Credit Card Stealing Malware Targets Magento Sites with Image Tag Obfuscation

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers have uncovered a sophisticated credit card skimming campaign that targets e-commerce websites running Magento. This attack method disguises malicious content within <img> tags in HTML code, allowing threat actors to stay undetected while stealing sensitive payment information.

Understanding MageCart Attacks

MageCart is an umbrella term for the threat groups, and the card-skimming code they deploy, that steal payment details from online shops. These criminals use both client-side and server-side techniques to compromise e-commerce sites and plant skimmers that capture the payment information customers type in.

Typically, MageCart malware remains dormant until users reach the checkout page. At that point, the malicious script activates, either by injecting a fake payment form or intercepting the details entered into a legitimate checkout page in real time.

The name "MageCart" is derived from its original target, the Magento platform, which powers thousands of online retailers worldwide. Over time, these attacks have evolved to employ more advanced evasion techniques, such as encoding malicious scripts within fake images, audio files, favicons, or even error pages.

How the Malware Stays Hidden

According to security researchers from Sucuri, the latest attack method conceals malicious JavaScript inside an <img> tag. This is deceptive because <img> tags routinely carry long opaque strings, such as query-stringed file paths or Base64 data: URIs for inline images, so one more Base64 blob gives a reviewer skimming the markup no obvious reason to stop and decode it.

"In this case, the malware affecting the client follows the same goal—staying hidden," said Sucuri researcher Kayleigh Martin. "It does this by disguising malicious content inside an <img> tag, making it easy to overlook."

The <img> tag used in this attack carries Base64-encoded data that, once decoded, turns out to be JavaScript rather than an image, together with an onerror attribute. The browser fires the error event whenever an image fails to load, and an onerror attribute is simply inline script run in response; site authors normally use it to swap in a fallback image or log the failure. Here the payload is not a valid image, so loading fails, the event fires, and the handler decodes and executes the hidden script. The only visible side effect is the broken-image icon the browser draws for any failed image.

"If an image fails to load, the onerror function will trigger the browser to show a broken image icon instead," Martin explained. "However, in this context, the onerror event is hijacked to execute JavaScript instead of just handling the error."
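The following is an added example, not code from the Sucuri write-up or from this newsletter: a small static scanner for the pattern described above. It flags <img> tags that carry an inline onerror handler and checks whether a Base64 data: URI in src decodes to an image at all, using the file signatures a real image would start with. The sample markup, the placeholder payload and the shape of the onerror handler are constructed for illustration and are not the exact handler the researchers observed.

```javascript
// Added example, not code from the Sucuri write-up or from Cyber Syrup:
// a static scanner for <img> tags that hide script behind a Base64 "image".
// Sample markup and the onerror handler shape are constructed assumptions.

const IMAGE_MAGIC = [
  { format: 'png',  bytes: [0x89, 0x50, 0x4e, 0x47] },
  { format: 'jpeg', bytes: [0xff, 0xd8, 0xff] },
  { format: 'gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
  { format: 'webp', bytes: [0x52, 0x49, 0x46, 0x46] }, // RIFF container
];

// Tokens that rarely occur in image bytes but are typical of skimmer code.
const SCRIPT_TOKENS = ['document', 'function', 'eval', 'atob', 'fetch',
  'XMLHttpRequest', 'addEventListener', 'location', 'new Function'];

// Parse name="value" / name='value' / name=value pairs out of one tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Decide whether decoded bytes are a real image or look like script.
function classifyPayload(buf) {
  for (const sig of IMAGE_MAGIC) {
    if (sig.bytes.every((b, i) => buf[i] === b)) {
      return { kind: 'image', format: sig.format };
    }
  }
  const text = buf.toString('latin1');
  if (/^\s*(<\?xml|<svg)/i.test(text)) return { kind: 'image', format: 'svg' };
  const hits = SCRIPT_TOKENS.filter((t) => text.includes(t));
  return hits.length ? { kind: 'script', tokens: hits } : { kind: 'unknown' };
}

// Return one finding per suspicious <img>, each with the reasons it tripped.
function scanHtml(html) {
  const findings = [];
  const tagRe = /<img\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const attrs = parseAttributes(tag);
    const reasons = [];
    if ('onerror' in attrs) {
      reasons.push(`inline onerror handler: ${attrs.onerror}`);
    }
    const data = /^data:([^;,]*)(;base64)?,(.*)$/is.exec(attrs.src || '');
    if (data && data[2]) {
      const payload = classifyPayload(Buffer.from(data[3], 'base64'));
      if (payload.kind !== 'image') {
        const detail = payload.tokens ? `: ${payload.tokens.join(', ')}` : '';
        reasons.push(`base64 src is not an image (${payload.kind}${detail})`);
      }
    }
    if (reasons.length) findings.push({ tag: tag.slice(0, 70), reasons });
  }
  return findings;
}

// Constructed sample: a genuine 1x1 PNG next to a tag whose "image" is text.
const BENIGN_PNG =
  'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
const FAKE_PAYLOAD =
  "document.addEventListener('submit', function (e) { /* placeholder, harvests nothing */ });";
const SAMPLE_HTML = `
<div class="checkout">
  <img src="data:image/png;base64,${BENIGN_PNG}" alt="spacer">
  <img src="data:image/png;base64,${Buffer.from(FAKE_PAYLOAD).toString('base64')}"
       onerror="eval(atob(this.src.split(',')[1]))" alt="">
  <img src="/media/logo.png" alt="logo">
</div>`;

const SAMPLE_FINDINGS = scanHtml(SAMPLE_HTML);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Run it with Node against a saved copy of the rendered checkout page, not only the template on disk, since the injected tag may come from database-stored content. The two checks are independent on purpose: an onerror attribute on an image is worth a look even when its src is an ordinary path, and a data: URI that does not start with an image signature is worth a look even without a handler.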

The Malware’s Attack Process

Once activated, the malware performs the following actions:

  1. Checks for a Checkout Page: The script monitors whether the user is on a payment processing page.

  2. Intercepts Payment Information: When the victim enters their credit card details and clicks the submit button, the script captures the data.

  3. Exfiltrates Data to an External Server: The stolen information—including the card number, expiration date, and CVV—is sent to a malicious domain, wellfacing[.]com.

The malware effectively replaces the legitimate payment form with a fake one, tricking users into entering their details while keeping the attack hidden from both customers and website administrators.

Why This Attack is Effective

This method is dangerous because scanners and reviewers tend to treat <img> tags as inert content and rarely decode the long Base64 blobs they carry. The attackers achieve two major goals with this technique:

  • Evading Detection: A signature scan that looks for <script> blocks or known skimmer strings finds neither, because the script is stored Base64-encoded inside an attribute and only becomes JavaScript once the browser decodes it.

  • Remaining Undetected by Users: The fraudulent payment form blends seamlessly with the existing checkout page, making it difficult for victims to notice anything unusual.

"The goal of attackers who are targeting platforms like Magento, WooCommerce, PrestaShop, and others is to remain undetected as long as possible," Martin emphasized. "The malware they inject into sites is often more complex than the more commonly found pieces of malware impacting other sites."

Additional Threats to E-Commerce Security

This discovery follows another recent attack detailed by Sucuri, in which attackers planted backdoors on a WordPress site as must-use plugins (mu-plugins). Anything placed in the wp-content/mu-plugins directory is loaded by WordPress on every request without being activated; mu-plugins cannot be deactivated from the dashboard and are kept out of the standard plugin list (they appear only under the separate Must-Use view), which makes the directory a convenient place to hide persistent access.

"Unlike regular plugins, must-use plugins are automatically loaded on every page load, without needing activation or appearing in the standard plugin list," noted security researcher Puja Srivastava.

Attackers use the mu-plugins directory to maintain long-term access and evade detection, so a review of a compromised site should list its contents and compare every file against what the team actually deployed.

How to Protect Your E-Commerce Site

To defend against these types of attacks, website owners should take the following steps:

  • Monitor for Unauthorized Code Changes: Put file integrity monitoring on templates, themes and checkout pages, and also compare the rendered checkout page against a known-good copy, since an injected tag can live in database-stored content as well as in files on disk.

  • Use a Content Security Policy (CSP): CSP does not stop the injection itself, but it limits what injected markup can do. A script-src that relies on nonces or hashes instead of 'unsafe-inline' prevents an inline onerror handler from running at all, and a tight connect-src, img-src and form-action keep a skimmer from sending captured data to a domain such as wellfacing[.]com. Because the browser enforces the policy, it offers no protection when the attacker can also alter the response headers.

  • Keep Software Updated: Ensure Magento, WordPress and other e-commerce platforms, and in particular their third-party extensions and themes, are running the latest security patches.

  • Perform Regular Security Audits: Use automated scanning tools and conduct manual reviews to identify vulnerabilities.

  • Implement Multi-Factor Authentication (MFA): Require MFA on admin, hosting and deployment accounts so that a stolen password alone is not enough to modify the site.
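To make the CSP advice concrete, here is an added example that is not part of the original article: a minimal policy evaluator that answers the two questions that matter for this skimmer, whether an injected inline onerror handler would be allowed to run, and whether the page could send data to an exfiltration host. The weak and hardened policies, the shop host shop.example and the nonce value are constructed for illustration; wellfacing[.]com is the domain named in the report. The evaluator handles only host matching and the directives used here, not the full CSP specification.

```javascript
// Added example, not from the original article: a minimal CSP evaluator.
// Policies, shop host and nonce below are constructed assumptions.

// Directives that do not fall back to default-src when absent.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri', 'sandbox']);

// "name src src; name src" -> { name: [src, src], ... }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Sources governing `directive`, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (!NO_FALLBACK.has(directive) && policy['default-src']) return policy['default-src'];
  return null;
}

// An inline event handler such as onerror="..." runs only if the governing
// source list carries 'unsafe-inline' and no nonce or hash source (a nonce
// or hash disables 'unsafe-inline'), or if nothing governs scripts at all.
// 'unsafe-hashes' admits only handlers whose hash is listed, which an
// injected payload will not match, so it is treated as blocking here.
function inlineHandlerAllowed(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Could the page send a request to `host` under `directive`? connect-src
// covers fetch/XHR, img-src a beacon image, form-action a posted fake form.
// Host matching only: schemes, ports and paths are ignored for brevity.
function hostAllowed(policy, directive, host, selfHost = '') {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const h = host.toLowerCase();
  for (const raw of sources) {
    const s = raw.toLowerCase();
    if (s === '*') return true;
    if (s === "'self'") { if (h === selfHost.toLowerCase()) return true; continue; }
    if (s.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/.test(s)) continue; // keywords, scheme sources
    const hostPart = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
    if (hostPart === h) return true;
    if (hostPart.startsWith('*.') && h.endsWith(hostPart.slice(1))) return true;
  }
  return false;
}

function evaluate(header, exfilHost, selfHost) {
  const policy = parseCsp(header);
  return {
    inlineHandler: inlineHandlerAllowed(policy),
    fetchToExfil: hostAllowed(policy, 'connect-src', exfilHost, selfHost),
    imageBeaconToExfil: hostAllowed(policy, 'img-src', exfilHost, selfHost),
    formPostToExfil: hostAllowed(policy, 'form-action', exfilHost, selfHost),
  };
}

// Weak: 'unsafe-inline' lets the onerror handler run, '*' lets it exfiltrate.
const WEAK_CSP = "default-src 'self' *; script-src 'self' 'unsafe-inline' https://cdn.example";
// Hardened: nonce-based script-src, explicit connect-src and form-action.
// data: images stay allowed; the carrier is harmless once the handler cannot run.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; img-src 'self' data:; " +
  "connect-src 'self' https://payments.example; form-action 'self'; base-uri 'self'";

console.log('weak    ', evaluate(WEAK_CSP, 'wellfacing.com', 'shop.example'));
console.log('hardened', evaluate(HARDENED_CSP, 'wellfacing.com', 'shop.example'));
```

Note that the hardened policy still permits data: images. That is deliberate: the Base64 image is only a carrier, and once script-src refuses the inline handler the payload never executes. What the policy must not do is leave script-src on 'unsafe-inline' or let connect-src, img-src and form-action fall back to a wildcard, since those are the three ways captured card data leaves the page.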

By staying proactive and securing critical payment infrastructure, e-commerce businesses can minimize the risk of MageCart-style attacks and protect customer data from being stolen.