- Experts find credit card skimmer hidden in 1×1 SVG image
- Fake “Secure Checkout” overlay stole card data
- Likely exploited Magento PolyShell flaw, affecting many stores
Security researchers recently found a credit card skimmer on almost a hundred compromised ecommerce websites hiding in a tiny image.
Experts from Sansec reported finding 1×1-pixel Scalable Vector Graphics (SVG) elements with an ‘onload’ handler inside many e-commerce websites’ HTML.
“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” the researchers said. They explained that with this technique, the attackers did not have to create external script references that usually get picked up by security scanners. “The entire malware lives inline, encoded as a single string attribute.”
Article continues below
Leveraging PolyShell
People who would try to buy something from these websites would, during checkout, be presented with a fake “Secure Checkout” overlay that includes card details fields and a billing form.
Everything they would submit this way would then be validated in real-time using the Luhn verification, and then sent to an attacker-controlled server in an XOR-encrypted, base64-obfuscated JSON format.
The researchers found a total of six domains used for data exfiltration, all of which were hosted in the Netherlands. Each was getting data from up to 15 confirmed victims.
Discussing how the websites may have been compromised, Sansec said it was possible that the attackers leveraged PolyShell, a vulnerability plaguing stable version 2 installations of Magento Open Source and Adobe Commerce, which was discovered in mid-March this year. Sansec, who were also the ones to discover PolyShell, warned about ongoing attacks at the time.
“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
Adobe patched it, but the fix was only available in the second alpha release for version 2.4.9, meaning production versions remained vulnerable.
This remains the case today, and Sansec recommends users hunt for hidden SVG tabs, as well as monitor and block traffic coming from the attackers’ servers.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
