Magecart Skimmers Found on Salesforce’s Heroku Platform

Magecart started as the name given to a single criminal gang operating a software skimming attack targeting payment card data on web sites. The process proved so successful that other gangs began to use the same approach. 

Magecart is now the generic term for the attack rather than the name of a gang. It is believed that there are a dozen or more gangs operating the Magecart style of attack — some of them being long-standing and known gangs.

A primary advantage of Magecart attacks over enterprise breach and card database theft is that it captures the relevant data unencrypted, and includes the CVV number. The stolen data is immediately usable for online bank fraud.

At the same time as Magecart has expanded, the practice for criminals to use legitimate online services to host their infrastructure has also grown. It is a form of hiding in plain sight that is easy to set up and move around, and inexpensive if not free. Criminal use of cloud services is mirroring the legitimate use of cloud, and is likely to continue, if not grow.

Researchers at Malwarebytes have already discovered examples of Magecart actors abusing GitHub to serve a web skimmer (April 2019), and a campaign injecting skimming code into AWS S3 buckets (June 2019). Now they have found what they describe as ‘a rash of skimmers’ on Heroku.

Heroku is a container-based managed Platform-as-a-Service (PaaS) owned by Salesforce. It allows developers to deploy, manage and scale their apps without needing to maintain their own infrastructure, and offers a free-to-use starter tier. “Threat actors,” say the researchers, “are leveraging the service to host their skimmer infrastructure but also to collect stolen credit card data.” They are registering free accounts to host their skimming business.

The skimming software has three components: the core skimmer, which is injected into merchant sites, detects the checkout URL and loads the next component; a malicious iFrame that overlays the payment form and harvests the bank card details; and an exfiltration mechanism that encodes the stolen data and sends it back to Heroku.

The core skimmer monitors the current page and loads the iFrame when the URL contains the Base64-encoded string Y2hlY2tvdXQ= (which decodes to “checkout”). The iFrame overlays the standard payment form and appears identical to it because it uses the same CSS style sheet.

The captured data is then exfiltrated, and victims receive an error message: ‘Unexpected error. Please reload the page and try again.’ This allows the victims to continue with their genuine purchase without any indication of a problem or theft of their card details.
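As an added defensive example (not code from the article or from Malwarebytes), the scanner below decodes quoted Base64 literals found in a page script and flags any that hide checkout or payment keywords, the way the Y2hlY2tvdXQ= trigger described above does; the script fragment it runs against is constructed for illustration.

```python
import base64
import re

# Constructed sample modelled on the article's description, not real skimmer code.
# The only page-derived indicator is "Y2hlY2tvdXQ=", Base64 for "checkout".
SAMPLE_SCRIPT = """
var p = window.location.href;
if (p.indexOf(atob("Y2hlY2tvdXQ=")) !== -1) { loadOverlay(); }
var greeting = atob("aGVsbG8=");
"""

# Words a legitimate page script rarely needs to hide inside a Base64 literal.
SUSPICIOUS_WORDS = ("checkout", "payment", "billing", "card", "cvv")

# Quoted string made only of Base64 characters; validity is checked on decode.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{4,}={0,2})["\']')


def decode_literals(script: str) -> list[tuple[str, str]]:
    """Return (literal, decoded) pairs for every quoted literal that is valid
    Base64 and decodes to printable ASCII text."""
    found = []
    for m in B64_LITERAL.finditer(script):
        literal = m.group(1)
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64 text, e.g. a plain word like "checkout"
        if decoded.isprintable():
            found.append((literal, decoded))
    return found


def find_hidden_keywords(script: str) -> list[tuple[str, str]]:
    """Return only the decoded literals that contain a checkout/payment keyword,
    i.e. the candidates worth a manual review of the script."""
    return [(lit, dec) for lit, dec in decode_literals(script)
            if any(w in dec.lower() for w in SUSPICIOUS_WORDS)]


if __name__ == "__main__":
    for literal, decoded in find_hidden_keywords(SAMPLE_SCRIPT):
        print(f"hidden keyword: {literal!r} decodes to {decoded!r}")
```

Run it over the scripts served by a storefront (or over a saved copy of a page) to surface obfuscated checkout triggers; a hit is a lead for review, not proof of compromise.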

The Malwarebytes researchers found several skimmers on Heroku. All used the same naming convention for their script, and all became active within the past week — indicating either the same gang or a similar source for the code. They seemed to be targeting Cyber Monday and the end of year buying season.

Malwarebytes reported its findings to the Salesforce Abuse Operations team, and the skimmer accounts have already been taken down. The nature of using legitimate services and the advantage to the criminals is that the operation can easily be moved to an alternative service. It becomes another game of whack-a-mole between the researcher and the criminals.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
