Magento store with 8M TL monthly revenue · Magecart skimmer · 840 cards leaked in 14 days
A Magecart skimmer was added to the checkout.js of a Magento store with 8M TL in monthly revenue 14 days earlier. 840 cards had flowed to a Latvian C2. DSET cleaned it in 4 hours; after the PCI-DSS notification + coordination with banks + a DSET pentest a PCI-DSS Level 1 certificate was obtained, with 18 months of clean operation.
01 The Challenge
A customer complained: "my card details were leaked." checkout.js git diff: 12 lines of JavaScript added 14 days earlier. The Magento admin password had been changed 14 days earlier from "admin123" to "Admin2024!" (still weak). The skimmer payload base64-encoded the form fields and POSTed them to latvia-c2[.]xyz/api. Visa Fraud Detection confirmed 47 frauds.
02 DSET's Approach
T+0 · Immediate cleanup
The skimmer was removed, all Magento admin passwords reset, MFA enforced, the Cloudflare WAF outbound "latvia-c2.xyz" blocked.
T+72h · DSET forensic investigation
Web server access log: attacker IP a Latvian VPN, a CVE-2024-34102 (Magento XXE→RCE) exploit pattern. 840 cards leaked (14 days × 60/day).
T+1 week · PCI-DSS notification
Mandatory PCI-DSS Level 1 notification. SMS + e-mail to 840 customers. Banks started card cancellation processes (Visa fraud reimbursement 85%).