- Experts Discover Credit Card Skimmer Hidden in 1×1 SVG Image
- Fake “secure payment” overlay stole card data
- Possibly exploited Magento PolyShell flaw, affecting many stores
Security researchers recently discovered a credit card skimmer on nearly a hundred compromised e-commerce websites, hidden in a small image.
Sansec experts reported finding 1×1 pixel SVG (Scalable Vector Graphics) elements with an “onload” handler in the HTML of many e-commerce sites.
“The onload handler contains the entire skimmer payload, base64-encoded in an atob() call and executed via setTimeout,” the researchers said. They explained that with this technique, attackers do not need to create external script references, which security scanners usually detect. “The entire malware is embedded, encoded as a single string attribute.”
Leveraging PolyShell
People attempting to purchase something from these websites would be presented with a fake “secure payment” overlay including card detail fields and a billing form during checkout.
Anything they submit in this manner would then be validated in real-time using Luhn verification, then sent to an attacker-controlled server in an XOR-encrypted and base64-obfuscated JSON format.
Researchers discovered a total of six domains used for data exfiltration, all hosted in the Netherlands. Each received data on up to 15 confirmed victims.
Discussing how the websites may have been compromised, Sansec said it was possible the attackers exploited PolyShell, a vulnerability that affects stable installations of Magento Open Source and Adobe Commerce version 2, discovered in mid-March this year. Sansec, who also discovered PolyShell, then warned of the ongoing attacks.
“Massive PolyShell exploitation began on March 19 and Sansec has now detected PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
Adobe fixed it, but the fix was only available in the second alpha release of 2.4.9, meaning production builds remained vulnerable.
This remains the case today, and Sansec recommends that users scan for hidden SVG tags, as well as monitor and block traffic to the attackers’ servers.
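The scan Sansec recommends can be automated from the indicators the article gives: an inline `<svg>` sized 1×1 whose `onload` attribute carries an `atob()` call executed through `setTimeout`. The following Python script is an added example, not code from Sansec or TechRadar. It parses HTML with the standard library, flags SVG elements matching that pattern, and decodes the base64 argument so an analyst can review it. The page sample and the encoded string are constructed here; the encoded content is a harmless placeholder, not a real skimmer.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary icon SVG and one 1x1 SVG whose onload
# handler follows the pattern described in the article. The encoded string
# decodes to a harmless placeholder (constructed), not an actual payload.
PLACEHOLDER_JS = "console.log('constructed placeholder, not a skimmer')"
ENCODED = base64.b64encode(PLACEHOLDER_JS.encode()).decode()
SAMPLE_HTML = f"""
<html><body>
<svg width="24" height="24"><circle cx="12" cy="12" r="10"/></svg>
<svg width="1" height="1" onload="setTimeout(atob('{ENCODED}'),0)"></svg>
<div class="checkout">...</div>
</body></html>
"""


class SvgOnloadScanner(HTMLParser):
    """Collect the attributes of every <svg> element that has an onload handler."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if "onload" in attrs:
            self.findings.append(attrs)


def _dimension(attrs, name):
    """Read width/height from the attribute or an inline style; None if absent."""
    val = attrs.get(name)
    if val is None:
        m = re.search(rf"{name}\s*:\s*([\d.]+)", attrs.get("style", ""))
        val = m.group(1) if m else None
    if val is None:
        return None
    m = re.match(r"\s*([\d.]+)", val)
    return float(m.group(1)) if m else None


def is_tiny(attrs):
    """True when the element is 1x1 or smaller, i.e. invisible to the shopper."""
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return w is not None and h is not None and w <= 1 and h <= 1


ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_payload(handler):
    """Decode the base64 argument of atob() for analyst review; None if absent or invalid."""
    m = ATOB_RE.search(handler)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def scan_html(html):
    """Return one finding per <svg onload=...> element with the indicators it matched."""
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    results = []
    for attrs in scanner.findings:
        handler = attrs["onload"]
        indicators = []
        if is_tiny(attrs):
            indicators.append("1x1_svg")
        if "atob(" in handler:
            indicators.append("atob")
        if "settimeout" in handler.lower():
            indicators.append("setTimeout")
        results.append({
            "handler_length": len(handler),
            "indicators": indicators,
            "decoded_payload": extract_payload(handler),
            # Two or more indicators together match the pattern the article describes.
            "suspicious": len(indicators) >= 2,
        })
    return results


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against a saved copy of a store's checkout page (or the rendered DOM, since the injection may be added by server-side templates or a database-stored block). A hit is a starting point for review, not proof of compromise on its own: compare the decoded payload with the site's legitimate scripts, and pair the check with egress monitoring for connections to the exfiltration domains Sansec identified.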
Via BleepingComputer