Cybersecurity researchers have flagged a credit card stealing malware campaign that has been observed targeting e-commerce sites running Magento by disguising the malicious content within image tags in HTML code in order to stay under the radar.
MageCart is the name given to a malware that’s capable of stealing sensitive payment information from online shopping sites. The attacks are known to employ a wide range of techniques – both on client- and server-side – to compromise websites and deploy credit card skimmers to facilitate theft.
Typically, such malware is only triggered or loaded when users visit the checkout pages to enter credit card details by either serving a fake form or capturing the information entered by the victims in real time.
The term MageCart is a reference to the original target of these cybercrime groups, the Magento platform that offers checkout and shopping cart features for online retailers. Over the years, such campaigns adapted their tactics by concealing malicious code through encoding and obfuscation within seemingly harmless sources, such as fake images, audio files, favicons, and even 404 error pages.
“In this case, the malware affecting the client follows the same goal — staying hidden,” Sucuri researcher Kayleigh Martin said. “It does this by disguising malicious content inside an <img> tag, making it easy to overlook.”
“It’s common for <img> tags to contain long strings, especially when referencing image file paths or Base64-encoded images, along with additional attributes like height and width.”
The only difference is that the <img> tag, in this case, acts as a decoy, containing Base64-encoded content that points to JavaScript code that’s activated when an onerror event is detected. This makes the attack a lot more sneaky, as the browser inherently trusts the onerror function.
“If an image fails to load, the onerror function will trigger the browser to show a broken image icon instead,” Martin said. “However, in this context, the onerror event is hijacked to execute JavaScript instead of just handling the error.”
Furthermore, the attack offers an added advantage to threat actors in that the <img> HTML element is generally considered innocuous. The malware, for its part, checks whether the user is on the checkout page and waits for unsuspecting users to click on the submit button to siphon sensitive payment information entered by them to an external server.
The script is designed to dynamically insert a malicious form with three fields, Card Number, Expiration Date, and CVV, with the goal of exfiltrating it to wellfacing[.]com.
“The attacker accomplishes two impressive goals with this malicious script: avoiding easy detection by security scanners by encoding the malicious script within an <img> tag, and ensuring end users don’t notice unusual changes when the malicious form is inserted, staying undetected as long as possible,” Martin said.
“The goal of attackers who are targeting platforms like Magento, WooCommerce, PrestaShop and others is to remain undetected as long as possible, and the malware they inject into sites is often more complex than the more commonly found pieces of malware impacting other sites.”
The development comes as the website security company detailed an incident involving a WordPress site that leveraged the mu-plugins (or must-use plugins) directory to implant backdoors and execute malicious PHP code in a stealthy manner.
“Unlike regular plugins, must-use plugins are automatically loaded on every page load, without needing activation or appearing in the standard plugin list,” Puja Srivastava said.
“Attackers exploit this directory to maintain persistence and evade detection, as files placed here execute automatically and are not easily disabled from the WordPress admin panel.”
