A new Magecart campaign is making waves

A new Magecart campaign is making waves

Malwarebytes’ researchers are closely monitoring web skimmers and have noticed that one of the infamous Magecart groups is causing a rise in the number of attacks while gobbling up over a quarter of the total number of attacks in one campaign.

What all these attacks have in common is the domain where the malicious javascript is hosted: naturalfreshmall.com. Additional research by Sansecshows a mass breach of stores running the Magento 1 ecommerce platform that can be tied to this campaign.


Magento is an Adobe company that offers a hosted and self-hosted content management system (CMS) for web shops. The free version of Magento is open source which offers users the option to make their own changes and allows specialists to create extensions for the CMS.

Magento 1 has reached end-of-life (EOL) and has not been supportedsince June 30, 2020. However, the platform is still in use by thousands of online stores. And because there’s a lack of security patches from Adobe, some are using community-provided patches. As you can imagine, the lack of vendor provided patches makes stores running Magento 1 popular victims for skimmers like Magecart.


Magecart was originally one group that was partly named after the platform they concentrated on (Magento). But Magecart is no longer just one threat actor. We’ve seen several groups that are all specialized in cyberattacks involving digital credit card theft by skimming online payment forms. Magecart mainly targets e-commerce websites, aiming to inject JavaScript skimmers on checkout pages.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the web properties used to serve skimmers and exfiltrate stolen data.

In recent news we reported about the Segway online storethat was compromised by Magecart group 12 who embedded the skimmer code inside a favicon.ico file.

The attack

According to the Sansec researchthe skimmers abused a known leak in the Quickview plugin that is typically used to inject rogue Magento admin users. In this case, the skimmers used it to add a validation rule that they could later trigger by registering as a customer. In investigated cases the attacker left no less than 19 backdoors on the system.

Keeping your site safe

We have written an extensive post about how to defend your website against skimmers, but in summary, here’s what you need to do to keep your site safe:

  • Make sure that the systems from where the site is administered are clean of malware.
  • Use strong passwords and do not reuse them.
  • Limit the number of administrators.
  • Keep your site’s software updated.
  • Use a Web Application Firewall (WAF).
  • Know that each dependency is a potential backdoor into your web pages.
  • Use a Content Security Policy(CSP).
  • Make sure you are made aware in case of problems, either by checking yourself or by having it done for you.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.