A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises.

Silent Push has identified a surge in infrastructure deployment that mirrors the TTPs (Tactics, Techniques, and Procedures) of SLSH—a predatory alliance between Scattered Spider, LAPSUS$, and ShinyHunters. This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (“vishing”) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups.

The Threat: SLSH “Supergroup”

SLSH (Scattered LAPSUS$ Hunters) is an aggressive cybercrime group that emerged from “The Com” ecosystem. By merging Scattered Spider’s social engineering expertise with LAPSUS$’ extortion models, they have created a sophisticated initial access strategy that targets enterprise organizations through their identity providers. 

The primary infrastructure being used is a new “Live Phishing Panel.” This allows a human attacker to sit in the middle of a login session, intercepting credentials and MFA tokens in real-time to gain immediate, persistent access to corporate dashboards.

Critical Target List (Last 30 Days)

If your organization is listed below, Silent Push has detected active targeting or infrastructure preparation directed at your domain within the last month.

Industry Sector	Companies
Technology & Software	Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, RingCentral, ZoomInfo, Iron Mountain.
Fintech & Payments	Adyen, Jack Henry, Shift4 Payments, SoFi.
Biotech & Pharma	Alnylam, Amgen, Arvinas, Biogen, Gilead Sciences, Moderna, Neurocrine Biosciences.
Financial Services / Banking	Apollo Global Mgmt, Blackstone, Cohen & Steers, Frost Bank, goeasy Ltd., Guild Mortgage, Morningstar, RBC, Securian Financial, State Street, TPG Capital.
Real Estate (REITs & Investment)	Avison Young, Brixmor Property, CBRE, Centerspace, Colliers, eXp Realty, Goodman Group, Howard Hughes Corp., Kennedy Wilson, Macerich, Public Storage, Realty Income, Redfin, RE/MAX, Simon Property Group, WeWork.
Real Estate Tech / Software	Entrata, RealPage, Zillow.
Infrastructure, Energy & Utilities	Acco Engineered Systems, AECOM, Alliant Energy, American Water, Beach Energy, Cenovus Energy, CMS Energy, DistributionNOW, Halliburton, Invenergy, MasTec, NOV Inc., Oceaneering, Sempra Energy, Sunrun, Talen Energy.
Healthcare & MedTech	Bayshore Healthcare, Globus Medical, GoodRx, ResMed, Surgery Partners, UCHealth.
HR Tech & Outsourcing	Awardco, Cornerstone OnDemand, Gusto, TriNet.
Logistics & Transportation	Brambles (CHEP), Crowley, Covenant Logistics, Lineage Logistics.
Manufacturing & Industrial	Ball Corp, BlueLinx, Canfor, Littelfuse, Methode Electronics, Reliance Steel.
Retail & Consumer Goods	Amway, Carvana, Do it Best, GameStop, Murphy USA, Sargento Foods, Sonos, Spin Master, Lamb Weston.
Insurance	HBF Health, Mercury Insurance, Risk Strategies.
Legal Services	Jones Day, Paul Hastings LLP, Perkins Coie.
Media, Education & Hospitality	Cengage, Choice Hotels, Hearst.
Telecommunications	Telstra.

Why Immediate Action Is Required

Standard security awareness training often fails to stop this specific threat. SLSH operators are highly persuasive, frequently calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts.

The Risk

• Total SSO takeover: Once an Okta or another SSO provider’s session is hijacked, the attacker has a “skeleton key” to every app in your environment.
• Data extortion: Following the LAPSUS$ playbook, these actors prioritize rapid data exfiltration for public extortion.
• Lateral movement: The attackers use the initial SSO breach to move into internal communications (such as with Slack or Teams) to social-engineer higher-privilege admins.
• Data encryption: A final step in an SLSH attack after data exfiltration is often to encrypt enterprise data and then blackmail organizations into paying ransom to acquire decryption keys.

Defensive Requirements

Organizations should not wait for a breach notification and immediately:

1. Warn customer support and employees about ongoing SLSH attacks: The best way to prevent unexpected vishing campaigns from succeeding is to alert your employees about ongoing attacks targeting your company. If someone receives any suspicious messages, calls, or emails during this time, they should be immediately escalated to managers and security teams for review.
2. Audit Okta system and other SSO provider logs: Hunt for “New Device Enrolled” events immediately followed by a login from an unfamiliar IP address.
3. Deploy pre-attack intelligence: Silent Push identifies these attack surfaces at the DNS level before vishing calls begin. Use of Silent Push Indicators of Future Attack™ (IOFA™) feeds can block malicious look-alike domains before they go live.

---

FAQs 

What is the SLSH threat group? SLSH is a cybercriminal alliance of Scattered Spider, LAPSUS$, and ShinyHunters, specializing in vishing, SSO credential theft, and ransomware campaigns.

How does a live phishing panel work? It allows an attacker to intercept MFA tokens and login credentials in real-time, enabling them to bypass security prompts while the victim is on the phone.

How can I protect my Okta or other SSO provider account from vishing? The most effective defense is to use phishing-resistant MFA (FIDO2) and to verify all IT support calls through an official out-of-band channel.

North Korean operatives and professional money launderers have been drawing six-figure salaries from Fortune Global 500 companies by exploiting a fundamental flaw in identity verification.

The Silent Push preemptive cyber defense team has found domestic U.S. IP addresses being used by North Koreans, likely as part of their efforts to appear as suitable candidates for jobs with major U.S. corporations. 

Traditional KYC (Know Your Company) and AML (Anti Money Laundering) protocols rely on static document validation. These processes fail when an adversary presents a legitimate, stolen identity that is backed by a clean residential IP address.

When organizations cannot distinguish between a local user and a Keyboard-Video-Mouse (KVM)-over-IP relay, their payroll systems become vulnerable to funding sanctioned entities.

---

Traditional tools only see the local address used to hide a connection. Traffic Origin unmasks the hidden upstream infrastructure used to spoof locations, identifying if a connection actually starts in a high-risk or sanctioned country instead of just the domestic IP where it ends.

---

The Obfuscation Gap: Why Traditional Tools Fail

Traditional security tools too often rely on historical databases to flag known malicious actors. This reactive approach fails against modern adversaries who constantly rotate infrastructure.

According to recent Department of Justice (DOJ) enforcement actions, thousands of highly skilled cyber operatives have deployed into the global digital workforce using fraudulent identities. Standard security stacks are particularly vulnerable to the tactics they use, including:

• Residential Proxy-as-a-Service (RPaaS): Fraudsters and sanctioned actors use residential proxies to appear as legitimate domestic customers. This allows them to bypass geo-fencing and pass initial KYC checks undetected.

• Laptop Farms and KVM Switches: Adversaries host physical hardware in a domestic residence and access it remotely via KVM-over-IP hardware.

The FBI issued specific guidance on how these schemes use domestic hardware to thwart standard detection. Because the software runs on a legitimate local machine, security tools see a domestic ISP and a local MAC address.

Beyond the “Last Mile” Geolocation

Traditional identity systems are easily deceived because they only see the exit node or the “last hop.” If the IP address says “London,” an alert is dismissed. This can create a catastrophic blind spot, allowing illicit funds to be washed through banks that cannot see a transaction’s true geographic origin.

The result is a massive money laundering engine. Illicit revenue is systematically moved through shell companies and Electronic Money Institutions (EMIs) to evade international sanctions or cash out from high-risk crypto mixers.

The UK’s Office of Financial Sanctions Implementation (OFSI) has highlighted several indicators of this activity, including upstream connection mismatches where domestic IPs show active links to high-risk jurisdictions.

The KYC & AML Checklist: Spotting the Digital Invisible Insider

While identity thieves and state actors work hard to blend in, their technical infrastructure leaves distinct fingerprints. Monitoring for the following “High Risk” indicators creates opportunities for defenders to disrupt these threat actors:

Red Flag	Technical Indicator	Risk Profile
Geographic mismatch	Domestic IP with an active upstream connection to a sanctioned or high-risk zone.	High (sanctions evasion)
Infrastructure Density	Numerous unrelated devices (High Host Diversity) appear to originate from a single residential IP.	Medium/high (proxy usage)
Interview & meeting friction	Persistent refusal to appear on camera, unusual audio lags, or background environments inconsistent with claimed locations.	High (identity spoofing)
Employment anomaly	A “highly skilled” employee who fails to complete basic tasks, refuses 1:1 video syncs, or delegates work to “partners.”	High (work outsourcing, potentially DPRK)
Financial redirection	Urgent requests to pivot salary payments to an EMI or third-party account shortly after onboarding.	High (money laundering)

Traffic Origin: True-Origin Determination

To solve this dilemma, organizations must move beyond document checks to verify the technical origin of a connection. Silent Push Traffic Origin addresses this visibility gap by providing the highest-confidence attribution indicator available today.

We extend this visibility through true-origin determination. This capability provides targeted, high-confidence attribution, revealing the true geographic origin for identified high-risk infrastructure even when masked by VPNs or residential proxies. While traditional tools only see the final residential hop, Traffic Origin identifies a true upstream source.

Through deep, multidimensional analysis, the Traffic Origin platform evaluates host diversity, subnet reputation, and behavioral density to provide technical clarity.

Verification in the Age of Invisible Insiders

Trust is a liability in an era where an adversary can rent a domestic identity and a clean residential IP for a few dollars. Accurate compliance requires more than just checking a passport. It requires verifying the physical and technical reality of the connection.

Traffic Origin can protect your organization by providing the visibility required to ensure your KYC, AML, and fraud workflows are grounded in technical truth rather than digital deception.

Without the ability to unmask upstream inception points, your security posture remains reactive and incomplete. You lose the critical window to block professional fraudsters and “Invisible Insiders” before they bypass your existing gatekeepers.

Evaluate your network visibility today with Traffic Origin and IP Context to move toward a preemptive posture grounded in technical truth.

Connect with our team to see how Silent Push preemptive cyber defense can protect your organization.

Key Findings

• Silent Push Preemptive Cyber Defense Analysts recently uncovered an extensive network of domains associated with a long-term, ongoing web-skimmer campaign, known under the umbrella name: “Magecart.”
• Several global payment networks are currently being targeted, including American Express, Diners Club, Discover, and Mastercard.
• The most likely victims of this web-skimming campaign are online shoppers, the e-commerce stores that are compromised, and the payment providers.
• This campaign has been active since at least January 2022.

Executive Summary

While investigating intelligence shared with us, a set of indicators that were also found on our Bulletproof Host Indicators Of Future Attack™ (IOFA™) feeds, our team discovered a vast network of domains related to a long-term and ongoing credit card skimming campaign. Current findings suggest this campaign has been active for several years, dating back to the beginning of 2022.

This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.

This blog provides an overview of online credit card skimming (a practice referred to as “Magecart”) and how our technology uncovered the campaign’s infrastructure. Due to operational security (OpSec) concerns, we cannot disclose all of the methods developed by our analysts to track this specific campaign. Please contact our Sales team for access if you would like details.

Background

What Is a Web Skimmer?

Web skimming attacks, also known as credit card skimmer attacks, are cyberattacks where malicious code, often JavaScript, is injected into legitimate e-commerce websites or payment portals to stealthily intercept and steal customers’ credit card information and other sensitive personal data during the checkout process.

These attacks typically operate client-side, meaning the code runs in the victim’s browser and is thus nearly invisible to both users and site owners. The goal for the threat actor is to harvest card payment details for fraudulent transactions, identity theft, or resale on dark web marketplaces, ultimately leading to acts of identity fraud and/or bank fraud. This often depends on whether the threat actor is involved in the actual looting themselves or if they’re more interested in simply reselling the data.

As previously noted, the common term used to refer to this type of online credit card theft is “Magecart.” Initially, however, the term Magecart referred to a coalition of cybercriminal groups targeting web shops that used the e-commerce software Magento. Over time, as these attacks proliferated and diversified against other e-commerce products, the name “Magecart” shifted from denoting specific actors targeting the Magento e-commerce software to that of a general label for nearly all web-based credit card skimming, web skimming, and formjacking attacks, regardless of which threat group or technology is, or was, involved.

These days, “Magecart” is an accepted term used to describe the entire class of client-side attacks that covertly exfiltrate sensitive user data from web forms during online transactions, encompassing activity from both the original groups from which the moniker originated and all subsequent copycat groups.

---

Process of a Web-Skimmer Attack: Step by Step

---

Magecart Unmasked Webinar: February 3, 2026

Join us for a special Silent Push threat intelligence webinar, where we will discuss identifying hidden Magecart activity, defeating client-side threats that steal data from online transactions, and the steps to take in protecting your organization from sophisticated web-skimming networks.

We’ll be hosting three sessions: AMER (1pm ET), EMEA (12pm CET), and APJ (10am SGT) to support our global community.

---

What Did Our Threat Team Observe?

One of the indicators we started from was cdn-cookie[.]com, which pointed to an IP address on ASN 209847, which was only recently acquired by the European-sanctioned entity, PQ.Hosting/Stark Industries, also known as THE.Hosting/WorkTitans B.V.

During initial analysis, our team determined that this domain was hosting a few URLs that loaded highly obfuscated scripts, such as:

cdn-cookie[.]com/recorder.js

Further analysis of the scripts and related domains revealed a broader picture: a long-term web-skimming campaign with several ongoing infections dating back to approximately 2022.

We identified additional technical fingerprints that extend beyond the current campaign’s infrastructure. However, due to OpSec concerns and our desire not to highlight mistakes the threat actor is making in its deployments, those details are only available to our enterprise clients and law enforcement. Please contact our Sales team for access if you would like more information or book a demonstration with our experts.

---

Uncovering Malicious Infrastructure

Before examining the web skimming code and its operation, let’s first highlight how we utilize the Silent Push platform to identify additional indicators and compromised websites related to this campaign.

Besides a simple search for the indicator itself, one of the first queries performed is often done to see whether a given indicator has been loaded in the context of any other website in our database. To achieve this, we utilize our proprietary Web Resources data set, which contains data on all resources loaded by any websites that Silent Push has scanned.

The query below showcases this for the initial seed domain: cdn-cookie[.]com.

Web Search resource_hostname + hostname query link

datasource = ["webresources"] AND resource_hostname = "cdn-cookie.com" AND hostname != "cdn-cookie.com" AND hostname != "www.cdn-cookie.com"

In the results below, notice that the “hostname” field includes numerous seemingly unrelated domains. You can see that our Web Scanner caught this domain loaded as a resource on several different websites. In this instance, that means those returned domains are actually the compromised domains embedding this specific injector domain:

Also of note, the following files were loaded from this domain:

• /1-197056a9.js
• /763825
• /cplnfwtlrkb.js
• /tab-gtm.js

Opening any of these files will present the viewer with obfuscated code, as with the previous “recorder.js” file.

Our team examined which pages were loading these external files. It did not take long to see that three out of four pages we logged as loading code from cdn-cookie[.]com are clearly identifiable webshops. At the same time, one of the three webshops currently presents visitors with a rather interesting message that informs its customers about recent payment system issues, which was further confirmation that we were on the right track.

Webshops are especially prone to credit card skimming attacks, as seen here, where the four websites from our query are all from different vendors, on various infrastructure and in other countries, each loading strange, obfuscated code from a domain hosted on a known bulletproof host.

---

Analyzing an Ongoing Infection

Next up in our investigation was an examination of the actively compromised website (at time of writing): hxxps[:]//colunexshop[.]com/. Pulling it up in our Web Resources data and using the hostname field as well as resource_hostname to check for any references to it, the results made it apparent that this site contacts the previously discovered malicious domain via the following file:
“1-97056a9[.]js”

hxxps[:]//cdn-cookie[.]com/1-197056a9.js

Web Resources Search query link

datasource = [“webresources”] AND resource_hostname = “*cdn-cookie[.]com*” AND hostname != “cdn-cookie[.]com”

Opening the link in a web browser in a safe environment returned the following script:

This page displays obfuscated JavaScript code, and the script’s analysis is provided below. Before we dive in, however, we want to first find out how the infected website loads the code in question. This can be done by analyzing the website via a Web Developer Console.

As referenced earlier, web skimmers aim to manipulate the payment process of a legitimate e-commerce website to steal credit card details. Due to this, many of them only initiate their injection process when the checkout page is accessed, and the payment process begins.

To identify where a web skimmer’s starting point may be, one can go through the normal steps of buying an item until reaching the “checkout” page, where a visitor is typically asked to enter their personal details and preferred payment method. The exact layout of this process varies by webshop; however, once we open the checkout page for colunexshop[.]com, we can see the expected web request to the file mentioned above, “1-97056a9[.]js”:

If we click on the “initiator” link, we can see the file that triggered the web request in our console. It even focuses on the piece of code that triggered the request in the larger file.

In the case of colunexshop[.]com, the initiation of the request is done by a small piece of code in the file:

hxxps[:]//colunexshop[.]com/finalizar-compra/?doing_wp_cron=1757931326.231261049383544921875

This code tries to imitate a Facebook-related code-loading script. However, it does a bad job of faking this, as no known Facebook script uses a list of character concatenations from a long string. An obfuscated code segment then creates a self-executing function that gets called with three arguments. These arguments are:

Working our way through, this “e” argument is used regularly throughout the script. It serves as an alphabet used by the code to derive strings. For example, e[2] = a, e[8] = d, e[10] = E and so on. We can thus use it to deobfuscate the strings and derive the following code (comments added for clarity, with the last string shortened for brevity):

This code does not load the actual Facebook fbevents[.]js file; instead, it reaches out to a base64-obfuscated URL and injects the returned code. It can be seen in the script located at:

hxxps[:]//cdn-cookie[.]com/1-197056a9.js

Given that this code is highly obfuscated and loaded via a purposely obfuscated JavaScript, the red flags here are enough to know we are headed in the right direction.

This code is also loaded via the “wp_enqueue_scripts” functionality, as shown below, which is an action hook mechanism in WordPress that allows WordPress to load scripts and CSS at the proper time during the website’s rendering in the browser.

add_action('wp_enqueue_scripts', function () { echo '<code here>'; });

The action hook is ordinarily intended to run at the optimal time during page load to ensure that all relevant scripts and styles are included in the correct order, with proper dependency management, thereby preventing conflicts between themes and plugins.

However, this is not typically done by directly echoing JavaScript code, as is done here. The attacker’s improper use of the code actually results in a visible bug on the infected website, revealing that segment at the bottom of the page, as shown in the red box below:

Despite this bug, the code as a whole indicates that this attacker has advanced knowledge of WordPress’s inner workings and integrates even lesser-known features into their attack chain.

Skimmer Analysis

In addition to being highly obfuscated, the code employs several techniques, including string concatenation, array-based string storage, self-executing anonymous functions, and other encodings.

Deobfuscation of the code reveals that, as expected, we encounter approximately 600 lines of JavaScript code implementing the credit card skimmer. The code is then split into several functions, each with functionality related to a larger attack.

The following is a step-by-step walkthrough from initial execution to the end goal of victim credential theft:

The inject begins its execution by setting up a MutationObserver (a JavaScript API that provides the ability to detect modifications made to the Document Object Model (DOM) tree), which will execute the function “a()” every time the webpage’s DOM is changed.

The DOM is a tree-like representation of all HTML elements on a webpage that browsers create when loading a page. It’s essentially a live, interactive map where each HTML tag becomes a “node” that can be accessed, modified, or monitored by JavaScript. When users interact with the page (by clicking, typing, or loading content), the DOM changes in real-time.

This MutationObserver ensures that any change made to the website will cause the web skimmer to reattempt execution.

After starting the Observer, the “a()” function is executed a single time in what could be described as an independent initial execution attempt.

The code continues by executing a check for the Element “wpadminbar” in the current DOM, looking for the WordPress Admin Bar, which is a horizontal toolbar that appears at the top of WordPress websites when logged-in administrators or users with appropriate permissions are viewing the site. It provides quick access to standard WordPress functions, such as editing posts, managing users, accessing the dashboard, and viewing site statistics, without requiring navigation to the admin area.

If the wpadminbar element is defined in the DOM, the code will completely remove itself from the current DOM. It does so by removing any injected code and terminating the MutationObserver. This is done to evade the prying eyes of website administrators, increasing the chance of the malware’s survival.

The image below shows the “a()” function, which is called both on every DOM change and once initially.

This function is designed to check if the website is prepared to execute the skimmer. It first checks to see if the page has loaded fully by looking for the WooCommerce “BlockUI” element. The BlockUI element is a native WooCommerce overlay (typically a semi-transparent div with a “Please wait…” message) that WooCommerce displays when it is processing checkout data, loading payment methods, or updating cart contents. It is intended to block user interaction until the complete page has been loaded successfully.

The presence of elements with the class blockUI in the DOM indicates that WooCommerce is still performing background operations. The skimmer code then waits 1000 ms (or one second) before re-execution.

Once the blockUI check is passed successfully, the code checks to see if the “Stripe” payment method was selected on the website. Notably, this indicates that the skimmer was specifically designed for the type of webshop it was injected into, as not all WooCommerce websites utilize Stripe.

If Stripe is selected, the skimmer checks to see if the fake payment form it will create is already loaded, which would indicate that a previous execution of the skimmer has already changed the page. It also checks to see if there is a “wc_cart_hash” element in the website’s localStorage.

The malware uses the localStorage variable “wc_cart_hash” to indicate whether it has already successfully skimmed a victim. It is set to be “true” for successful credit card exfiltration and serves as a re-execution prevention measure.

If the Stripe form hasn’t been injected yet, the visitor hasn’t chosen Stripe as their payment method, or an error occurs, then the malware re-runs “a()” every 500 ms.

The real web skimmer execution starts with the function “i()”. Since this function exceeds 500 lines of code, we will break it down into several steps.

The “i” function first executes yet another check for the existence of the “wc-stripe-form.” If it does not exist but the “wc-stripe-upe-form” does, this means that the legitimate Stripe “Universal Payment Elements” form has loaded.

If this is the case, the skimmer gets to work. It makes sure that the legitimate Stripe Payment Form is hidden by setting its style.display variable to “none.” The skimmer then creates a malicious iframe in which it renders a fake Stripe Payment Form with legitimate-looking variable names, titles, styling, and so on. The iframe is then added to the legitimate container for the Stripe Payment method.

The code then continues by adding features that make the injected iframe responsive to changes in the website’s size, further enhancing its “legitimate” look and feel.

Next, it opens the iframe and writes a complete fake Stripe Payment Form into it. This particular payment form is in Portuguese, the same language as the compromised website. The HTML form contains three input fields with the IDs “cardnumber-Input,” “expiry-Input,” and “cvc-Input.”

At this point, the skimmer has effectively replaced the real payment form with its own malicious payment form, which, as previous code sections have already indicated, has the ID “wc-stripe-form.” Thereafter, all re-executions of the earlier “a()” function will fail because the fake form already exists.

With the fake form successfully injected, the skimmer then defines the logic to make the payment form appear functional. This includes adding script-based checks for “card brand” detection on input credit card numbers.

Providers that the script explicitly recognizes include:

• Mastercard
• American Express
• JCB Co., Ltd.
• Diners Club
• Discover
• UnionPay

Note: The companies listed here are the payment transaction providers themselves. This means that the skimmer most likely covers most issued credit cards globally, even if the card itself is branded by one’s local bank or payment card provider (Source: The Motley Fool)

The skimmer then uses this information to automatically adapt the input field with an image of the correct card brand, making the input form appear even more legitimate. The image below shows the changes for a Mastercard and a JCB card.

Additional features added for the sake of legitimacy include:

• Automatic formatting of the validity date entered
• Automatic formatting of the entered credit card number according to the card’s brand
  • American Express: 4-6-4 and a 4-digit CVC
  • Diners Club: 4-6-4
  • Most other cards: 4-4-4-4
• Automatic error highlighting in red if a field loses focus, but the entered details are invalid.
  • Verify the credit card number’s validity by ensuring it is associated with a recognized brand, not an unknown one, and has a length of at least 13 characters.
  • Check that the entered date is valid by ensuring its year is not in the past, at least five characters long, has a “/” separator, and contains a month between 1 and 12.
  • CVC is at least one character long

These checks are relatively simple compared to more advanced ones, like the Luhn algorithm.

The styling and validation features are added to the three input fields via EventListeners.

After this step, the web skimmer monitors all input forms of the checkout page. It uses two state variables, “w” and “h”, to store even partial input data, as long as there are at least two characters.

Stolen data is not limited to just credit card details. Every input element on the website is collected, including the name, address, and shipping address fields.

Data is then stored as key-value pairs, where the input field’s ID serves as the key and the entered value becomes the corresponding value.

A correctly formatted value for “w”, after a victim has filled out the form, would then look like the following:

w = {
"billing_first_name": "John",
"billing_last_name": "Doe",
"billing_email": "[email protected]",
"billing_phone": "555-1234",
"billing_address_1": "123 Main St",
// ... etc
}

Duplicate content would be in the “h” value.

The “w” value is never used after it is created and filled with the various values. The reason for that is unknown; however, it could be that “w” is simply a code artifact leftover from a previous version.

On the other hand, the “h” value is crucial for the exfiltration process. It is dynamically filled during the victim’s entire form-filling process. While the victim is filling out the payment data forms, the skimmer has additionally hijacked another feature of the payment site: the “Place Order” button.

The relevant code for this starts as:

The code is designed to add an EventListener to a button that reacts to a click event. This event is the equivalent of the victim having finished filling out the entire web form, including the Stripe payment information, and wanting to submit the order. When clicked, the code executes and stores each checkout form’s value in a new set of variables, one field at a time.

It does this by first checking if the value for the field was previously captured by the dynamic data storage functionality that stores data into the “w” and “h” variables. In this case, the data stored in the “h” variable is used for the queried key.

Suppose the dynamic data parser fails to store the specific key-value pair queried. If that happens, the code will then fall back to using the value currently stored in the field, accessing it directly via the “getElementById()” function.

A more thorough check is done for the payment data values entered into the fake Stripe Payment Form, shown here:

This code explicitly checks to ensure there has been no prior skimming execution against the current victim by checking the local storage variable wc_cart_hash.

It then prevents the hijacked form’s default functionality and ensures that none of the three credit card data input fields are empty.

If any of the fields are empty, the empty fields are changed to throw the same red error styling that the previous checks applied in case any of the entered card data did not pass the value checks. This prompts a victim to correct the missing data issues before proceeding further.

If these checks are passed, the skimming code then prepares the collected data for exfiltration by creating a data object that contains all previously collected data.

An example of this can be seen here:

Some of the collected data is reformatted before exfiltration. For example, the first name and last name of the billing form are joined around a “ ” to create the space in a victim’s “Full Name.”

Once the data structure has been created, the skimmer moves to the actual exfiltration.

It begins by ensuring that the previously created data object is JSON-formatted, XOR-encrypted, and Base64-encoded using the hardcoded key “777.”

The skimmer then sends an HTTP POST request to the Exfiltration Server via the following URL:

hxxps[:]//lasorie[.]com/api/add

This URL is a base64-encoded data string prepended by “data=” as the body.

Once this request has been sent, the skimmer then cleans itself from the current checkout page, removing the fake payment form it had created previously.

After that has been removed, it restores the legitimate Stripe input form, changing its display style back to “block.” Finally, it sets the localStorage variable “wc_cart_hash” to “true,” preventing the skimmer from being executed again for the current victim. It concludes by simulating a “click” on the actual checkout button to initiate the actual payment process.

Important note: As the victim entered their credit card details into a fake form instead of the real Stripe payment form, which was initially hidden by the skimmer when they initially filled it out, the payment page will display an error. This makes it appear as if the victim had simply entered their payment details incorrectly.

Most of the time, online shoppers are unaware that they have just been victimized. Instead, they will assume they made a mistake, then re-enter their credentials, and proceed as usual. The second payment attempt will then be processed successfully as they interact with the original benign payment form.

The only chance a non-technical victim would have to detect this attack would be noticing this error when trying to pay, and seeing that their information has disappeared after filling out the form.

The effectiveness of this is further reinforced by work shared by security researcher Mikhail Kasimov, who attributed several of these older domains to Magecart activity more than three years ago, demonstrating the threat actor’s staying power.

Indicators Of Future Attack™ (IOFA)™

The following are a small sample of the indicators gathered by our team for the Magecart network.

• cdn-cookie[.]com
• lasorie[.]com

Mitigation

Taking Defensive Measures Against Web Skimmer Campaigns

There are several defensive measures that both vendors and consumers can take to help protect themselves from web skimmer campaigns.

Defensive Measures for Vendors

• Implement a Content Security Policy (CSP) to restrict the loading of external resources, particularly JavaScript, thereby reducing the risk of malicious code injection.
• Comply with Payment Card Industry Data Security Standard (PCI DSS) Requirements. Following the PCI DSS standard helps ensure secure storage, processing, and transmission of cardholder and authentication data.
• Keep Systems Up to Date. Regularly maintain software components, including content management system (CMS) platforms, plugins, and security patches, to minimize vulnerabilities that threat actors might exploit.
• Enforce Strong Access Controls. Use complex, unique credentials for administrative accounts and enable multi-factor authentication to prevent unauthorized access.
• Testing From the User Perspective. Website administrators should periodically review their sites using either their browser’s incognito/private mode or after clearing the browser cache and history. This practice is essential because many web injection-based threats employ detection mechanisms that identify administrative users through cookies and deliberately avoid executing malicious code in their presence. By viewing the site without administrative credentials or cached data, administrators can detect threats that would otherwise remain hidden.

Defensive Measures for Consumers

• Shop on Trusted Platforms: Select established and reputable e-commerce websites with a proven track record of security.
• Carefully Evaluate Offers: Be cautious of deals that appear excessively discounted or unrealistic, as these may indicate fraudulent sites or malicious vendors. When offers sound too good to be true, they probably are.
• Monitor Financial Activity: Review bank and credit card statements regularly to promptly detect any unauthorized transactions.
• Beware of Checkout Anomalies: If a payment page unexpectedly displays errors after entering your card details, consider abandoning the transaction and report the issue as suspicious.
• Leverage Security Tools: Use browser or endpoint security solutions that block known malicious domains and scripts to enhance your online safety.

---

Ready to dive deeper into the world of preemptive cyber defense? Take our technology for a test drive with the free Silent Push Community Edition today.

---

Continuing to Track Magecart Campaigns

Our team will continue to track Magecart campaigns while expanding our understanding of the obfuscations and skimmer variants being delivered throughout 2026.

We believe Magecart remains an active threat to both online stores and their customers worldwide, and expect this multi-year campaign to continue indefinitely.

If you or your organization has any information to share regarding the findings in this report, we would love to hear from you.