When one Magecart attack isn't enough: three attacks, one website - July 29, 2025
SOURCE DEFENSE RESEARCH INTELLIGENCE NEWS
The Source Defense Research Team has uncovered a rare and dangerous scenario: Three distinct Magecart campaigns attacking the same Australian e-commerce website at the same time.
This finding underscores a troubling trend: once a website is compromised, it can become a battleground for multiple criminal groups, all attempting to skim customer payment data simultaneously.
The three attacks
1. Magecart script loaded from WebSocket
How it works:
Injected code opens a WebSocket to jgueurystatic[.]xyz.
The Magecart script is delivered via an incoming WebSocket message.
Stolen payment data is sent back using an XHR request to the same domain.
Scope:
Found active on ~25 websites worldwide.
2. 3rd-party Magecart script
How it works:
Loads a Magecart script directly from the 3rd party domain worksgethub[.]com.
After capturing payment details, the script exfiltrates data via a GET request disguised as a script request to the same domain.
Scope:
Found active on 5 e-commerce websites.
3. Inline 1st-party Magecart script exfiltrates data to compromised legitimate domains
How it works:
Malicious code is placed inline within a first-party script.
Captures payment data and sends it to both altraxpart[.]be and avrelibeds[.]com, seemingly legitimate domains that were compromised by the attacker.
Scope:
Found active on over 250 e-commerce websites worldwide.
A Hidden Tug-of-War for Stolen Data
On the compromised Australian site, all three skimming campaigns activated simultaneously. Surprisingly, the first two attacks overrode and blocked the data-stealing methods of the third attack, meaning that only those first two groups were actively exfiltrating data.
However, after our research team isolated and neutralized the first two attacks, the third skimmer immediately activated and began stealing data—confirming that multiple groups were competing for the same sensitive information.
Why this matters
This finding illustrates three key realities:
One breach invites more. A compromised site often becomes a soft target for multiple groups.
First-party trust isn’t enough. Attack #3 shows that attackers can plant malicious code directly inside trusted first-party scripts.
Traditional security tools can’t untangle this mess. Multiple concurrent attacks can hide each other, making detection and forensic analysis extremely difficult without behavior-based, real-time monitoring.
How Source Defense protects you
For Protect customers, these attacks from 3rd party scripts are automatically blocked.
For Detect users, our platform provides alerts when:
Scripts load from blacklisted domains (e.g., jgueurystatic[.]xyz, worksgethub[.]com, altraxpart[.]be, avrelibeds[.]com)
Sensitive data is sent to blacklisted destinations
Unauthorized scripts access PCI and PII input fields
These alerts appear in the bell notification center, the ‘Found in blacklists’ widget, and the dashboard summary.
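The third alert type, an unauthorized script touching PCI or PII input fields, needs one thing the first two do not: knowing which script performed a read. The following is an added example, not Source Defense's code, showing one way to do that in the browser: replace the value getter on input elements and attribute each read of a sensitive field to the nearest stack frame that is not the hook itself, then compare that script against an allowlist. The allowlist, the hook's own URL, the field-name pattern and the three stack traces are all constructed for the example. The hook only installs in a browser; the attribution logic is plain JavaScript and the sample traces exercise it under Node.

```javascript
// Added example (not Source Defense code): attribute each read of a payment
// or PII input field to the script that performed it, the check behind an
// "unauthorized script accessed a sensitive field" alert. Allowlist, hook
// URL and stack traces are constructed; the hook is browser-only.

// Hypothetical scripts permitted to read checkout fields (assumption).
const AUTHORIZED_SCRIPTS = [
  'https://shop.example.com/static/checkout.js',
  'https://cdn.example.com/app.js',
];

// Where this hook would be served from; its own frame is skipped.
const HOOK_URL = 'https://shop.example.com/static/watchdog.js';

// Field names, ids or autocomplete tokens that mark PCI/PII inputs.
const SENSITIVE_FIELD = /card|cc-|cvv|cvc|expir|email|phone|address|postal/i;

// Script URL of every frame, innermost first, without the hook's own frame.
// Handles both V8 ("at fn (url:line:col)") and SpiderMonkey
// ("fn@url:line:col") stack formats.
function scriptsInStack(stack, hookUrl) {
  const re = /(https?:\/\/[^\s()]+?):\d+:\d+/g;
  const urls = [];
  let m;
  while ((m = re.exec(stack)) !== null) {
    if (m[1] !== hookUrl) urls.push(m[1]);
  }
  return urls;
}

// The script to blame is the nearest frame that is not the hook.
function attributeRead(stack, hookUrl) {
  const urls = scriptsInStack(stack, hookUrl);
  return urls.length > 0 ? urls[0] : null;
}

// Decide whether one field read should raise an alert.
function reviewRead(fieldName, stack, hookUrl) {
  if (!SENSITIVE_FIELD.test(fieldName)) {
    return { fieldName, sensitive: false, script: null, authorized: true };
  }
  const script = attributeRead(stack, hookUrl);
  return {
    fieldName,
    sensitive: true,
    script,
    authorized: script !== null && AUTHORIZED_SCRIPTS.includes(script),
  };
}

// Browser-only: route every input .value read through reviewRead.
// Returns false under Node so the file still runs as a plain script.
function installFieldHook(report, hookUrl) {
  if (typeof window === 'undefined') return false;
  const desc = Object.getOwnPropertyDescriptor(HTMLInputElement.prototype, 'value');
  Object.defineProperty(HTMLInputElement.prototype, 'value', {
    configurable: true,
    enumerable: desc.enumerable,
    set: desc.set,
    get() {
      const name = this.name || this.id || this.getAttribute('autocomplete') || '';
      const r = reviewRead(name, new Error().stack || '', hookUrl);
      if (r.sensitive && !r.authorized) report(r);
      return desc.get.call(this);
    },
  });
  return true;
}

// Constructed stack traces for three situations the post describes.
const THIRD_PARTY_READ = [ // attack 2 style: the reading code lives on the skimmer's domain
  'Error',
  `    at HTMLInputElement.get [as value] (${HOOK_URL}:12:9)`,
  '    at collect (https://worksgethub.com/lib.js:3:41)',
  '    at HTMLFormElement.<anonymous> (https://shop.example.com/static/checkout.js:88:5)',
].join('\n');
const LEGIT_READ = [ // the shop's own checkout script, SpiderMonkey-style frames
  `get@${HOOK_URL}:12:9`,
  'onSubmit@https://shop.example.com/static/checkout.js:88:5',
].join('\n');
const TAMPERED_FIRST_PARTY_READ = [ // attack 3 style: malicious code inside the trusted file
  'Error',
  `    at HTMLInputElement.get [as value] (${HOOK_URL}:12:9)`,
  '    at HTMLFormElement.<anonymous> (https://shop.example.com/static/checkout.js:301:17)',
].join('\n');

if (typeof window === 'undefined') {
  const samples = [['third-party', THIRD_PARTY_READ], ['legit', LEGIT_READ], ['tampered', TAMPERED_FIRST_PARTY_READ]];
  for (const [label, stack] of samples) console.log(label, reviewRead('cc-number', stack, HOOK_URL));
} else {
  installFieldHook((r) => console.warn('unauthorized field read', r), HOOK_URL);
}
```

The first trace is attributed to worksgethub[.]com and fails the allowlist, the second to the shop's own checkout script and passes. The third is the one to pay attention to: code inserted into a file the shop already trusts (attack 3) is attributed to that file and passes too. Attribution answers "which script read the field", not "has that script been tampered with", which is the post's point that first-party trust is not enough; the destination-level alerts (scripts loading from, or data leaving to, blacklisted domains) are what catch that case.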
Summary
Three Magecart campaigns fighting over one checkout page—while customers remain unaware—demonstrate just how ferocious and competitive the skimming ecosystem has become.
The takeaway is clear: focusing on one attack type at a time isn’t enough. Only a comprehensive, proactive solution can protect customers against multiple, simultaneous threats.