- OpenCart websites were silently injected with malware that mimics trusted tracking scripts
- Script hides in analytics tags and quietly swaps real payment forms for fake ones
- Obfuscated JavaScript allowed attackers to slip past detection and launch credential theft in real time
A new Magecart-style attack has raised concerns across the cybersecurity landscape, targeting ecommerce websites which rely on the OpenCart CMS.
The attackers injected malicious JavaScript into landing pages, cleverly hiding their payload among legitimate analytics and marketing tags such as Facebook Pixel, Meta Pixel, and Google Tag Manager.
Exepers from c/side, a cybersecurity firm that monitors third-party scripts and web assets to detect and prevent client-side attacks, says the injected code resembles a standard tag snippet, but its behavior tells a different story.
Obfuscation techniques and script injection
This particular campaign disguises its malicious intent by encoding payload URLs using Base64 and routing traffic through suspicious domains such as /tagscart.shop/cdn/analytics.min.js, making it harder to detect in transit.
At first, it appears to be a standard Google Analytics or Tag Manager script, but closer inspection reveals otherwise.
When decoded and executed, the script dynamically creates a new element, inserts it before existing scripts, and silently launches additional code.
The malware then executes heavily obfuscated code, using techniques such as hexadecimal references, array recombination, and the eval() function for dynamic decoding.
The key function of this script is to inject a fake credit card form during checkout, styled to appear legitimate.
Once rendered, the form captures input across the credit card number, expiration date, and CVC. Listeners are attached to blur, keydown, and paste events, ensuring that user input is captured at every stage.
Importantly, the attack doesn’t rely on clipboard scraping, and users are forced to manually input card details.
After this, data is immediately exfiltrated via POST requests to two command-and-control (C2) domains: //ultracart[.]shop/g.php and //hxjet.pics/g.php.
In an added twist, the original payment form is hidden once the card information is submitted – a second page then prompts users to enter further bank transaction details, compounding the threat.
What stands out in this case is the unusually long delay in using the stolen card data, which took several months instead of the typical few days.
The report reveals that one card was used on June 18 in a pay-by-phone transaction from the US, while another was charged €47.80 to an unidentified vendor.
This breach shows a growing risk in SaaS-based e-commerce, where CMS platforms like OpenCart become soft targets for advanced malware.
There is therefore a need for stronger security measures beyond basic firewalls.
Automated platforms like c/side claim to detect threats by spotting obfuscated JavaScript, unauthorized form injections, and anomalous script behavior.
As attackers evolve, even small CMS deployments must remain vigilant, and real-time monitoring and threat intelligence should no longer be optional for e-commerce vendors seeking to secure their customers’ trust.
