Threat Intelligence Tarot
pentacles · 11
Criminal (multiple groups, decentralized)
G0056 · ★★★★★
risk 4/5
✦ The Invisible Skimmer ✦
Magecart
Magecart Group 1-22 · JavaScript skimmer operators
E-commerce sites · British Airways · Ticketmaster · Newegg · 380,000+ victim records
Active since ~2016 · E-commerce payment card theft, JavaScript injection, Third-party script compromise
The Invisible Skimmer inserts 22 lines of JavaScript into a checkout page. No one sees it. Every payment card submitted goes to the attacker's server before going to the merchant. Hundreds of thousands of cards, stolen at the moment of trust - when the customer types their number and clicks Buy.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- British Airways breach - 380,000 payment cards skimmed (2018)
- Ticketmaster supply chain attack via third-party chatbot script
- Newegg e-commerce compromise - payment page skimmer
- Third-party JavaScript library compromise for downstream skimming
Defenses
- Content Security Policy (CSP) headers to restrict script execution (OWASP CSP)
- Subresource integrity (SRI) for third-party scripts (OWASP SRI)
- Third-party JavaScript vendor security assessment (NIST CSF: ID.SC)
- E-commerce payment page integrity monitoring (PCI DSS 6.4.3)
Reversed: Their Weakness
British Airways was fined £20M by the UK ICO for the Magecart breach - not for being attacked, but for failing to implement adequate security measures that would have detected or prevented the skimmer. Regulatory consequence created market pressure for better e-commerce security.
Data sourced from MITRE ATT&CK. For educational purposes.