SOURCE DEFENSE RESEARCH INTELLIGENCE NEWS
March 11, 2025
MAGECART AS A NATIONAL SECURITY ISSUE
Magecart targets NYC Police Department and Federal Bureau of Prisons employees via merchants selling uniforms
Governments invest heavily in security, but what happens when hackers exploit the private industry that serves government agencies?
The Source Defense Research Team discovered an alarming attack—not only stealing credit card information but, more critically, harvesting personally identifiable information (PII) of security officials, potentially a national security issue.
This attack remained active for at least a year; once Source Defense notified the authorities, it was promptly removed. The malicious script was found across four websites under the same ownership, all selling uniforms to government personnel.
These websites required officials to use their official government email addresses (see exhibit A below) while also collecting sensitive details such as full name, address, and phone number—on top of the credit card information necessary for purchases.
Attack details
The Magecart script was loaded directly from the web page itself, with none of the obfuscation or advanced hiding techniques seen in the attack leveraging the Stripe API that we published in last week's edition.
Exhibit B shows how the Magecart script appeared on one of their web pages.
Exhibit C shows how the Magecart script sends both the personally identifiable information and the credit card details to the malicious domain; these screenshots were taken while the attack was live.
How does Source Defense protect you from such attacks?
When a blacklisted script loads on a website protected by Source Defense, a block policy is sent for that script.
Customers using our Detect product will receive alerts and must manually block the script.
Regardless of the product in use, our dedicated Professional Services Team proactively reaches out to affected customers, including those using our auto-accept policy, which enforces blocking automatically.
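The block policy described above rests on knowing which script origins belong on a page. As an added example (not Source Defense code), the following audit flags any script source on a checkout page whose host is not on a first-party allowlist and builds the matching Content-Security-Policy header; the page HTML, the hosts uniform-shop.example and skimmer-cdn.example, and the allowlist are constructed placeholders.

```python
# Added example, not Source Defense code: audit <script src> origins on a checkout
# page against a first-party allowlist and derive a CSP that enforces the same list.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag and counts inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def audit_script_origins(html, page_url, allowed_hosts):
    """Return the sorted hosts of script sources not in allowed_hosts.
    Relative src values resolve to the page's own host, so first-party
    scripts such as /js/checkout.js are not flagged."""
    collector = _ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    flagged = set()
    for src in collector.srcs:
        host = urlparse(src).hostname or page_host
        if host not in allowed_hosts:
            flagged.add(host)
    return sorted(flagged)


def csp_for(allowed_hosts):
    """Build a CSP that lets only allowed hosts serve scripts or receive fetch/XHR
    traffic; connect-src is what stops a skimmer posting form data to another domain."""
    hosts = " ".join(sorted(allowed_hosts))
    return f"default-src 'self'; script-src {hosts}; connect-src {hosts}; form-action 'self'"


# Constructed sample checkout page: one first-party relative script, one first-party
# CDN script, and one script from a placeholder third-party host not on the allowlist.
SAMPLE_HTML = """<html><body>
<form id="checkout"><input name="card"><input name="email"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.uniform-shop.example/app.js"></script>
<script src="https://skimmer-cdn.example/loader.js"></script>
</body></html>"""
ALLOWED = {"uniform-shop.example", "cdn.uniform-shop.example"}
```

Running `audit_script_origins(SAMPLE_HTML, "https://uniform-shop.example/checkout", ALLOWED)` returns the single unexpected host, and `csp_for(ALLOWED)` yields the header that would have blocked both loading from and posting to it.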
How will you be alerted?
When such a malicious script loads on a site protected by Source Defense, the following alerts are sent:
These alerts would be prominently displayed in:
Keep in mind that these flagged domains may not yet appear on external blacklists, but our system proactively detects and classifies them as blacklisted.
For any further clarification, reach out to support@sourcedefense.com.
Exhibit A
Exhibit B
Exhibit C
Any questions? Contact us at: support@sourcedefense.com
For the latest cyber research news, follow us at https://x.com/sdcyberresearch