French Designer Clothing Line “A.P.C” compromised by MageCart Credit Card Theft Group

This blog post was submitted by @MeltX0R, a security researcher.

ASSOCIATED DOMAINS:
– Compromised Website
– MageCart owned domain serving Malicious JavaScript
– MageCart owned domain used for Data Exfil
– MageCart owned domain used for Data Exfil
– MageCart owned domain used for Data Exfil
– MageCart owned domain used for Data Exfil



Shown above: Example of network traffic generated by a user visiting the compromised website and having their personal information sniffed by MageCart injected JavaScript code.


On 10/15/2018, injected JavaScript code consistent with the MageCart credit card theft group was identified on the website of the French designer clothing line “A.P.C” (which stands for Atelier de Production et de Création). The company is known for its minimalist designs and has stores worldwide (including the United States, Belgium, Germany, Japan, Australia, and England).

The malicious JavaScript code can be found on both the checkout page and the home page. Note that this only affects the US version of the website – appears to be unaffected by MageCart attacks at this time.

Shown above: Injected JavaScript code found on the Checkout and Homepage for, which loads additional JavaScript code from “”.

The above JavaScript code will then cause additional external JavaScript code to be loaded in the user’s browser from the URL “”. This code is responsible for sniffing the user input from the Checkout form, and then will POST the sniffed user data to a different external domain upon submission of the Checkout form to the legitimate website. Interestingly, the filename for the malicious JavaScript on the external domain appears to be named after the compromised website (apcstore), suggesting this compromise was more of a targeted attack, rather than a “spray and pray” style of attack.

Shown above: Obfuscated JavaScript code served from the URL “”.


Shown above: Checkout form information being transmitted to the URL “”. Note that because the externally hosted JavaScript code is pulled every time the user visits the page, it appears that the actors interchange several versions at random, each of which contains a different exfiltration domain.
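Because each page load can pull a skimmer variant with a different exfiltration domain, a domain blocklist lags behind, while the behaviour in the traffic stays the same. The following is an added example, not part of the original post: it scans proxy log lines for scripts fetched from unapproved hosts and for cross-origin POSTs whose Referer is a store page. The log format, host names and allowlists are constructed assumptions.

```python
from urllib.parse import urlparse

STORE_HOSTS = {"shop.example"}                          # assumption: the store's own origin(s)
ALLOWED_THIRD_PARTIES = {"cdn.example", "pay.example"}  # assumption: vetted script/payment hosts
POST_KIND = "cross-origin POST from store page (possible form exfiltration)"
SCRIPT_KIND = "script loaded from unapproved host"

# Constructed proxy log: time, method, URL, Referer, response content type.
SAMPLE_LOG = """\
12:00:01 GET https://shop.example/checkout/ - text/html
12:00:02 GET https://cdn.example/jquery.min.js https://shop.example/checkout/ application/javascript
12:00:02 GET https://static.skimmer.invalid/examplestore.js https://shop.example/checkout/ application/javascript
12:00:40 POST https://shop.example/checkout/submit https://shop.example/checkout/ text/html
12:00:40 POST https://collect-a.invalid/collect https://shop.example/checkout/ text/html
12:05:40 POST https://collect-b.invalid/collect https://shop.example/checkout/ text/html
"""

def host_of(url):
    """Lower-cased host of a URL, or "" when the field is empty or '-'."""
    return (urlparse(url).hostname or "").lower()

def find_skimmer_traffic(log_text):
    """Flag off-allowlist script loads and POSTs whose Referer is a store page."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at fields
        when, method, url, referer, ctype = parts
        dest = host_of(url)
        if host_of(referer) not in STORE_HOSTS:
            continue  # only traffic initiated from the store's pages
        if dest in STORE_HOSTS or dest in ALLOWED_THIRD_PARTIES:
            continue  # first-party or vetted destination
        if method == "POST":
            findings.append((when, POST_KIND, dest))
        elif "javascript" in ctype:
            findings.append((when, SCRIPT_KIND, dest))
    return findings

def unapproved_hosts(findings):
    """Group by behaviour, so rotating exfil domains land in one bucket."""
    grouped = {}
    for _, kind, dest in findings:
        grouped.setdefault(kind, set()).add(dest)
    return grouped
```

The check matches on the Referer host rather than the full checkout path, since a Referrer-Policy can trim the Referer to its origin; where the header is dropped entirely, this signal is unavailable and the script-load finding has to carry the detection.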

Attempts to notify A.P.C of the compromise were made via phone and email; however, we have yet to hear back. As of 10/16/2018, the code is still active on the website.

As of 10/18/2018, the malicious script is no longer being loaded.


APCStore.js – Obfuscated JavaScript code used to skim Checkout form data (credit card, address, and other PII)
MD5: acb68f94feb101c7462e14b5455aa838