Magecart Appears to Have Targeted Another Online Retailer

Sueno, a UK-based eCommerce retailer focused on luxury beds, furniture, and mattresses, appears to be the latest victim of the Magecart theft group.

Information about the Magecart group can be found in blog posts by RiskIQ and Volexity.

Numerous tips and open source intelligence have revealed the Sueno site as compromised by Magecart. A script within the site's shopping cart is used to load externally hosted JavaScript from which performs the data theft.

Shown above: Injected script found at associated with Sueno’s checkout page which loads a script from

This domain is currently hosted in Russia on the IP address

Shown above: Records show the domain was registered as recently as September 06th 2018

The externally hosted script performs Magecart's main function and is obfuscated, with the larger portion of it hex-encoded.

Shown above: Obfuscated script “mage.js” found on domain

Decoding this script reveals the following:

Shown above: De-obfuscated script used to skim credit card information pointing to

This form looks for specific input fields and captures the data, submitting it over HTTPS via a POST request to the URL

Shown above: Credit card information being posted to


Shown above: Raw packet capture shows credit card transmitted to with referring traffic.
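
The hex-encoded obfuscation described above can be reversed statically, without running the script. The following is an added example, not code from the original post or from the skimmer itself: it decodes the `\xNN` string literals in a constructed sample and reports the decoded strings, any URLs among them, and how much of the file is hex escapes. The host `skimmer.example`, the field name `cc_number` and all function names are assumptions made for illustration.

```javascript
// Static triage of hex-escaped string literals in obfuscated JavaScript.
// Nothing from the sample is evaluated; escapes are rewritten as text only.

// Constructed helper: hex-escapes a string so the sample below is built inline.
const hexEscape = (s) =>
  [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");

// Constructed sample, NOT the real mage.js. skimmer.example and cc_number are
// placeholders; only the /mage/mail2.php path is taken from the page.
const SAMPLE =
  'var _0x3f=["' +
  ["https://skimmer.example/mage/mail2.php", "POST", "input", "cc_number", "length"]
    .map(hexEscape)
    .join('","') +
  '"];var x=new XMLHttpRequest();x[_0x3f[4]];';

// Turn \xNN and \uNNNN escapes back into the characters they encode.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g, (_, x, u) =>
    String.fromCharCode(parseInt(x || u, 16))
  );
}

// Pull out quoted literals first, then decode each one, so a decoded quote or
// backslash cannot change where a literal ends.
function extractStrings(src) {
  const literal = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  return [...src.matchAll(literal)].map((m) => decodeEscapes(m[1] ?? m[2]));
}

// Summarise what an analyst checks first: decoded strings, any URLs among them,
// and how much of the file consists of \xNN escapes (each is 4 characters).
function triage(src) {
  const strings = extractStrings(src);
  const escapes = (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  return {
    strings,
    urls: strings.filter((s) => /^(https?:)?\/\//i.test(s)),
    hexRatio: src.length ? (escapes * 4) / src.length : 0,
  };
}

console.log(triage(SAMPLE));
```

A high `hexRatio` on a script loaded by a checkout page is a reason to review it, not proof of compromise, since legitimate minifiers and packers also emit escaped strings.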



Indicators of Compromise:

mage.js – Obfuscated JavaScript used to skim credit card data
SHA-256: 02f6d828a4909b11f8c139055d09a48e52243c147efa542942b7cbd3b79c5fe6
VirusTotal Link
POST /mage/mail2.php
– Domain hosted by credit card theft group
– Domain hosted by credit card theft group