MagicCart Attack β€” Unprotected

No Block Rule

This page simulates an e-commerce checkout that has been injected with a MagicCart / Formjacking skimmer script. No Page Shield block rule is active, so the skimmer runs freely and intercepts card data on form submission.

Checkout

Loading skimmer…
πŸ“¦
Premium Widget Pro
Qty: 1
$49.99
Submit the form to see the skimmer in action.

πŸ•΅οΈ What's Happening

  1. 1 An attacker injected skimmer.js into the page (e.g., via a compromised tag manager, third-party widget, or supply-chain attack).
  2. 2 The skimmer hooks the payment form's submit event and silently copies all card fields.
  3. 3 Stolen data is exfiltrated to an attacker-controlled endpoint (simulated in console here).
  4. 4 The customer sees nothing unusual β€” the form appears to work normally.

⚠️ Risk Without Page Shield

  • β€’ Card data stolen in real-time from every customer
  • β€’ Attack is invisible to the end user
  • β€’ Server-side WAF sees nothing β€” the skimmer runs entirely client-side
  • β€’ CSP may not help if the script is injected from the same origin or an allowed origin
  • β€’ Average detection time without Page Shield: weeks to months
See this page WITH Page Shield protection β†’