SVG Images Become a Vehicle for Silent Data Theft
Security researchers have exposed a particularly cunning Magecart operation that is slipping past defenses by hiding credit card skimmers inside seemingly harmless SVG images. This campaign has already compromised close to one hundred online stores, all running on the popular Magento e-commerce platform. The discovery by threat intelligence firm Sansec reveals a significant evolution in how digital skimming gangs are adapting their tactics to avoid detection.
Exploiting Unpatched Vulnerabilities for Initial Access
The attackers are believed to have gained a foothold by exploiting a known but often unpatched Magento vulnerability, the PolyShell flaw. This security gap, which has lingered in outdated environments, provides the perfect entry point. It allows malicious actors to inject code directly into the store’s page templates, setting the stage for the skimmer’s deployment. Once inside, the real innovation begins not with a complex external script, but with a tiny, invisible graphic.
The Onload Trick That Bypasses Security Scanners
Traditional Magecart skimmers often load malicious JavaScript from external, attacker-controlled domains. Security tools are quite good at spotting these suspicious network requests. This new campaign takes a different path, embedding its entire payload directly within the HTML of the checkout page using an SVG element. The malicious code is base64-encoded and set to execute automatically via the SVG’s `onload` event handler.
Imagine a single, one-pixel-by-one-pixel image that is practically invisible to the shopper. When the checkout page loads, this tiny image triggers its hidden instructions. Because the payload is inline, residing within the page’s own code, it bypasses many security mechanisms that are specifically watching for external script files. It’s a clever bit of misdirection, turning a standard web feature into a weapon.
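A defender's starting point is to look at the page itself rather than at outbound requests. The scanner below, an added example that is not part of the Sansec report or any product, parses checkout HTML with Python's standard library, flags every inline `<svg>` carrying an `on*` handler attribute, decodes any `atob('...')` base64 literal in that handler, and checks the decoded text against indicators the article names (a capture-phase click listener, the `_mgx_cv` local storage key, the `fb_metrics.php` endpoint). The sample page and the payload string inside it are constructed for the test and only contain those indicator patterns; the regexes and the `tiny` 1x1 heuristic are my own choices.

```python
"""Flag inline <svg> elements with event-handler attributes and inspect any
base64 payload they decode.  Added detection example, not the report's code."""
import base64
import re
from html.parser import HTMLParser

# Matches the first atob('<base64>') literal inside a handler attribute.
B64_IN_ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

# Indicators taken from the campaign description; the patterns are assumptions.
INDICATORS = {
    "capture-phase click listener": re.compile(
        r"addEventListener\(\s*['\"]click['\"].*?,\s*true\s*\)", re.S),
    "_mgx_cv localStorage flag": re.compile(r"_mgx_cv"),
    "fb_metrics.php exfil endpoint": re.compile(r"fb_metrics\.php"),
}


def decode_atob_payload(handler_js):
    """Return the decoded text of the first atob('...') literal, or None."""
    m = B64_IN_ATOB.search(handler_js)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


class SvgHandlerScanner(HTMLParser):
    """Collect every <svg> start tag that carries an on* attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        attrs = dict(attrs)
        # A 1x1 graphic with a handler is the shape described in the write-up.
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        for name, value in attrs.items():
            if not name.startswith("on") or not value:
                continue
            decoded = decode_atob_payload(value)
            text = decoded if decoded is not None else value
            hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
            self.findings.append({
                "handler": name,
                "tiny": tiny,
                "base64_payload": decoded is not None,
                "indicators": hits,
            })


def scan_html(html):
    """Parse a page and return one finding per <svg> event handler."""
    scanner = SvgHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a benign icon, an SVG with a plain handler, and a
# 1x1 SVG whose onload decodes a base64 string.  The decoded string holds only
# the indicator patterns above; it is not the skimmer.
_CONSTRUCTED_PAYLOAD = (
    "document.addEventListener('click', function(e){"
    "localStorage.setItem('_mgx_cv','1');}, true);"
)
_B64 = base64.b64encode(_CONSTRUCTED_PAYLOAD.encode()).decode()
SAMPLE_HTML = f"""
<html><body>
<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>
<svg width="32" height="32" onload="init()"></svg>
<svg width="1" height="1" onload="eval(atob('{_B64}'))"></svg>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against a saved copy of the checkout page (for example the HTML returned to a synthetic monitoring client); any `<svg>` handler at all deserves a look on a payment page, and a finding with `tiny` and `base64_payload` both true is the exact shape this campaign uses.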
Intercepting the Checkout with a Fake Overlay
The skimmer’s operation is patient and precise. After loading, it doesn’t act immediately. Instead, it attaches an event listener set to `useCapture`, a technical detail that allows it to intercept user clicks before any legitimate site scripts can respond. When a customer clicks a button to proceed to checkout, the malware springs into action.
It blocks the normal page transition and instantly displays a convincing fake overlay labeled “Secure Checkout.” This overlay is designed to mimic the store’s legitimate payment form, complete with fields for card numbers, CVV codes, and expiration dates. The seamless appearance greatly increases the likelihood that a user will trust it and enter their sensitive information, all while believing they are interacting with the real store.
Obfuscation and Exfiltration: Hiding the Stolen Data
Once the victim submits their payment details into the fake form, the skimmer doesn’t send them off in plain text. First, it obfuscates the data with a simple repeating-key XOR cipher using the key “script,” then base64-encodes the result. This dual-layer obfuscation helps the stolen information blend in with normal web traffic, making it harder for data loss prevention systems to spot.
The encrypted payload is then transmitted via a POST request to a domain controlled by the attackers. To further disguise this exfiltration, the requests are made to endpoints like `/fb_metrics.php`, making them look like routine Facebook analytics traffic. All identified malicious domains in this campaign resolve to a single IP address, 23.137.249.67, which is hosted by IncogNet in the Netherlands.
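For incident responders who have a captured POST body, the two layers are trivially reversible: XOR with a fixed six-byte key hides nothing from an analyst who knows the key. The script below is an added example, not code from the Sansec report; it reverses the base64 and XOR layers, runs a Luhn check over any 13 to 19 digit run to confirm the decoded body really carries card numbers, and combines that with the endpoint path and exfil IP named in the article into a single triage verdict. The sample request body is constructed here from a well-known test card number, and the hostname `attacker-domain.invalid` is a placeholder, since the article does not list domains.

```python
"""Triage a captured skimmer POST: decode base64 over repeating-key XOR with
key "script", then confirm card data with a Luhn check.  Added IR example."""
import base64
import json
import re
from urllib.parse import urlparse

XOR_KEY = b"script"             # key named in the report
EXFIL_PATH = "/fb_metrics.php"  # endpoint path named in the report
EXFIL_IP = "23.137.249.67"      # shared exfiltration IP named in the report
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def xor_bytes(data, key=XOR_KEY):
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil_body(b64_text, key=XOR_KEY):
    """Undo base64, then XOR; raises ValueError if the body is not this format."""
    raw = base64.b64decode(b64_text, validate=True)
    return xor_bytes(raw, key).decode("utf-8")


def luhn_ok(digits):
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return digit runs of card-number length that pass Luhn."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def triage_post(url, body, resolved_ip=None):
    """Combine endpoint, IP and decoded-content evidence for one captured POST."""
    result = {
        "endpoint_match": urlparse(url).path == EXFIL_PATH,
        "ip_match": resolved_ip == EXFIL_IP,
        "decoded": None,
        "pans": [],
    }
    try:
        result["decoded"] = decode_exfil_body(body)
    except ValueError:  # bad base64, or XOR output is not UTF-8 text
        return result
    result["pans"] = find_pans(result["decoded"])
    return result


# Constructed sample: a record built the way the article describes, using the
# widely published test PAN 4111111111111111 and a placeholder hostname.
_RECORD = json.dumps({"cc": "4111111111111111", "exp": "12/29", "cvv": "123"})
SAMPLE_BODY = base64.b64encode(xor_bytes(_RECORD.encode())).decode()
SAMPLE_URL = "https://attacker-domain.invalid/fb_metrics.php"

if __name__ == "__main__":
    print(json.dumps(triage_post(SAMPLE_URL, SAMPLE_BODY, EXFIL_IP), indent=2))
```

Feed it the raw body of any POST from the checkout page to an unfamiliar host; a decoded body containing Luhn-valid PANs is proof of exfiltration even when the path and IP do not match the ones published, which matters because those are the easiest things for the attackers to rotate.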
Covering Their Tracks and Redirecting the User
The attackers have even implemented features to avoid raising suspicion. After successfully stealing a user’s data, the skimmer sets a flag (`_mgx_cv`) in the browser’s local storage. This ensures that if the same user returns to the checkout page, they won’t be targeted again, reducing the chance of unusual behavior that might prompt a complaint or investigation.
Finally, to complete the illusion, the victim is quietly redirected to the store’s actual, legitimate checkout page. From the user’s perspective, it might seem like a minor glitch or a slow page load, but their payment information has already been siphoned away. The entire process is disturbingly smooth and virtually invisible.
The Shifting Landscape of Digital Skimming Threats
This campaign is a stark reminder that Magecart groups are not static. They are continuously iterating, finding new corners of web technology to exploit. By moving from external JavaScript to inline SVG execution, they have sidestepped a primary detection method used by many security solutions. It raises an important question for defenders: are we monitoring all the right HTML features, or are we still focused on the threats of yesterday?
The continued exploitation of the PolyShell vulnerability also highlights a painful, recurring theme in cybersecurity: the patch gap. Known vulnerabilities in widely used platforms like Magento remain a goldmine for attackers as long as store owners delay or neglect updates. The front door might be heavily fortified, but a single unpatched side window can be enough to let the thieves in.
Looking ahead, the security community will need to adapt its detection strategies to account for this abuse of inline elements and event handlers. For online merchants, the imperative remains the same: vigilant patch management, layered security that doesn’t just watch network requests but also monitors for anomalous code injections, and a healthy skepticism toward any web technology, no matter how benign it seems. The next skimmer might be hiding in a web font, a CSS file, or another overlooked standard, waiting for its `onload` moment to strike.