Online shopping feels familiar and fast, but a hidden threat continues to operate behind the scenes. 

Researchers are tracking a long-running web skimming campaign that targets businesses connected to major payment networks. Web skimming is a technique where criminals secretly add malicious code to checkout pages so they can steal payment details as shoppers type them in. 

These attacks work quietly inside the browser and often leave no obvious signs. Most victims only discover the problem after unauthorized charges appear on their statements.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

WHATSAPP WEB MALWARE SPREADS BANKING TROJAN AUTOMATICALLY

What Magecart is and why it matters

Magecart is the name researchers use for groups that specialize in web-skimming attacks. These attacks focus on online stores where shoppers enter payment details during checkout. Instead of hacking banks or card networks directly, attackers slip malicious code into a store’s checkout page. That code is written in JavaScript, which is a common type of website code used to make pages interactive. Legitimate sites use it for things like forms, buttons and payment processing.

In Magecart attacks, criminals abuse that same code to secretly copy card numbers, expiration dates, security codes and billing details as shoppers type them in. The checkout still works, and the purchase goes through, so there is no obvious warning sign. Magecart originally described attacks against Magento-based online stores. Today, the term applies to web-skimming campaigns across many e-commerce platforms and payment systems.

Which payment providers are being targeted?

Researchers say this campaign targets merchants tied to several major payment networks, including:

• American Express
• Diners Club
• Discover, a subsidiary of Capital One
• JCB Co., Ltd.
• Mastercard
• UnionPay

Large enterprises that rely on these payment providers face a higher risk due to complex websites and third-party integrations.

700CREDIT DATA BREACH EXPOSES SSNS OF 5.8M CONSUMERS

How attackers slip skimmers into checkout pages

Attackers usually enter through weak points that are easy to overlook. Common entry paths include vulnerable third-party scripts, outdated plugins and unpatched content management systems. Once inside, they inject JavaScript directly into the checkout flow. The skimmer monitors form fields tied to card data and personal details, then quietly sends that information to attacker-controlled servers.

Why web skimming attacks are hard to detect

To avoid detection, the malicious JavaScript is heavily obfuscated. Some versions can remove themselves when they detect an admin session, which makes inspections appear clean. Researchers also found the campaign uses bulletproof hosting. These hosting providers ignore abuse reports and takedown requests, giving attackers a stable environment to operate. Because web skimmers run inside the browser, they can bypass many server-side fraud controls used by merchants and payment providers.

Who Magecart web skimming attacks affect most

Magecart campaigns impact three groups at the same time:

• Shoppers who unknowingly give up card data
• Merchants whose checkout pages are compromised
• Payment providers that detect fraud after the damage is done

This shared exposure makes detection slower and response more difficult.

NEW MALWARE CAN READ YOUR CHATS AND STEAL YOUR MONEY

How to stay safe as a shopper

While shoppers cannot fix compromised checkout pages, a few smart habits can reduce exposure, limit how stolen data is used, and help catch fraud faster.

1) Use virtual or single-use cards

Virtual and single-use cards are digital card numbers that link to your real credit or debit account without exposing the actual number. They work like a normal card at checkout, but add an extra layer of protection. Most people already have access to them through services they use every day, including:

Major banks and credit card issuers that offer virtual card numbers inside their apps

Mobile wallet apps like Apple Pay and Google Pay generate temporary card numbers for online purchases, keeping your real card number hidden.

Some payment apps and browser tools that create one-time or merchant-locked card numbers

A single-use card typically works for one purchase or expires shortly after use. A virtual card can stay active for one store and be paused or deleted later. If a web skimming attack captures one of these numbers, attackers usually cannot reuse it elsewhere or run up repeat charges, which limits financial damage and makes fraud easier to stop.

2) Turn on transaction alerts

Transaction alerts notify you the moment your card is used, even for small purchases. If web skimming leads to fraud, these alerts can expose unauthorized charges quickly and give you a chance to freeze the card before losses grow. For example, a $2 test charge on your card can signal fraud before larger purchases appear.

3) Lock down financial accounts

Use strong, unique passwords for banking and card portals to reduce the risk of account takeover. A password manager helps generate and store them securely.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

4) Install strong antivirus software

Strong antivirus software can block connections to malicious domains used to collect skimmed data and warn you about unsafe websites.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

5) Use a data removal service

Data removal services can reduce how much personal information is exposed online, making it harder for criminals to pair stolen card data with full identity details.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

6) Watch for unexpected card activity

Review statements regularly, even for small charges, since attackers often test stolen cards with low-value transactions.

Kurt’s key takeaways

Magecart web skimming shows how attackers can exploit trusted checkout pages without disrupting the shopping experience. While consumers cannot fix compromised sites, simple safeguards can reduce risk and help catch fraud early. Online payments rely on trust, but this campaign shows why that trust should always be paired with caution.

Does knowing how web skimming works make you rethink how safe online checkout really is?  Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All rights reserved.

Around 800 artists, writers, actors, and musicians signed on to a new campaign against what they call “theft at a grand scale” by AI companies. The signatories of the campaign — called “Stealing Isn’t Innovation” — include authors George Saunders and Jodi Picoult, actors Cate Blanchett and Scarlett Johansson, and musicians like the band R.E.M., Billy Corgan, and The Roots.

“Driven by fierce competition for leadership in the new GenAI technology, profit-hungry technology companies, including those among the richest in the world as well as private equity-backed ventures, have copied a massive amount of creative content online without authorization or payment to those who created it,” a press release reads. “This illegal intellectual property grab fosters an information ecosystem dominated by misinformation, deepfakes, and a vapid artificial avalanche of low-quality materials [‘AI slop’], risking AI model collapse and directly threatening America’s AI superiority and international competitiveness.”

The advocacy effort is from the Human Artistry Campaign, a group of organizations including the Recording Industry Association of America (RIAA), professional sports players unions, and performers unions like SAG-AFTRA. The Stealing Isn’t Innovation campaign messages will appear in full-page ads in news outlets and on social media. Specifically, the campaign calls for licensing agreements and “a healthy enforcement environment,” along with the right for artists to opt out of their work being used to train generative AI.

On the federal level, President Donald Trump and his tech industry allies have been attempting to control how states regulate AI and punish those that try. At the industry level, tech companies and rights owners who were once on opposing sides are increasingly cutting licensing deals that allow AI companies to use protected work — licensing content appears to be a solution both parties can live with, at least for now. Major record labels, for example, have now partnered with AI music startups to provide their catalogues for AI remixing and model training. Digital publishers, some of which have sued AI companies training on their work, have backed a licensing standard that outlets can use to block their content from surfacing in AI search results. Some outlets have signed individual deals with tech companies that allow AI chatbots to surface news content (Disclosure: Vox Media, The Verge’s parent company, has a licensing deal with OpenAI.)