Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Magecart Hackers Exploit 100 Domains to Steal Card Data

Magecart Hackers Exploit 100 Domains to Steal Card Data

Posted on April 1, 2026 By CWS

A Pervasive Threat to E-commerce Security

An intricate Magecart campaign has been covertly targeting e-commerce platforms in at least 12 nations for over two years. Utilizing more than 100 malicious domains, this operation aims to pilfer payment card details in real time. The financial burden primarily falls on banking institutions rather than the merchants themselves.

Security experts from ANY.RUN have revealed this large-scale operation, which has compromised at least 17 WooCommerce websites from February 2024 to April 2025. This organized cybercrime syndicate’s infrastructure spans a significant number of domains, indicating a high level of planning and investment.

Widespread Impact Across Multiple Countries

The campaign has affected victims mainly in the UK, Denmark, France, Spain, and the US, with Spain particularly impacted due to the exploitation of the Redsys payment system. While e-commerce platforms are directly targeted, banks and cardholders experience the brunt of the financial fallout, which includes fraud losses and diminished trust in digital payments.

ANY.RUN advocates for businesses to gain early insight into such threats to minimize potential damage. Integrating their solutions into Security Operations Centers (SOC) is suggested to mitigate risks effectively.

Deceptive Tactics and Techniques

The attackers employ a complex, multi-layered infection process to evade detection and removal. Once a WooCommerce site is compromised, a small obfuscated JavaScript loader is injected into existing scripts, remaining inactive until the payment stage is reached by users.

This loader, devoid of direct card-stealing capabilities, connects to external servers to retrieve further malicious payloads. A fallback system ensures the operation’s continuity by cycling through backup domains if the primary ones are inaccessible.

By replacing genuine payment buttons with counterfeit ones, the operation remains undetected for extended periods. Scripts mimic trustworthy web services, such as jQuery and analytics platforms, to capture user data.

Advanced Impersonation and Mobile Expansion

The campaign’s hallmark is its ability to convincingly imitate legitimate payment service providers. The Redsys system is frequently impersonated, with attackers incorporating its domain into their workflow to enhance credibility.

Beyond desktop platforms, the operation extends to mobile devices, utilizing malicious payloads to distribute Android APK files. This vector prompts users to download apps under the guise of discounts, further expanding the campaign’s reach.

Security teams are urged to prioritize monitoring WebSocket connections from checkout pages, enforce strict Content Security Policies, and conduct regular audits of third-party scripts. Financial institutions should focus on threat intelligence sharing and bolstering fraud detection for card-not-present transactions to counteract these persistent threats.

Engage in free malware research with ANY.RUN to safeguard your business today.

Cyber Security News Tags:ANY.RUN, card data theft, Cybercrime, Cybersecurity, ECommerce, financial institutions, JavaScript, Magecart, Malware, online security, payment fraud, Redsys, security researchers, WebSocket, WooCommerce

Post navigation

Previous Post: DeepLoad Malware Spreads via ClickFix Attacks
Next Post: Phishing Campaign Impersonates CERT-UA to Spread Malware

Related Posts

Chinese Hackers Actively Attacking Taiwan Critical Infrastructure Chinese Hackers Actively Attacking Taiwan Critical Infrastructure Cyber Security News
Claude Desktop Raises Privacy Concerns with Browser Integration Claude Desktop Raises Privacy Concerns with Browser Integration Cyber Security News
OpenAI Releases GPT-5.1-Codex-Max that Performs Coding Tasks Independently OpenAI Releases GPT-5.1-Codex-Max that Performs Coding Tasks Independently Cyber Security News
Phishing Emails Spread VIP Keylogger Malware Phishing Emails Spread VIP Keylogger Malware Cyber Security News
Google Chrome 0-Day Vulnerability Actively Exploited in the Wild Google Chrome 0-Day Vulnerability Actively Exploited in the Wild Cyber Security News
Ivanti Releases Security Patches for Multiple Products Ivanti Releases Security Patches for Multiple Products Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Teen Hacker Extradited to U.S. for Cybercrime Charges
  • Tackling Alert Fatigue: Boost SOC Efficiency with Smart Strategies
  • Vulnerability in Argo CD Allows Kubernetes Cluster Takeover
  • Microsoft 365 Under Attack: 81 Million Login Attempts Recorded
  • Microsoft Enhances Teams Security to Block Unauthorized AI Bots

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Teen Hacker Extradited to U.S. for Cybercrime Charges
  • Tackling Alert Fatigue: Boost SOC Efficiency with Smart Strategies
  • Vulnerability in Argo CD Allows Kubernetes Cluster Takeover
  • Microsoft 365 Under Attack: 81 Million Login Attempts Recorded
  • Microsoft Enhances Teams Security to Block Unauthorized AI Bots

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark