Hackers Use 1x1-Pixel SVG Trick to Steal Credit Cards

Significant risk — action recommended within 24-48 hours
In short: attackers hide card-skimming code inside a tiny inline SVG image on Magento checkout pages to steal shoppers' credit card details.
Hackers are targeting online stores running Magento with an SVG-based trick to steal credit card data. Nearly 100 stores are affected, so site owners need to act quickly to protect customer information.
What Happened
A significant cybersecurity threat has emerged, impacting nearly 100 online stores that run the Magento e-commerce platform. The attackers hide credit card-stealing code inside a 1x1-pixel SVG image embedded in the store's own pages. Because the payload is inline and encoded rather than loaded from an external script, it slips past many security scanners and harvests payment data from unsuspecting customers.
Who's Affected
The attack targets online retailers running Magento, specifically stores still exposed to the PolyShell vulnerability. That flaw allows unauthorized code execution, which is how the attackers are able to plant the malicious SVG in the store's pages in the first place.
How the Attack Works
When a shopper clicks the checkout button on a compromised store, the skimmer draws a convincing fake overlay labelled "Secure Checkout" over the page and collects the card number and billing details typed into it. The loader is a 1x1 SVG element whose onload handler decodes the skimmer from a base64 string with atob() and then executes it. Because the payload lives inline in the site's HTML as an encoded string, rather than being fetched from an external script URL, scanners that look for known malicious domains or readable JavaScript tend to miss it.
Data Exfiltration
The stolen card number is validated in real time with the Luhn algorithm before it is sent, so the attackers only receive usable card numbers, and the data is then transmitted as base64-obfuscated JSON. Researchers from Sansec identified multiple exfiltration domains linked to this campaign, indicating a well-organized effort to siphon sensitive information from many victims at once.
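The two properties just described, Luhn validation before exfiltration and a base64-encoded JSON body, are also what a defender can key on when triaging outbound requests captured from a checkout page. The Node.js script below is an added example, not code from the article or from Sansec: it implements the Luhn check the skimmer relies on, decodes a captured base64 request body back into JSON, and flags any string value that is a Luhn-valid card-like number regardless of the field name it was stored under. The sample payload, its field names and the public test card number 4111111111111111 are constructed for the demo and are not the campaign's real format.

```javascript
// Added example (not from the Sansec report or the original article): triage a
// captured outbound request body from a suspected Magento skimmer.
// The payload shape and field names below are constructed for this demo.

// Luhn check: the skimmer uses it to discard typos before exfiltration, and we
// use it here to recognise card-like strings in decoded payloads.
function luhnValid(pan) {
  const digits = pan.replace(/\D/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Decode a base64 request body into JSON; returns null when the body is not
// base64-encoded JSON, so this can be run over arbitrary captured POST bodies.
function decodeBase64Json(body) {
  if (!/^[A-Za-z0-9+/=]+$/.test(body)) return null;
  try {
    return JSON.parse(Buffer.from(body, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Walk every string value in the decoded object and collect the ones that pass
// Luhn. Keys are deliberately ignored: a skimmer can rename its fields freely,
// but the card number itself has to stay Luhn-valid to be worth stealing.
function findCardLikeValues(obj, found = []) {
  if (typeof obj === "string") {
    if (luhnValid(obj)) found.push(obj);
  } else if (Array.isArray(obj)) {
    for (const v of obj) findCardLikeValues(v, found);
  } else if (obj && typeof obj === "object") {
    for (const v of Object.values(obj)) findCardLikeValues(v, found);
  }
  return found;
}

// Verdict for one captured body: does it carry card data? Card numbers are
// masked to their last four digits so the result is safe to log.
function triageBody(body) {
  const decoded = decodeBase64Json(body);
  if (!decoded) return { skimmer: false, cards: [] };
  const cards = findCardLikeValues(decoded).map((c) =>
    c.replace(/\D/g, "").replace(/\d(?=\d{4})/g, "*")
  );
  return { skimmer: cards.length > 0, cards, decoded };
}

// Constructed sample body using the public Visa test PAN 4111111111111111.
const SAMPLE_PAYLOAD = { cc: "4111 1111 1111 1111", exp: "12/27", cvv: "123", name: "J Doe" };
const SAMPLE_BODY = Buffer.from(JSON.stringify(SAMPLE_PAYLOAD)).toString("base64");

console.log(triageBody(SAMPLE_BODY));
// → { skimmer: true, cards: [ '************1111' ], decoded: { cc: ..., ... } }
```

Run it over the POST bodies from a HAR export or a proxy capture of the checkout flow; a body that decodes to JSON containing a Luhn-valid number and is heading anywhere other than the store's real payment processor is the signal.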
What You Should Do
To protect against this type of attack, website owners should take the following steps:
- Inspect your site for hidden SVG tags with an onload attribute that calls atob(), and remove them if found.
- Check localStorage for the _mgx_cv key, whose presence may indicate stolen payment data staged by the skimmer.
- Monitor and block requests to the exfiltration endpoint /fb_metrics.php on suspicious domains.
- Block traffic to the IP address 23.137.249.67 and any associated domains.
As of now, Adobe has not released a patch for the PolyShell vulnerability in production versions of Magento, leaving many stores at risk. It is crucial for site administrators to apply all available mitigations and consider upgrading to the latest beta release to safeguard against these attacks.
🔍 How to Check If You're Affected
1. Search your site's HTML for SVG tags with an onload attribute, especially ones that call atob().
2. Check localStorage in a browser session on the checkout page for the _mgx_cv key.
3. Monitor outgoing requests from the checkout page for the /fb_metrics.php endpoint and for domains that are not your real payment processor.
4. Block known malicious IP addresses associated with the attack, including 23.137.249.67.
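The four checks above can be scripted against artifacts you can collect from a single browser session on the checkout page: a saved copy of the page HTML, an export of localStorage, and a HAR-style list of the requests the page made. The Node.js script below is an added example, not the article's or Sansec's tooling. It finds SVG tags whose onload handler calls atob() and decodes the base64 literal so the hidden script can be read in the clear, checks the storage dump for the _mgx_cv key, and flags requests whose path is /fb_metrics.php or whose server IP is 23.137.249.67. The sample HTML, the stand-in "hidden" script, the storage dump and the request entries (including the .example hostnames) are constructed for the demo; only the three indicators come from the article.

```javascript
// Added example (not the article's or Sansec's code): offline triage of one
// checkout-page session against the indicators listed above.

const IOC_IP = "23.137.249.67";
const IOC_PATH = "/fb_metrics.php";
const IOC_LS_KEY = "_mgx_cv";

// 1. Find <svg> tags whose onload handler calls atob(), and decode the base64
//    string literal passed to atob() so the hidden script can be reviewed.
function findSvgOnloadAtob(html) {
  const hits = [];
  const svgTag = /<svg\b[^>]*\bonload\s*=\s*(["'])([\s\S]*?)\1[^>]*>/gi;
  let m;
  while ((m = svgTag.exec(html)) !== null) {
    const handler = m[2];
    if (!/\batob\s*\(/.test(handler)) continue;
    const lit = /atob\s*\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)/.exec(handler);
    hits.push({
      tag: m[0],
      handler,
      // null when the argument is not a plain string literal (built at runtime)
      decoded: lit ? Buffer.from(lit[2], "base64").toString("utf8") : null,
    });
  }
  return hits;
}

// 2. localStorage only exists in the shopper's browser; check an export of it
//    (DevTools > Application > Local Storage, or JSON.stringify(localStorage)).
function hasSkimmerStorageKey(localStorageDump) {
  return Object.prototype.hasOwnProperty.call(localStorageDump, IOC_LS_KEY);
}

// 3. Scan captured requests (HAR entries carry request.url and serverIPAddress)
//    for the exfiltration path or the listed IP, whatever hostname was used.
function findSuspiciousRequests(entries) {
  return entries.filter((e) => {
    const url = new URL(e.request.url);
    return url.pathname === IOC_PATH || e.serverIPAddress === IOC_IP;
  });
}

function triagePage(html, localStorageDump, harEntries) {
  const svgHits = findSvgOnloadAtob(html);
  const storageKeyPresent = hasSkimmerStorageKey(localStorageDump);
  const suspiciousRequests = findSuspiciousRequests(harEntries);
  return {
    svgHits,
    storageKeyPresent,
    suspiciousRequests,
    compromised: svgHits.length > 0 || storageKeyPresent || suspiciousRequests.length > 0,
  };
}

// Constructed sample inputs. HIDDEN_SCRIPT is a harmless stand-in for a skimmer
// body, base64-encoded into the onload handler the way the loader expects it.
// The first <svg> is a benign decoy with an onload that does not use atob().
const HIDDEN_SCRIPT =
  "document.body.insertAdjacentHTML('beforeend', '<div id=\"fake-checkout\">Secure Checkout</div>')";
const SAMPLE_HTML = `<html><body>
<svg onload="initLogo()" width="40" height="40"><circle r="20"/></svg>
<svg width="1" height="1" style="position:absolute;left:-9999px" onload="eval(atob('${Buffer.from(HIDDEN_SCRIPT).toString("base64")}'))"></svg>
<button id="checkout">Checkout</button>
</body></html>`;
const SAMPLE_LOCALSTORAGE = { mage_cache_storage: "{}", _mgx_cv: "eyJjYyI6Ii4uLiJ9" }; // placeholder value
const SAMPLE_HAR = [
  { request: { url: "https://shop.example/checkout/" }, serverIPAddress: "203.0.113.10" },
  { request: { url: "https://stats.example/fb_metrics.php" }, serverIPAddress: IOC_IP },
];

console.log(JSON.stringify(triagePage(SAMPLE_HTML, SAMPLE_LOCALSTORAGE, SAMPLE_HAR), null, 2));
```

A hit on any of the three checks is enough to treat the store as compromised. Removing the SVG alone is not a fix: the attackers planted it through server-side code execution, so apply the PolyShell mitigations as well or the loader will simply come back.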
🔒 Pro insight: This attack highlights the need to patch server-side code-execution flaws promptly and to monitor checkout pages for unexpected inline and third-party scripts, since the skimmer runs in the shopper's browser where server-side controls cannot see it.