Cyber Web Spider Blog – News

Magecart Hackers Exploit 100 Domains to Steal Card Data

Posted on April 1, 2026 By CWS

A Pervasive Threat to E-commerce Security

An intricate Magecart campaign has been covertly targeting e-commerce platforms in at least 12 nations for over two years. Utilizing more than 100 malicious domains, this operation aims to pilfer payment card details in real time. The financial burden primarily falls on banking institutions rather than the merchants themselves.

Security experts from ANY.RUN have revealed this large-scale operation, which has compromised at least 17 WooCommerce websites from February 2024 to April 2025. This organized cybercrime syndicate’s infrastructure spans a significant number of domains, indicating a high level of planning and investment.

Widespread Impact Across Multiple Countries

The campaign has affected victims mainly in the UK, Denmark, France, Spain, and the US, with Spain particularly impacted due to the exploitation of the Redsys payment system. While e-commerce platforms are directly targeted, banks and cardholders experience the brunt of the financial fallout, which includes fraud losses and diminished trust in digital payments.

ANY.RUN advocates for businesses to gain early insight into such threats to minimize potential damage. Integrating their solutions into Security Operations Centers (SOC) is suggested to mitigate risks effectively.

Deceptive Tactics and Techniques

The attackers employ a complex, multi-layered infection process to evade detection and removal. Once a WooCommerce site is compromised, a small obfuscated JavaScript loader is injected into existing scripts and stays inactive until a user reaches the payment stage.

This loader, devoid of direct card-stealing capabilities, connects to external servers to retrieve further malicious payloads. A fallback system ensures the operation’s continuity by cycling through backup domains if the primary ones are inaccessible.

By replacing genuine payment buttons with counterfeit ones, the operation remains undetected for extended periods. Scripts mimic trustworthy web services, such as jQuery and analytics platforms, to capture user data.

Advanced Impersonation and Mobile Expansion

The campaign’s hallmark is its ability to convincingly imitate legitimate payment service providers. The Redsys system is frequently impersonated, with attackers incorporating its domain into their workflow to enhance credibility.

Beyond desktop platforms, the operation extends to mobile devices, utilizing malicious payloads to distribute Android APK files. This vector prompts users to download apps under the guise of discounts, further expanding the campaign’s reach.

Security teams are urged to prioritize monitoring WebSocket connections from checkout pages, enforce strict Content Security Policies, and conduct regular audits of third-party scripts. Financial institutions should focus on threat intelligence sharing and bolstering fraud detection for card-not-present transactions to counteract these persistent threats.
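As an added illustration of the Content Security Policy recommendation (this code is not from ANY.RUN or the original article), the following audit checks a checkout page's CSP header for the two directives that matter against this kind of skimmer: `script-src`, which governs where a loader can fetch further scripts from, and `connect-src`, which governs WebSocket and fetch destinations. The sample policies and the host `pay.example` are constructed placeholders.

```javascript
// Added example: audit a checkout page's Content-Security-Policy header.
// Parse "directive source source; directive ..." into a Map.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Sources that let any host serve scripts or receive connections.
const BROAD = new Set(["*", "https:", "http:", "wss:", "ws:", "data:"]);

function auditCheckoutCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ["script-src", "connect-src"]) {
    // Both directives fall back to default-src when absent.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources) {
      findings.push(`${directive}: unrestricted (no directive, no default-src)`);
      continue;
    }
    for (const src of sources) {
      const s = src.toLowerCase();
      if (BROAD.has(s) || s.includes("*.")) {
        findings.push(`${directive}: broad source ${src}`);
      }
      if (directive === "script-src" && (s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
        findings.push(`script-src: ${src} permits injected or decoded code`);
      }
    }
  }
  return findings;
}

// Constructed sample policies; pay.example is a placeholder host.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; connect-src *";
const STRICT_CSP = "default-src 'none'; script-src 'self' https://pay.example; " +
  "connect-src 'self' https://pay.example; frame-src https://pay.example";

console.log(auditCheckoutCsp(WEAK_CSP));
console.log(auditCheckoutCsp(STRICT_CSP)); // []
```

Run it against the header actually served on the payment step, since checkout pages often carry a different policy from the rest of the shop.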

Engage in free malware research with ANY.RUN to safeguard your business today.

Cyber Security News Tags: ANY.RUN, card data theft, Cybercrime, Cybersecurity, ECommerce, financial institutions, JavaScript, Magecart, Malware, online security, payment fraud, Redsys, security researchers, WebSocket, WooCommerce
