Uncovering the Secret: How Hackers Conceal Credit Card Theft with Pixel-Large SVG Tricks
Hackers Conceal Credit Card Stealer in Pixel-Sized SVG Image
A significant cyber campaign affecting nearly 100 online stores utilizing the Magento e-commerce platform has been uncovered. The campaign involves concealing code designed to steal credit card information within a small Scalable Vector Graphics (SVG) image.
Upon clicking the checkout button, victims are presented with a convincing overlay that requests and validates card details and billing information.
The campaign was detected by Sansec, an eCommerce security company. Researchers at Sansec believe that the attacker likely exploited the PolyShell vulnerability, which was disclosed in mid-March, to gain access.
PolyShell affects all Magento Open Source and Adobe Commerce stable version 2 installations, enabling unauthenticated code execution and account takeover.
Sansec has cautioned that more than half of the vulnerable stores were targeted in PolyShell attacks. In some instances, attackers deployed payment card skimmers using WebRTC for discreet data exfiltration.
In the latest campaign, researchers found that the malware is injected as a 1×1-pixel SVG element with an ‘onload’ handler into the target website’s HTML.
Sansec explains, “The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout. This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.”
When unsuspecting buyers click checkout on compromised stores, a malicious script intercepts the click and displays a fake “Secure Checkout” overlay that includes card details fields and a billing form.
Payment data submitted on this page is validated in real time with the Luhn check and exfiltrated to the attacker in an XOR-encrypted, base64-obfuscated JSON format.

Source: Sansec
Sansec has identified six exfiltration domains, all hosted at IncogNet LLC (AS40663) in the Netherlands, each receiving data from 10 to 15 confirmed victims.
To defend against this campaign, Sansec recommends the following measures:
- Identify hidden SVG tags whose onload attribute calls atob(), and remove them from your site files
- Check for the existence of the _mgx_cv key in browser localStorage, as it indicates potential theft of payment data
- Monitor and block requests to /fb_metrics.php or any unfamiliar analytics-like domains
- Block all traffic to the IP address 23.137.249.67 and associated domains
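The first recommendation above can be turned into a scan of the store's HTML and template files. The scanner below is an added example for this article, not Sansec's own tooling: it flags every `<svg>` whose `onload` handler calls `atob()`, and notes whether the handler also uses `setTimeout()` and whether the element is 1×1 pixel, the combination the campaign is described as using. The sample HTML is constructed, and its base64 decodes to a harmless `console.log`, not a skimmer.

```python
import re
from html.parser import HTMLParser

# Signals from the technique described above: an <svg> whose onload handler
# decodes a base64 payload with atob() and runs it via setTimeout. Scanner is
# an added example, not Sansec's tooling; SAMPLE_HTML is constructed.
ATOB_RE = re.compile(r"\batob\s*\(")
SETTIMEOUT_RE = re.compile(r"\bsetTimeout\s*\(")

def _is_tiny(value):
    """True when a width/height attribute is 1 (px) or smaller."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)", value or "")
    return m is not None and float(m.group(1)) <= 1

class SvgOnloadScanner(HTMLParser):
    """Records <svg> elements whose onload handler looks like an inline loader."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        onload = a.get("onload", "")
        if not ATOB_RE.search(onload):      # inline decoder is the key signal
            return
        reasons = ["atob()"]
        if SETTIMEOUT_RE.search(onload):
            reasons.append("setTimeout()")
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 pixel")
        self.findings.append({"line": self.getpos()[0], "reasons": reasons,
                              "handler_length": len(onload)})

def scan_html(html):
    """Return findings for every suspicious <svg onload> in the HTML text."""
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a benign svg with an onload, then one matching the pattern
# (the base64 here decodes to a harmless console.log, not a skimmer).
SAMPLE_HTML = """<html><body>
<svg width="24" height="24" onload="this.style.opacity=1"></svg>
<svg width="1" height="1" onload="setTimeout(atob('Y29uc29sZS5sb2coJ3NhbXBsZScp'))"></svg>
</body></html>"""
```

Run `scan_html()` over each `.html` and `.phtml` file under the Magento document root; a hit with all three reasons is worth treating as a compromise indicator rather than a false positive.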
As of now, Adobe has yet to release a security update addressing the PolyShell flaw in production versions of Magento. The fix is currently available in the pre-release version 2.4.9-alpha3+.
Furthermore, Adobe has not responded to inquiries regarding this matter.
Website owners and administrators are advised to implement all available mitigations and, if feasible, upgrade Magento to the latest beta release.