Online tuxedo retailer compromised by Magecart theft group

A script associated with the Magecart credit card theft group was found on the online tuxedo retailer  The script found within the compromised site’s shopping cart is used to load externally hosted JavaScript from which performs the credit card data theft.

Shown above: Injected script found on Tuxedosonline’s site index page and again on the shopping cart checkout page which loads a JavaScript from

The externally hosted script performs Magecart’s main data theft function and is obfuscated, with a large portion of it hex encoded.

Shown above: Obfuscated script “acp-magento.js” found on domain

Decoding this script reveals the following:

Shown above: De-obfuscated script used to skim credit card information pointing to the domain This form looks for specific input fields and captures the data, submitting it over HTTPS via a POST request to the URL


Shown above: Credit card information being posted to over HTTPS
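Two checks a defender can run against the pattern described above, flagging script tags on a checkout page that load from hosts outside the shop's own allowlist and decoding hex-escaped strings so the exfiltration URL and targeted field names become readable. This is an added Python example, not code from the original post or the compromised site; ALLOWED_SCRIPT_HOSTS, the sample checkout HTML and the sample obfuscated snippet are constructed stand-ins.

```python
"""Added defender-side triage helpers for the skimmer pattern described above;
not code from the compromised site or the original post. Constructed assumptions:
ALLOWED_SCRIPT_HOSTS is the shop's first-party allowlist; SAMPLE_* are stand-ins."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructed checkout page: one script tag loads from a host that is not first-party.
SAMPLE_CHECKOUT_HTML = """<html><head><script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/jquery.js"></script>
<script src="//static-collector.invalid/acp-magento.js"></script></head></html>"""

# Constructed stand-in for hex-escaped skimmer strings (an https URL and a field name).
SAMPLE_OBFUSCATED_JS = (
    'var u="\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2fcollector.invalid/post";'
    'var f=["\\x63\\x63\\x5f\\x6e\\x75\\x6d\\x62\\x65\\x72","cc_cid"];'
)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]


def find_unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts of externally loaded scripts that are not on the allowlist.
    Relative srcs have no host and count as first-party."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    hosts = {urlparse(src).hostname for src in collector.srcs}
    return sorted(h.lower() for h in hosts if h and h.lower() not in allowed)


def decode_hex_escapes(js):
    """Replace \\xNN escapes with the characters they encode."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)


def extract_urls(js):
    """http(s) URLs that become readable after decoding, e.g. the POST endpoint."""
    return re.findall(r"https?://[^\s'\"<>]+", decode_hex_escapes(js))
```

Run the host check over the live checkout and index pages on a schedule; a new host appearing in the result is the kind of change the injection above would have produced.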


INDICATORS OF COMPROMISE:
– Domain hosted by credit card theft group
– POST /checkout/onepage/
– Domain hosted by credit card theft group

acp-magento.js – Obfuscated JavaScript used to skim credit card data
SHA-256: 3f2195f8b6fb68ca95164cc0a38d0062c0a527d855eaf035127a10bb0303eccb