Skip to main content
Blog
Blog Attacks

How to Detect Magecart in Real Time, Not After the Breach

Periodic scanners miss conditional skimmers. Runtime browser monitoring catches Magecart the moment a script hooks a form or opens an exfil endpoint.

Jul 11, 2026 6 min read
How to Detect Magecart in Real Time, Not After the Breach

To detect Magecart in real time, watch scripts as they execute in real shopper sessions and alert the moment one hooks a form field, attaches to the submit button, or opens an outbound destination that was not in the page's baseline. A periodic outside-in scan only tells you what the page returned to a scanner, at a scan location, during a scan window. Modern skimmers are built to avoid exactly that.

The timing gap is the whole problem. A scanner runs every few hours or once a day from a fixed crawler. A skimmer runs in the one session it cares about: a real card holder, in a targeted region, on a targeted device, at checkout. cside closes that gap by observing the same sessions the attacker targets and capturing what each script does at runtime, so a malicious change surfaces while exposure is live, not after a card network forensics report lands.

Why scanners miss conditional skimmers

Magecart payloads increasingly carry guard logic. They decide whether to activate before they steal anything, which means a clean fetch proves nothing.

Common evasion conditions that defeat outside-in scanning:

  1. Geo-targeting: the payload activates only for IPs in specific countries and serves benign code elsewhere. A scanner crawling from a datacenter region outside the target never trips it.
  2. Device and UA gating: the skimmer runs only on real mobile or desktop browser profiles and suppresses itself for headless or crawler signatures.
  3. Time-windowing: activation is limited to certain hours, so a scan that runs at the wrong time sees nothing.
  4. Session-state gating: the code waits for a populated cart or a checkout route before it arms, which a synthetic scan that loads one URL never reaches.
  5. Anti-automation checks: the payload inspects for navigator.webdriver, missing input timing, or absent pointer events and stays dormant when it detects an automated session.

Each condition is a filter that excludes scanners by design. The attacker does not need to defeat your monitoring tool's signature; they only need to recognize that the visitor is not a paying customer in the target segment. That is far easier, and a static snapshot of the file cannot capture a decision the code makes at execution time.

What runtime monitoring sees that a scan never will

Outside-in scanning compares file contents or hashes. Runtime monitoring observes behavior in a live browser, which is a different and larger surface.

SignalPeriodic outside-in scanRuntime browser monitoring
Conditional payload that hides from crawlersSees benign versionSees the version served to the real targeted session
DOM / form-field reads on card and login inputsNot observedObserved as the script accesses the field
Event hooks on submit, keydown, or changeNot observedCaptured when the listener attaches
New outbound exfil endpoint at pay-clickMissed unless captured mid-requestFlagged against the page's destination baseline
Compromise of an already-allowed vendor originHash/origin still look authorizedBehavior change flags it regardless of origin
Obfuscated payload assembled at runtimeStatic file looks inertVisible once it executes and acts

The behaviors that matter in a digital skimmer are not in the file at rest. They happen when the script runs: it reaches into the DOM, reads value off the card-number input, registers a handler on the form's submit event, then assembles a payload and ships it with fetch, XMLHttpRequest, or navigator.sendBeacon to a look-alike domain at the instant the user clicks pay. Watching execution is the only vantage point that sees that sequence.

The hardest case for hash-based tooling is the supply-chain compromise. A trusted vendor script gets a new, legitimate-looking version from an authorized CDN origin. The hash is new but valid; the origin is on your allowlist. Nothing about the file or its source looks wrong. What looks wrong is the behavior: a script that previously rendered a widget now reads a payment field and posts to a destination it never contacted before. Runtime monitoring baselines what each script does, so a behavioral change trips even when the origin and signature stay inside policy.

An operating plan for real-time detection

The objective is to shorten the interval between malicious change and containment, and to keep evidence that survives a forensic review.

  1. Monitor production from real shopper sessions, across product, cart, and checkout, not only the payment step, and not from a synthetic crawler.
  2. Baseline every script's behavior: which DOM nodes it reads, which form fields it touches, which destinations it contacts. Deviation from that baseline is your primary signal.
  3. Alert on new exfil destinations the moment a script contacts a domain absent from the page's established destination set.
  4. Alert on new form hooks: a listener attaching to a payment or credential field, or to the submit button, on a script that never did so before.
  5. Capture the readable payload and per-session timestamps so you can reconstruct what ran, in which sessions, and what data was in scope.
  6. Route high-severity behavioral alerts straight to incident response with the script identity, the affected pages, and the destination already attached.

Steps 2 through 4 are what convert raw runtime visibility into something an analyst can act on in minutes instead of reverse-engineering obfuscated JavaScript after the fact.

How cside fits

cside instruments real shopper sessions and watches third-party and first-party scripts as they execute. It captures the runtime behavior a scanner cannot reach: form-field access, event-listener hooks on payment and login inputs, and outbound requests to destinations outside the page's baseline. Because detection runs in the same sessions the attacker targets, a conditional skimmer that hides from crawlers still surfaces the moment it acts on a real visitor.

When a script's behavior deviates, cside flags what changed, where it ran, which fields it touched, and where data went, with per-session timestamps and the readable payload preserved for investigation. That gives the owner of the outcome the context to contain exposure while it is still live, and an evidence trail for the questions that follow. The same browser-layer telemetry feeds device and real-IP capture, AI-agent and automation detection, and proxy/VPN behavioral signals through the cside platform.

Further reading on cside

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

A scanner fetches the page from a fixed location on a fixed schedule. A conditional skimmer reads region, device, referrer, or time of day and serves clean code to anything that does not match its target profile. The scanner's IP, headers, and lack of a real checkout session rarely match, so it receives the benign version. The skimmer only activates for real shoppers in the targeted segment, which the scanner never becomes.

A previously quiet script starts reading payment or login form fields; an addEventListener hook attaches to the submit button or to keydown on a card field; a new outbound destination appears that was never in the page's baseline; or a script calls navigator.sendBeacon or a hidden image request right as the user clicks pay. Each of these is observable only while the code executes in a real browser, not in a static copy of the file.

No. CSP and runtime monitoring solve different halves of the problem. CSP can block an exfiltration request to an unlisted connect-src destination, but it does not tell you which script tried, what it read first, or whether a trusted vendor origin was compromised. Runtime monitoring supplies that behavioral context and catches skimmers that exfiltrate through an already-allowed origin. Run both.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo