• Blog
  • Magecart & Web-skimming
  • Magecart Hacked Thousands of Websites Simultaneously via Picreel third-party JavaScript.

Magecart Hacked Thousands of Websites Simultaneously via Picreel third-party JavaScript.

Reflectiz Team

Reflectiz Team

  • May 19, 2019
  • 2 min read
  • May 19, 2019
  • 2 min read
Magecart Hacked Thousands of Websites via third-party JavaScript.
Share article
twitter linkedin medium facebook
In May of 2019, the Magecart group attacked again.  Like previous events, the group used third-party tools to attack thousands of websites simultaneously.  One of the compromised tools was Picreel, a premier Conversion Rate Optimization tool. 

This incident highlights a risk many websites face today: third and fourth-party hacks lead to huge data compromises that trigger very quickly across thousands of websites simultaneously – and put their customers at risk of identity, credit card, and credentials theft.

The malicious code was delivered to thousands of websites worldwide, including Picreel. The delivery vector was a third-party code referenced at runtime. As a result, customer data such as credit card and billing information may have been collected by the attackers, leaving many of the exploited companies liable for the theft.  Although the attackers’ code was not executed because of an inadvertent syntax error, unauthorized code was delivered to Picreel.

 

One Attack, Thousands of Victims

The culprits are groups known as “Magecart” (a play of words on “Magento”), professional cybercriminals focusing on skimming payment information. The Magecart attacks are distinct because they exploit third-party scripts used by thousands of websites. Most websites today rely on dozens of these scripts, so this approach enables a single hack to affect nearly every website that uses the component.

This latest attack involved Picreel – the gold-standard of Conversion Rate Optimization (CRO) services.  Picreel is trusted by Forbes, Saxo Bank, Virgin Mobile, and other top brands.  Companies that rely on potential customer conversion probably use Picreel or another similar service.

Payment services are not the only functions at risk – any interaction of by customers on a website might be recorded using a Magecart-style attack.  Most websites rely on a complicated web of third, fourth, and fifth-party software to provide functionality – anywhere from essential Search Engine Optimization to convenient editing and engagement tools. And because the most critical services, like Adobe’s Magento, are trusted and few in number, an attack against an infrastructure like this can violate the trust of hundreds of thousands of websites simultaneously.

Book a meeting to get a FREE Magecart threat check for your website  

 

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Related Articles

New Malware Campaign Impacts Over 40 Banks
  • January 23, 2024
  • 5 min read

New Malware Campaign Impacts Over 40 Banks

Client-side Security: Valuable Best Practices to Secure Your Websites
  • January 8, 2024
  • 11 min read

Client-side Security: Valuable Best Practices to Secure Your Websites

The Most Dangerous Cyber Attacks Of 2023: The Full Countdown
  • December 6, 2023
  • 8 min read

The Most Dangerous Cyber Attacks Of 2023: The Full Countdown

The Cost of Magecart: What You Need To Know
  • November 21, 2023
  • 8 min read

The Cost of Magecart: What You Need To Know

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free
linkedin twitter

All rights reserved 2024 © Reflectiz

Book a Demo

Book a Demo