Client-side Magecart attacks still around, but more covert

Keypoints

• Magecart client-side attacks persist, and visibility can drop if operations shift server-side, making cleanup and detection more challenging.
• New anti-VM skimmer domains (js.staticounter.net and scanalytic.org) are linked by ASN AS29182, and both shed VM-detection code in newer samples.
• Important input field names have shifted from explicit labels (e.g., CcNumber) to generic web terms, reducing obvious data capture signals.
• urlscan.io-based investigation reveals extensive infrastructure (hostnames and IPs) tied to the campaign, and sandbox detection may explain incomplete sandbox data.
• Attack activity can be validated by replaying with real IPs to demonstrate malicious behavior beyond crawler results.
• There is a historical link to prior skimmer activity dating back to May 2020, suggesting a continued, interconnected campaign.
• Overall skimming appears to be less active recently, with WordPress/WooCommerce seeing more attacks than Magento; client-side visibility limits understanding of server-side activity.