New Magecart Attack Used a Compromised Advertising Agency to Deliver Its Payload


Fully [H]
Apr 10, 2003
Magecart Group 12 is suspected of compromising an ad agency that delivers advertising to eCommerce websites. By directly injecting payment skimming code into JavaScript libraries provided by French online advertising company Adverline to its eCommerce customers, it enabled all websites embedded with the script to load the skimming code. Thus the group was able to steal payment information from consumers by infecting a 3rd party website. This allows the Magecart groups to expand their reach and pilfer more data. Once information is entered into a webpage's typing form, the script will copy the information and it is stored until the victim closes the webpage. At that point, the information is sent to a remote server.

In Adverline's case, code was injected into a JavaScript library for retargeting advertising. It's an approach used by e-commerce websites where visitors are tagged so they can be delivered specific ads that could attract them back to the websites. At the time of our research, the websites embedded with Adverline's retargeting script loaded Magecart Group 12's skimming code, which, in turn, skims payment information entered on webpages then sends it to its remote server.
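An added example, not part of the original post or the quoted research: a Python audit that inventories the external scripts a checkout page loads and flags third-party hosts that are not on an allowlist or are loaded without a Subresource Integrity hash. The page URL, HTML, hostnames and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptInventory(HTMLParser):
    """Collect every <script src=...> tag with its integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def audit_page(page_url, html, allowed_hosts):
    """Return (host, url, reason) findings; first-party scripts are skipped."""
    first_party = urlsplit(page_url).hostname
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, integrity in inv.scripts:
        full = urljoin(page_url, src)  # resolves relative and //host URLs
        host = urlsplit(full).hostname
        if host == first_party:
            continue
        if host not in allowed_hosts:
            findings.append((host, full, "third-party host not on allowlist"))
        elif not integrity:
            findings.append((host, full, "no integrity attribute (SRI)"))
    return findings

# Constructed sample: a checkout page with one first-party and three external scripts.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.example.net/lib.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//ads.example.org/retarget.js"></script>
<script src="https://pay.example.com/sdk.js"></script>
</head><body><form id="payment"></form></body></html>
"""
ALLOWED = {"cdn.example.net", "pay.example.com"}  # hypothetical vetted hosts

if __name__ == "__main__":
    for host, src, reason in audit_page(SAMPLE_URL, SAMPLE_HTML, ALLOWED):
        print(f"{host}: {reason} ({src})")
```

A pinned integrity hash makes the browser refuse a library whose content was altered at the vendor, which is the situation described above. The audit only sees scripts present in the served HTML, not scripts that those scripts load at runtime.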


Mawd Gawd
Oct 25, 2000
Why does a shopping website need to display adverts in the first place?

Dead Parrot

Mar 4, 2013
Wait. You mean that running un-vetted 3rd party scripts that in turn run more un-vetted third party scripts isn't a safe thing for sites handling money to be doing as part of normal business? Shocking!