Detecting Magecart Skimmers in 2026: What Changed After Group 12
Modern card-skimmers are no longer found in obvious <script> tags. Here's how we detect them inside service workers, WASM blobs, and lazy-imported chunks.
For most of the last decade, Magecart detection was an exercise in string matching. Find an inline <script> making a POST to a newly registered .top domain; alert and move on.
The playbook has shifted. Since late 2024 the dominant pattern we see in our pipeline is a payment-page skimmer registered inside a service worker, fed by an innocuous-looking analytics.js wrapper, and activated only after a fingerprint check confirms the visitor is not a headless browser.
To catch this variant, our crawler launches a fully instrumented Chromium with service-worker hooks, performs a synthetic checkout, and records every fetch initiator in the resulting page tree. The skimmer fires exactly once per realistic-looking session — and we see it because we look like a real session.
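One way to audit the recorded fetch initiators from such a session, as an added example that is not the crawler's own code. The event shape, the policy object, the function name and every hostname are assumptions constructed for illustration.

```javascript
// Constructed event log from one instrumented synthetic checkout (not real data).
// The event shape is an assumption for this example, not a real crawler format.
const sampleEvents = [
  { kind: "sw-register", swUrl: "https://shop.example/sw.js",
    registeredBy: "https://shop.example/static/analytics.js" },
  { kind: "fetch", page: "https://shop.example/checkout", method: "GET",
    url: "https://cdn.example/chunk-42.js",
    initiator: { type: "script", url: "https://shop.example/static/app.js" } },
  { kind: "fetch", page: "https://shop.example/checkout", method: "POST",
    url: "https://payments.example/v1/charge",
    initiator: { type: "script", url: "https://shop.example/static/app.js" } },
  { kind: "fetch", page: "https://shop.example/checkout", method: "POST",
    url: "https://metrics.test/c",
    initiator: { type: "serviceworker", url: "https://shop.example/sw.js" } },
];

// Hypothetical policy: which paths are payment pages, and where they may send data.
const samplePolicy = {
  paymentPaths: [/^\/checkout/],
  allowedPostOrigins: new Set(["https://shop.example", "https://payments.example"]),
};

function auditFetchInitiators(events, policy) {
  // Map each service worker script to the page script that registered it.
  const registrars = new Map();
  for (const e of events) {
    if (e.kind === "sw-register") registrars.set(e.swUrl, e.registeredBy);
  }
  const findings = [];
  for (const e of events) {
    if (e.kind !== "fetch") continue;
    const page = new URL(e.page);
    const target = new URL(e.url);
    const onPaymentPage = policy.paymentPaths.some((re) => re.test(page.pathname));
    const sendsBody = !["GET", "HEAD", "OPTIONS"].includes(e.method.toUpperCase());
    if (!onPaymentPage || !sendsBody) continue;
    if (policy.allowedPostOrigins.has(target.origin)) continue;
    const fromWorker = e.initiator.type === "serviceworker";
    findings.push({
      target: target.origin,
      initiator: e.initiator.url,
      // A worker-initiated request has no <script> tag of its own in the page,
      // so report which page script installed the worker.
      registeredBy: fromWorker ? registrars.get(e.initiator.url) ?? "unknown" : null,
      severity: fromWorker ? "high" : "medium",
    });
  }
  return findings;
}
```

This covers body-carrying methods only; data placed in GET query strings needs a separate check against the same origin allowlist.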
If you run an e-commerce store, the practical takeaway is that signature-based WAFs cannot detect this. You need in-browser execution monitoring that can survive the attacker's anti-analysis checks.