group. To avoid confusion and\r\nkeep things clear, this has not been included in this post.\r\nNote that the skimmer domain (jquerycdn.su) has been down for a few days at least. This means that several sites\r\nthat are still infected, are currently not actively sharing credit cards with the criminal actors, but this is subject to\r\nchange at any given moment.\r\nhttps://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/\r\nPage 1 of 3\n\nThe list below is ordered from the past until the present, meaning the oldest infections are listed first. The end date\r\nis not taken into account in the sorting.\r\nBioPets was infected from the 30th of September 2019 and the infection is ongoing until now. The location\r\nwhere the skimmer is hosted right after that is different compared to the initial skimmer.\r\nWellspring Wholesale was infected from the 30th of September 2019 until the 9th of February 2020.\r\nWellspring Customer was infected from the 30th of September 2019 until the 9th of February 2020.\r\nD2D Organics was infected from the 30th of September 2019 until the first of November 2019. At some\r\npoint in time after that, the site went down. 
As such, there was no method to contact the owners of the\r\nwebsite.\r\nLoud Shirts USA was infected from the first of October 2019 until somewhere prior to the 9th of February\r\n2020.\r\nNilima Home was infected from the first of October 2019 until the 9th of February 2020.\r\nSilk Naturals was infected from the first of October 2019 until the 16th of February 2020.\r\nJD’s Sound \u0026 Lighting was infected from the second of October 2019 until the 9th of February 2020.\r\nNilima Rugs was infected from the second of October 2019 until the 10th of February 2020.\r\nMartin Services was infected from the second of October 2019 until an unknown point in the future.\r\nThe Cheshire Horse was infected from the 6th of October 2019 until the 11th of December 2019.\r\nKl\u0026in More was infected on the 7th of October 2019. No more information is available.\r\nSchlaf Team was infected on the 17th of October 2019. No more information is available.\r\nThe Top Collection was infected from the 19th of October 2019 until at least the 25th of February 2020.\r\nSelaria Dias was infected from the 5th of November 2019 until the 21st of February 2020.\r\nTile was infected from the 13th of November 2019 until the 28th of January 2020.\r\nLiquorish Online was infected from the 13th of November 2019 until the 24th of November.\r\nStarting Line Products was infected on the 19th of November 2019. No more information is available.\r\nSport Everest was infected from the 20th of November 2019 until at least the 25th of February 2020.\r\nABC School Supplies was infected on the 26th of November 2019 until the 10th of February 2020.\r\nMotor Book World was infected on the 26th of November 2019 until the 22nd of February 2020.\r\nContadores Digital was infected on the second of December 2019. No more information is available.\r\nGiocattoli Negozio was infected on the 12th of December 2019 until at least the 25th of February 2020.\r\nAcademic Bag was infected on the 6th of January 2020. 
No more information is available.\r\nSoleStar was infected from the 11th of January 2020 until at least the 25th of February 2020.\r\nSurf Bussen Travel was infected from the 17th of January 2020 until the 10th of January 2020.\r\nSurf Bussen Nu was infected on the 18th of January 2020. No more information is available.\r\nHaight Ashbury Music Center was infected on the 24th of January 2020 until the 18th of February 2020.\r\nAlas, the form on the website did not allow me to submit a message. Aside from that, there were no other\r\ncontact methods available. As such, I was not able to inform them.\r\nMyCluboots was infected from the 25th of January 2020 until at least the 25th of February 2020.\r\nSol’s Italia was infected on the 30th of January 2020. No more information is available.\r\nParkwood Middle School Bears was infected from the 31st of January 2020 until at least the 25th of\r\nFebruary 2020.\r\nVoltacon was infected from the 12th of February 2020 until the 25th of February 2020.\r\nPitcher’s Sports was infected on the 13th of February 2020 until at least the 25th of February 2020. Alas,\r\nthe only possible contact method was via a phone call. Since this was not an option for me, I could not\r\ncontact them.\r\nPowerhouse Marina was infected on the 13th of February 2020 until the 25th of February 2020.\r\nSukhi Rugs was infected on the 13th of February 2020. No more information is available.\r\nZooRoot was infected from the 14th of February 2020 until at least the 25th of February 2020.\r\nSukhi was infected on the 17th of February 2020. 
No more information is available.\r\nIntegral Yoga Distribution was infected on the 18th of February 2020 until at least the 25th of February\r\n2020.\r\nKitchen And Couch was infected on the 19th of February 2020 until the 25th of February 2020.\r\nConclusion\r\nIf you have shopped at one of the mentioned sites around the infected period, it is suggested to contact your bank\r\nand request a new credit card. Also note that all information that was entered on the site’s payment form was\r\nstolen by the credit card skimmer and should be considered compromised.\r\nTo contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on BlueSky @maxkersten.nl.\r\nSource: https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/"
	],
	"report_names": [
		"closing-in-on-magecart-12"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c837699eefecc3ce1b59533cac86de5e19f2de1c.pdf",
		"text": "https://archive.orkl.eu/c837699eefecc3ce1b59533cac86de5e19f2de1c.txt",
		"img": "https://archive.orkl.eu/c837699eefecc3ce1b59533cac86de5e19f2de1c.jpg"
	}
}