
Magecart skimmers — how to detect them on your checkout

A Magecart skimmer is a small piece of malicious JavaScript injected into your checkout page. It hooks the card fields, either keystroke by keystroke or once when the form is submitted, and quietly sends the captured data to an attacker-controlled server, often disguised as an image request or an analytics beacon. The customer sees nothing. The order completes normally, because the real payment still goes through. By the time the fraud reports come in, weeks have passed.

The breach surface looks small, one extra <script> tag or one new domain allowed by your CSP, but skimmers have exposed hundreds of thousands of cards in a single incident.

How the attack happens

Skimmers reach your site through three main paths:

  1. A compromised third-party script. A JavaScript library you embed (analytics, chat widget, A/B test tool) is hijacked at its CDN or at the vendor that publishes it. Every site embedding it inherits the skimmer.
  2. Direct injection into your CMS. An attacker with admin or FTP access edits a theme file or installs a malicious plugin. The skimmer is then inline in your own HTML and loads no separate script file.
  3. Hostile takeover of your CDN account. Less common but devastating: the attacker uploads a modified copy of your own JavaScript bundle, so the skimmer is served from your own domain and no new third party ever appears.

What detection looks like

You are looking for scripts that should not be there, and for scripts you know that have started doing things they should not. The useful signals:

  • A new external domain loading on the checkout page that was not loaded yesterday. Watch for lookalike names; skimmer hosts are frequently typosquats of analytics services or library CDNs.
  • A third-party <script> tag without an integrity attribute (Subresource Integrity). This is not evidence of a skimmer by itself, but it is the gap a CDN compromise walks through, because nothing pins what the browser will execute.
  • Any request that carries form values to a host other than your payment processor (Stripe, Braintree, PayPal): fetch(), XMLHttpRequest, navigator.sendBeacon(), or an <img> whose src is built at runtime. Analytics tags legitimately talk to third parties; the question is whether card data is in the request.
  • Event listeners on card fields (addEventListener('input', …) on <input name="cc-number"> or similar) or on the form's submit event, attached by a script that has no business reading those fields.

A 3-step manual check

  1. Open the checkout page in an incognito window. Open DevTools → Network. Filter by JS. Note every script domain. Then check Elements or View Source for inline <script> blocks as well: a skimmer pasted into a theme file makes no separate script request, only its exfiltration does.
  2. Repeat tomorrow. If a new domain has appeared, investigate. Legitimate updates rarely add new third parties without a release announcement.
  3. Audit your <script> tags for SRI. Every third-party script you can pin should carry integrity="sha384-..." together with crossorigin="anonymous"; without the crossorigin attribute the browser cannot hash a cross-origin response and blocks the load. SRI only works for a fixed build of a file, so self-updating tags cannot be pinned; self-host those you can and monitor the rest. Without SRI, a hijacked CDN means a hijacked checkout.

Automated detection

The manual check above works for one site. If you run multiple stores, automated monitoring is the only practical approach:

  • Snapshot the checkout page DOM daily, and save the body of every external script alongside it.
  • Compare the hashes of every external script and every inline script against the previous snapshot.
  • Alert on any new domain, any modified script body, and any new listener attached to card fields (a headless browser can record these by wrapping addEventListener before the page's own scripts run).

This is exactly what NoDowntimeShield's Magecart module does. We render your checkout in a headless browser, fingerprint every script, and alert you within minutes when something changes — long before the first stolen card surfaces.

What to do if you find one

  1. Take the checkout offline. Replace it with a "we'll be back in 30 minutes" page. A skimmer that is still loading is still stealing cards.
  2. Preserve evidence, then find the entry point. Save a copy of the injected script and note the exfiltration domain before you change anything; you will need both for your acquirer and for blocking. Then ask which file was modified or which CDN was tampered with: check git history, FTP and admin logs, plugin install dates, and the modification times of theme files.
  3. Rotate every credential that could have been exposed: admin passwords, FTP and SSH keys, CDN and hosting API keys, payment processor API keys and webhook signing secrets.
  4. Notify your acquirer promptly. The card brands set their own incident-reporting deadlines, which your acquirer agreement spells out; PCI DSS requires you to maintain an incident response plan but does not itself set a notification clock. If cardholders are in the EU, the GDPR adds a 72-hour deadline for notifying the supervisory authority.
  5. Restore from a backup taken before the compromise and close the entry point from step 2 before going back online. Do not "remove the skimmer and hope": the attacker has likely planted persistence elsewhere, and an unpatched entry point will simply be used again.

Magecart is detectable, and with SRI, a tight CSP and change monitoring it is largely preventable. The cost of a single stolen-card incident dwarfs the cost of monitoring. Start there.