At ChameleonX we deal with many cases of client-side data breach attacks, carried out seamlessly by fraudsters. These client-side attacks are triggered by a single-line script tag embedded in the body of the website, on the pages where sensitive information resides (checkout pages, for example).

Compromised Customer Credit Cards, Worldwide

A few days ago, our research uncovered 11 different Magento e-commerce websites from around the world that currently have live credit card skimmers embedded in them. The attacks closely resemble one another and apparently belong to the same notorious Magecart group: they share C2 servers and reuse code.

Some of the websites on the list have monthly traffic of 100K-300K unique visitors (one of them is an Amazon best-selling company) and belong to SMB/mid-market companies with dozens to hundreds of employees. We will not disclose the names of these companies, for obvious reasons, but you can rest assured that we contacted all of them and most have already removed the credit card skimming malware.


Estimated monthly visits of an infected e-commerce site (stats by SimilarWeb.com)

Data Exfiltration with a Disguise

The operation we discuss in this post uses lookalike domains for its C2 servers in order to keep a low footprint and evade detection by website owners and users. The analyzed attacks used domains camouflaged as services such as:

  • Google Analytics
  • Google Tag Manager
  • Bootstrap
  • React


Exfiltrated credit card data from a large e-commerce website, infected with a Magecart card skimmer, sent to the fraudster’s C2 server

Card skimmer JavaScript code

You get the picture. Imagine inspecting your website's network traffic and seeing an outgoing request to a domain like googletagmaanager.com. If you're not actively looking for a threat, you'd probably assume it's just a legitimate request from your GTM library, right?

The C2 Endpoint

Once the compromised e-commerce websites had been identified, we started looking into the C2 servers themselves to see what intelligence we could get our hands on. The C2 server is where the injected JavaScript is loaded from and where it reports back with the stolen data (victims' personal details, credentials, credit card data and more).

One of the core principles of research is persistence: you need to be committed to what you do and analyze many different attacks until the answer is found. After many attempts, researchers at ChameleonX managed to obtain the PHP webshell script used by Magecart fraudsters for remote code execution and for modifying website resources such as JavaScript libraries and HTML files.

Real Magecart Webshell backdoor script obtained from a C2 server


An illustration of a code injection attack flow

Attackers exploit a variety of vulnerabilities to deploy this shell on websites. Once it is deployed on the exploited website and they have the remote access URL, fraudsters can control most aspects of the server, which lets them inject malicious code into the client-side runtime and modify the site that is served to end users.
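The two detection problems described above (a script tag injected into a served page, and a C2 host disguised as a lookalike of a legitimate service) can be triaged together with a small scanner. The following is an added example written for this post, not ChameleonX's code and not the skimmer's: it extracts external script hosts from a page, compares each against an allowlist of hosts the site is known to load code from, and flags hosts whose registrable name is within a couple of edits of an allowed one. The allowlist, the sample checkout page and the lookalike domain in it are constructed for the example (googletagmaanager.com is the disguise mentioned earlier in this post; the other hosts are placeholders); the two-label registrable-domain rule and the regex tag extraction are deliberate simplifications, not a public-suffix list or an HTML parser.

```javascript
// Added example: flag injected <script src> tags pointing at unknown or
// lookalike hosts. Not the original post's code.

// Hosts the site legitimately loads third-party code from. Hypothetical
// allowlist; a real one comes from the site's own build/tag configuration.
const ALLOWED_HOSTS = [
  'www.googletagmanager.com',
  'www.google-analytics.com',
  'stackpath.bootstrapcdn.com',
  'unpkg.com',
];

// Constructed sample of a checkout page: one allowed GTM tag, a same-origin
// script, an injected protocol-relative lookalike, Bootstrap, and an
// unrelated host that is simply unknown.
const SAMPLE_CHECKOUT_PAGE = `
<html><head>
<script src="https://www.googletagmanager.com/gtm.js"></script>
<script src="/js/checkout.js"></script>
<script type="text/javascript" src="//googletagmaanager.com/gtm.js"></script>
<script src='https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js'></script>
<script src="https://cdn.example-stats.net/collect.js"></script>
</head><body>...</body></html>`;

// Levenshtein edit distance: minimum single-character edits turning a into b.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Split a hostname into its second-level label and TLD. Simplification:
// assumes a two-label suffix, so www.googletagmanager.com and
// googletagmaanager.com compare on "googletagmanager" vs "googletagmaanager".
function splitDomain(host) {
  const labels = host.toLowerCase().split('.');
  return { sld: labels[labels.length - 2] || '', tld: labels[labels.length - 1] || '' };
}

// Verdicts: 'allowed' (registrable domain matches an allowlisted host),
// 'lookalike' (second-level label within 2 edits of an allowed one, or the
// same label under a different TLD), otherwise 'unknown'.
function classifyHost(host, allowed = ALLOWED_HOSTS) {
  const { sld, tld } = splitDomain(host);
  let best = null;
  for (const good of allowed) {
    const g = splitDomain(good);
    if (g.sld === sld && g.tld === tld) {
      return { host, verdict: 'allowed', closest: `${g.sld}.${g.tld}` };
    }
    const d = editDistance(sld, g.sld);
    if (d <= 2 && (best === null || d < best.d)) best = { d, domain: `${g.sld}.${g.tld}` };
  }
  return best
    ? { host, verdict: 'lookalike', closest: best.domain }
    : { host, verdict: 'unknown', closest: null };
}

// Pull the hosts of external <script src=...> tags. Protocol-relative URLs
// (//host/path) are resolved against the site's own origin so they are not
// mistaken for same-origin scripts. Regex is enough for triage, not parsing.
function externalScriptHosts(html, origin = 'https://shop.example') {
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const own = new URL(origin).hostname;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const url = new URL(m[1], origin);
      if (url.hostname && url.hostname !== own) hosts.push(url.hostname);
    } catch (e) { /* malformed src: skip */ }
  }
  return hosts;
}

// Scan a page and return one finding per distinct external script host.
function scanPage(html, allowed = ALLOWED_HOSTS) {
  const seen = new Set();
  const findings = [];
  for (const host of externalScriptHosts(html)) {
    if (seen.has(host)) continue;
    seen.add(host);
    findings.push(classifyHost(host, allowed));
  }
  return findings;
}

for (const f of scanPage(SAMPLE_CHECKOUT_PAGE)) {
  console.log(`${f.verdict.padEnd(9)} ${f.host}${f.closest ? '  (closest allowed: ' + f.closest + ')' : ''}`);
}
```

Run against the sample page, the scanner reports the GTM and Bootstrap hosts as allowed, googletagmaanager.com as a lookalike of googletagmanager.com, and cdn.example-stats.net as unknown. In practice the same check belongs on the served HTML and on the site's JavaScript bundles, since the webshell described above can modify either; a Content-Security-Policy `script-src` allowlist is the complementary control that stops the browser from loading an injected host at all.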


ChameleonX is a cybersecurity startup company, developing a unique AI-based client-side protection solution for the eCommerce, Travel and Financial sectors to protect businesses from zero-day attacks, compromised 3rd-party resources, web vulnerabilities and malware code injections. Learn more about how we can protect your company from becoming the next big data breach news story.