Github-hosted Magecart Card Skimmer Injected on GitHub Compromises Thousands of E-commerce Sites

Attackers compromised almost 2,400 e-commerce websites installed via Magento since early April to inject Github-hosted Magecart Card Skimmer script.

The Magecart card skimmer script, obfuscated with a hexadecimal encoding, was uploaded to Github on April 20 by a user who goes by the name ‘momo33333’.

Once the fraudulent use of GitHub service to infect Magento sites came into the light, Github immediately took down the skimmer script.

But, it is to be noted that the attackers behind this MageCart campaign can easily inject a new skimmer script hosted on servers they control or on other legitimate hosting services.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers,” said Jerome Segora, a security researcher from Malwarebytes.

According to other sources from urlscan.io and PublicWWW scans, there are over hundreds of compromised websites with links to GitHub-hosted MageCart card skimmer. It was only last year that a larger MagentoCore skimming campaign infected more than 7000 Magento stores.