It has been discovered that a malicious program has been launched, posing a serious threat to thousands of online retailers worldwide, as it exploits vulnerabilities in widely used content management systems. According to security researchers, the attack primarily targets platforms that utilise open-source e-commerce CMS frameworks, such as Magento and WooCommerce, by injecting malicious code into the platform and stealing customer data, compromising checkout pages, and gaining administrative control over backend systems.
In addition to being part of a wider cybercriminal operation, the malware is capable of silently harvesting sensitive information, such as payment details and login credentials, without the user being notified. As a result of this campaign, several online storefronts have already suffered significant losses. Cybersecurity companies, as well as digital commerce platforms, have issued urgent advisories.
Using outdated plugins, unpatched CMS instances, and misconfigured servers, the attackers have been able to distribute the malware on an unprecedented scale. Due to the fact that e-commerce remains a lucrative target for financially motivated threat actors, this incident highlights the importance of merchants regularly updating their systems, monitoring for abnormal activity, and implementing security best practices in order to ensure that they remain secure.
The malware campaign signals an urgent need for immediate defence action, with consumer trust and financial transactions at risk. The following sections explain how the attack mechanics work, which platforms are affected, and what mitigations should be taken to prevent this from happening in the future.
In the ever-evolving cybercrime landscape, e-commerce platforms have become prime targets, with recent studies indicating that 32.4% of successful cyberattacks are directed at online retailers and transaction-based companies. It is no secret that the e-commerce ecosystem is under a growing number of threats, and so is the interest of malicious actors who are continually developing sophisticated methods of exploiting vulnerabilities to gain an edge over their competitors.
Store administrators, internal employees, as well as unsuspecting customers are all susceptible to the growing range of threats facing the industry. Various attack vectors are being deployed by cybercriminals these days, including phishing attacks, credit card fraud, fake checkout pages, malicious bots, and Distributed Denial of Service (DDoS) attacks, all to disrupt operations, steal sensitive information, and compromise customer trust.
Businesses that fail to secure their systems adequately not only suffer immediate financial losses but also long-term reputation damage and legal consequences. These threats not only result in immediate financial loss but also cause long-term reputational damage and legal consequences for businesses. It is of utmost importance that businesses take proactive and robust security measures, given that these incidents have never been more prevalent and severe.
With comprehensive malware removal and prevention solutions from leading cybersecurity companies like Astra Security, businesses are able to detect, neutralise, and recover from breaches of this nature. Attackers are one of the most common ways that they infiltrate ecommerce websites by taking advantage of vulnerabilities within the platform, its infrastructure, or insecure third-party integrations.
A number of breaches can be attributed to inadequate configuration management, outdated software, and weak security controls among external vendors, which are often a result of an unfortunate combination. In spite of the popularity of high-profile platforms like Magento among online retailers, cybercriminals are also looking to target these platforms—particularly in cases where security patches are delayed or misconfigured—because they present a logical target for them.
In the past few years, cybercriminals have increasingly exploited known vulnerabilities (CVEs) in e-commerce platforms, with Adobe Magento seeing disproportionate attacks compared to other platforms. It is worth mentioning that CVE-2024-20720 has a critical command injection flaw that was discovered in early 2024, with its CVSS score of 9.1.
In the exploitation of this vulnerability, attackers were able to execute system commands remotely without the need for user interaction. Cybercriminal groups, such as the notorious Magecart, have exploited the vulnerability for the purposes of implanting persistent backdoors and exfiltrating sensitive customer information.
There was also the CosmicSting campaign, which exploited a chain of vulnerabilities, CVE-2024-34215 and CVE-2024-2961, which were responsible for affecting more than 75% of Adobe Commerce and Magento installations worldwide. A malicious script injected into a CMS block or CMS block modification enabled remote code execution, the access to critical configuration files (including encryption keys), the escalation of privileges, and long-term control by enabling remote code execution.
E-commerce platforms must take proactive measures to manage vulnerabilities and monitor real-time threats as a result of CosmicSting's widespread nature and sophistication. There is a disturbing new wave of cyberattacks that specifically target e-commerce websites built on the OpenCart content management system (CMS) and are modelled after Magecart in a Magecart-style attack.
Despite the stealthy and sophisticated execution methods used in this latest incident, cybersecurity experts have been particularly attentive to it. In this attack, malicious JavaScript was injected directly into landing pages by the attackers, which were cleverly disguised by the tags of legitimate third-party marketing and analytics providers such as Google Tag Manager and Meta Pixel.
When attackers embed malicious code within commonly used tracking snippets, they dramatically reduce their chances of traditional security tools being able to detect them early. Analysts at c/side, a cybersecurity company that specialises in client-side threat monitoring, stated that the script used in this experiment was crafted to mimic the behaviour of a typical tag, but on closer examination, it exhibited suspicious patterns.
A very deceptive aspect of this campaign is the use of Base64 encoding for obfuscating the payload URLs, which are then routed through suspicious domains like /tagscart.shop/cdn/analytics.min.js, which conceal the script’s true intent from detection during transmission, allowing it to operate undetected in legitimate traffic flows throughout the entire process.
After the script has been decoded, it generates new HTML elements that are then inserted into the document ahead of the existing scripts in a way that effectively launches secondary malicious payloads in the background. In order to prevent reverse engineering from occurring and to bypass basic security filters, the final stage involves heavily obfuscated JavaScript.
It utilises techniques such as hexadecimal encoding, array manipulation, and dynamic execution via eval() that are all designed to obfuscate JavaScript. To safeguard e-commerce infrastructures, real-time script monitoring and validation mechanisms are essential to safeguarding them against the sophistication of client-side attacks, which are becoming increasingly sophisticated.
Nowadays, with the globalisation of the internet, securing an e-commerce website has become a fundamental requirement for anyone who engages in online commerce. Whether it be through a personal website or a full-scale business, security is now an essential part of any online commerce process.
The costs of not acting can become devastating as malware campaigns become more complex, targeting platforms like Magento, WooCommerce, OpenCart, and others. Leaving a vulnerability unchecked or using an outdated plugin can result in credit card theft, customer data breaches, ransomware, or even a complete loss of control of the site. For businesses, these actions can result in financial losses, reputational damage, legal liabilities, and the loss of customer trust, while for individual entrepreneurs, it can lead to the death of a growing business.
Through practical, proactive strategies, these threats can be mitigated by performing regular updates and patches, developing strong access controls, integrating secure third parties with the applications, installing web application firewalls (WAFs), scanning continuously for malware, and using real-time monitoring tools. As the threat landscape evolves with each passing year, cybersecurity is not a one-time task, but rather a continuous process.
The e-commerce industry continues to grow around the world, which means that the question is no longer whether the sit, or a competitor's will be targeted, but when. Investing in robust security measures today means more than just protecting the business; it means you'll be able to survive. Stay informed, stay current, and stay safe.
