Cybersecurity experts have identified a credit card stealing malware campaign targeting e-commerce sites running Magento, which disguises malicious content within image tags in HTML code to evade detection.
MageCart, a type of malware, is capable of stealing sensitive payment information from online shopping sites. These attacks employ various techniques, both on the client and server-side, to compromise websites and deploy credit card skimmers for theft.
Typically, this malware is triggered when users visit checkout pages to enter credit card details, either by serving a fake form or capturing the information entered by the victims in real-time.
The term MageCart refers to the original target of these cybercrime groups, the Magento platform, which offers checkout and shopping cart features for online retailers. Over time, these campaigns have adapted their tactics by concealing malicious code through encoding and obfuscation within seemingly harmless sources, such as fake images, audio files, favicons, and even 404 error pages.
According to Sucuri researcher Kayleigh Martin, “In this case, the malware affecting the client follows the same goal — staying hidden. It does this by disguising malicious content inside an tag, making it easy to overlook.”
“It’s common for tags to contain long strings, especially when referencing image file paths or Base64-encoded images, along with additional attributes like height and width.”
The only difference is that the tag, in this case, acts as a decoy, containing Base64-encoded content that points to JavaScript code that’s activated when an onerror event is detected, making the attack more sneaky as the browser inherently trusts the onerror function.
“If an image fails to load, the onerror function will trigger the browser to show a broken image icon instead,” Martin said. “However, in this context, the onerror event is hijacked to execute JavaScript instead of just handling the error.”
Furthermore, the attack offers an added advantage to threat actors in that the HTML element is generally considered innocuous. The malware checks whether the user is on the checkout page and waits for unsuspecting users to click on the submit button to siphon sensitive payment information entered by them to an external server.
The script is designed to dynamically insert a malicious form with three fields, Card Number, Expiration Date, and CVV, with the goal of exfiltrating it to wellfacing[.]com.
According to Martin, “The attacker accomplishes two impressive goals with this malicious script: avoiding easy detection by security scanners by encoding the malicious script within an tag, and ensuring end users don’t notice unusual changes when the malicious form is inserted, staying undetected as long as possible.”
“The goal of attackers who are targeting platforms like Magento, WooCommerce, PrestaShop, and others is to remain undetected as long as possible, and the malware they inject into sites is often more complex than the more commonly found pieces of malware impacting other sites.”
This development comes as the website security company detailed an incident involving a WordPress site that leveraged the mu-plugins (or must-use plugins) directory to implant backdoors and execute malicious PHP code in a stealthy manner.
According to Puja Srivastava, “Unlike regular plugins, must-use plugins are automatically loaded on every page load, without needing activation or appearing in the standard plugin list.”
“Attackers exploit this directory to maintain persistence and evade detection, as files placed here execute automatically and are not easily disabled from the WordPress admin panel.”
