Its overall attack process has become very sophisticated, using a series of steps to hide its presence and deploying a variety of techniques to exfiltrate data.
One clever way for attackers to host their malware (and, sadly, not limited to just Magecart attacks) is to upload their code to an unused GitHub project. The criminals try to take ownership of the project and then publish a “new” version of the code that contains the malware. For the attackers, this has the direct benefit of quickly putting the malware into active use across thousands of websites. Security tools might not scan code from GitHub, so criminals can hide in plain sight and get away with the compromised project.
In at least the British Airways hack, Magecart tailored the attack to the specific system, according to various reports. The tailoring extended to how the airline’s payment pages were constructed, meaning that they were targeted specifically.