Magecart and formjacking attacks: How they affect e-Commerce
By Eduard Bardají on Aug 25, 2025 7:00:00 AM
Online shopping is one of the most common methods of purchasing today. Millions of transactions are carried out daily, which is why ensuring the integrity and security of users’ personal and financial data is so important. However, just as cybersecurity measures continue to evolve, so do cyberattacks. In this context, Magecart attacks, also known as formjacking attacks, have emerged as one of the most persistent and sophisticated threats targeting online stores and payment platforms.
What is Magecart and why does it pose a critical threat to e-Commerce?
Magecart is not a single group, but rather an umbrella term that refers to several collectives of cybercriminals who use similar tactics: injecting malicious code into websites, specifically payment forms, with the goal of stealing confidential data such as credit card numbers, billing addresses, CVVs, email addresses, and other sensitive information.
How does a Magecart attack work?
The modus operandi of Magecart attacks is based on formjacking, a technique that involves injecting malicious JavaScript code into a website’s payment forms. This code acts as a data sniffer, capturing all the information entered by users before it is encrypted or sent to the legitimate server.
What’s most alarming is that this activity happens completely invisibly to the end user, who completes their purchase without suspecting that their data has been intercepted and sent to a server controlled by the attacker.
There are several vectors through which attackers can inject the malicious code:
- Direct compromise of the web server: By gaining access to the site’s backend, attackers modify source files directly, especially those related to the checkout process.
- Attacks on third-party providers: Many online stores rely on third-party libraries and scripts, such as analytics tools, live chat, or marketing solutions. If any of these providers are compromised, the attacker can inject code into multiple websites simultaneously.
- Cross-site scripting (XSS): In some cases, an XSS vulnerability can be exploited to inject scripts without needing to compromise the server itself.
Why is a formjacking attack so hard to detect?
Formjacking scripts are specifically designed to go unnoticed by both users and traditional security teams. They are often obfuscated, delivered from legitimate or spoofed domains, and frequently use advanced techniques like polyglot scripting to evade detection mechanisms.
In addition, these scripts don’t interfere with the functionality of the webpage; they simply replicate the data submission process and silently send a copy of the entered information to an attacker-controlled server.
In many cases, the malicious code can remain undetected for months, especially on websites that lack a continuous monitoring strategy for their files and scripts. This persistence increases the number of victims, as well as the legal and reputational exposure for the affected company.
What are the consequences of a Magecart attack for a company?
The damage caused by a Magecart attack can be both severe and far-reaching:
- Loss of sensitive customer data, which can lead to identity theft and financial fraud.
- Significant reputational damage, resulting in loss of trust from customers and business partners.
- Legal penalties for non-compliance with regulations such as the General Data Protection Regulation (GDPR), especially if the company lacks proper technical and organizational measures to protect the data.
- Operational costs related to incident response, forensic audits, compensation, and urgent security upgrades.
How to detect and prevent formjacking attacks
Detecting and preventing Magecart attacks requires an integrated, multi-layered approach that combines technological tools, auditing procedures, and awareness among the technical team.
File integrity monitoring (FIM)
Implementing File Integrity Monitoring solutions helps detect any unauthorized changes to critical website files. This technique is especially useful for spotting suspicious modifications in JavaScript files or form templates.
Review and audit of third-party scripts
It’s essential to maintain an up-to-date inventory of all third-party resources loaded on the site and to enforce Content Security Policy (CSP) rules to restrict the origin of executable scripts.
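One way to check a checkout page against the third-party inventory and derive a matching `script-src` policy, as an added example that is not part of the original article. The inventory, hosts and page markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collect the origin of every external <script> and count inline ones."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origins = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            self.inline += 1
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        parts = urlsplit(urljoin(self.page_url, src))
        self.origins.append(f"{parts.scheme}://{parts.netloc}")

def audit(html, page_url, inventory):
    """Compare scripts on a page with the approved third-party inventory."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    page = urlsplit(page_url)
    own = f"{page.scheme}://{page.netloc}"
    unlisted = {o for o in collector.origins if o != own and o not in inventory}
    return {"unlisted": sorted(unlisted), "inline": collector.inline}

def build_csp(inventory):
    """script-src limited to the site itself plus the inventoried origins."""
    return "script-src " + " ".join(["'self'", *sorted(inventory)])

# Constructed inventory and checkout page (all hosts are placeholders).
INVENTORY = {"https://analytics.example", "https://chat.example"}
PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://analytics.example/a.js"></script>
<script src="//widgets.example/w.js"></script>
<script>var cartId = 1;</script>
</head></html>"""

if __name__ == "__main__":
    print(audit(PAGE, "https://shop.example/checkout", INVENTORY))
    print("Content-Security-Policy:", build_csp(INVENTORY))
```

A static parse only sees script tags present in the served HTML; scripts added at runtime by other scripts are what the browser-enforced CSP is there to restrict.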
Script behavior analysis
Security solutions based on machine learning and behavioral analysis can detect abnormal patterns in web traffic or script execution, even when the code is obfuscated.
Sandboxing and test environments
Using isolated (sandbox) environments for updates and testing before deploying to production is recommended, as it helps verify that no vulnerabilities or malicious scripts have been introduced.
Outbound network traffic monitoring
Analyzing outbound HTTP requests from the client’s browser can help identify unusual communications with unknown domains, which may signal the presence of a formjacking script exfiltrating data.
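An added example (not from the original article) that summarises a browser HAR capture of a checkout session by destination and lists the hosts outside an allowlist. The allowlist, hosts and HAR entries are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def is_allowed(host, allowed):
    """True for an allowed host or any subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def unexpected_destinations(har, allowed):
    """Summarise HAR requests that go to hosts outside the allowlist."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "methods": set()})
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        host = (url.hostname or "").lower()
        if not host or is_allowed(host, allowed):
            continue
        s = stats[host]
        s["requests"] += 1
        # Data leaving the browser: request body plus the query string.
        # HAR uses bodySize -1 when the size is unknown, so clamp at 0.
        s["bytes_out"] += max(req.get("bodySize", 0), 0) + len(url.query)
        s["methods"].add(req["method"])
    # Hosts that received the most data come first.
    return sorted(
        ({"host": h, **s, "methods": sorted(s["methods"])} for h, s in stats.items()),
        key=lambda r: -r["bytes_out"],
    )

# Constructed HAR fragment from a checkout session (hosts are placeholders).
ALLOWED = {"shop.example", "payments.example"}
HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://shop.example/checkout", "bodySize": 0}},
    {"request": {"method": "POST", "url": "https://api.payments.example/charge", "bodySize": 310}},
    {"request": {"method": "GET", "url": "https://fonts.example/f.woff2", "bodySize": -1}},
    {"request": {"method": "POST", "url": "https://metrics-cdn.example/c", "bodySize": 298}},
    {"request": {"method": "GET", "url": "https://metrics-cdn.example/p?d=0123456789", "bodySize": 0}},
]}}

if __name__ == "__main__":
    for row in unexpected_destinations(HAR, ALLOWED):
        print(row)
```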
How to prevent Magecart and formjacking attacks in e-Commerce
At ESED, as cybersecurity specialists, we offer a range of cybersecurity services and solutions tailored to the retail sector to help prevent these types of threats:
Endpoint protection and XDR/MDR for immediate detection and containment
ESED provides a fully managed cybersecurity solution with a fixed monthly fee that delivers proactive 24/7 protection. Our model includes advanced technologies such as XDR and MDR, and when necessary, mobile device management (MDM), all integrated into a holistic defense approach.
Thanks to this managed environment, a Magecart attack, characterized by the injection of malicious code into payment forms, can be detected at early stages, even if the code is obfuscated or comes from a third-party script. This is made possible by ESED’s continuous endpoint monitoring and analysis of suspicious.
Initial audit and pentesting with ESED Attack
Before deploying any solution, we conduct a comprehensive security audit through our ethical hacking service, known as ESED Attack. This includes penetration testing and controlled simulations designed to identify real-world gaps and specific attack vectors—including vulnerabilities that could allow script injection into web forms.
This approach assesses the level of exposure to formjacking-type attacks, enabling proactive defense reinforcement before an actual breach occurs.
Active Threat Hunting and continuous monitoring
Once systems are deployed, we carry out ongoing Threat Hunting activities, that is, the proactive search for threats that may have bypassed traditional security controls. This strategy enables the detection of malicious scripts or unusual behavior, such as outbound connections to suspicious domains or unexpected modifications to JavaScript files on the website.
Continuous monitoring also includes automatic security updates, which are essential to prevent compromised scripts from exploiting unpatched vulnerabilities.
Backups, secure passwords, and device management
We also offer services such as secure backups (cloud-based and following the 3-2-1 rule), secure password management, and control of corporate mobile devices through MDM (Mobile Device Management).
In the event of a Magecart attack, having a clean and up-to-date backup is critical for restoring website integrity without data loss and for identifying when and how the infection occurred.
Data Leak Prevention with WWatcher
We provide a proprietary tool called WWatcher, designed to monitor how users interact with sensitive data within the organization. It detects downloads or movements that could indicate a massive data leak.
While it doesn’t act directly within the customer’s browser during a purchase, this solution helps identify suspicious internal behavior, ensuring that even if an attacker manages to exfiltrate data from the frontend, there are no internal channels that could facilitate its misuse or exposure.
What to do if your site has fallen victim to Magecart
- Isolate the compromised system: Prevent the site from continuing to collect data by temporarily disconnecting the platform or disabling payment forms.
- Notify the relevant authorities: In compliance with GDPR, any security breach must be reported to the AEPD within the first 72 hours.
- Conduct a forensic analysis: Identify the attack vector, assess the scope of the breach, and collect evidence.
- Inform affected users: If data has been compromised, notify customers so they can take preventive measures, such as blocking their cards.
- Review and implement new security measures: This includes applying patches, adding additional controls, and validating code integrity.
Magecart attacks and formjacking are clear examples of how attackers have evolved toward increasingly sophisticated techniques that don’t require direct server exploitation, but instead take advantage of client-side or third-party vulnerabilities.
For companies operating in the digital space, especially in e-commerce, implementing advanced security measures is not optional; it is a critical necessity. Protection must extend beyond the server perimeter and cover all attack vectors, including third-party scripts, browser execution, and continuous monitoring.
In an environment where user trust is as valuable as the data they provide, investing in security is investing in digital sustainability.