Headline
Widespread Magecart Campaign Targets Users of All Major Credit Cards
Researchers at Silent Push have exposed a global Magecart campaign stealing credit card data since 2022. Learn how this invisible web-skimming attack targets major networks like Mastercard and Amex, and how to stay safe.
If you’ve recently used a credit card to shop online, you may have been the target of a massive, hidden cyberattack. Security researchers at Silent Push have identified an extensive network of malicious domains dedicated to Magecart, a term used to describe a specific type of online credit card theft and the various groups that carry it out.
In a report shared with Hackread.com, the team revealed that this specific campaign has been operating secretly since at least January 2022, and the scope of the attack is disturbingly wide, targeting customers using nearly every major payment network, including Mastercard, American Express, Discover, Diners Club, JCB, and UnionPay.
****A Trap Hidden in Plain Sight****
What makes this network so dangerous is its ability to blend in. The attackers host their scripts on domains that sound harmless. Such as a particular site cdn-cookie.com was found on servers belonging to PQ.Hosting (aka Stark Industries), a company currently facing European sanctions.
According to Silent Push researchers, the code is smart enough to hide from the people who actually run the stores. If the script detects a WordPress Admin Bar, which is the toolbar that appears when a site owner is logged in, it instantly deletes itself to avoid being caught.
“This is done to evade the prying eyes of website administrators, increasing the chance of the malware’s survival,” researchers noted in the blog post published on 13 January, 2026.
Researchers found a compromised site colunexshop(.)com with a malicious file callout on its checkout page (Source: Silent Push)
****The Double-Entry Trick****
The core of this scam is based on psychological deception. When a regular shopper goes to pay, the malware hides the real payment box and replaces it with a fake one that looks identical. It even recognises which card you are using, such as if you type a Mastercard number, a small Mastercard logo pops up to make the form look official.
Once you click ‘Place Order,’ the hackers grab your name, address, and card digits. To keep you from getting suspicious, the script quickly brings back the real payment form and shows an error message. Most people assume they just made a typo, re-enter their info into the real form, and the sale goes through. As we know it, you get your package, but the thieves already have your data.
Attack process (Source: Silent Push)
****How to Protect Yourself****
It is worth noting that because this happens inside your own web browser, it is nearly impossible for a normal user to see. However, there are small red flags, like if a site suddenly asks you to re-enter your payment info after an odd error, or if the form looks slightly different the second time, it could be a sign of a skimmer.
Silent Push suggests that store owners must stay one step ahead by strictly controlling what scripts are allowed to run on their pages. For the rest of us, keeping a close eye on bank statements remains the best defence against these invisible skimmers.