- Experts find credit card skimmer hidden in 1×1 SVG image
- Fake “Secure Checkout” overlay stole card data
- Likely exploited Magento PolyShell bug affecting many stores
Security researchers recently found a credit card skimmer on nearly a hundred compromised e-commerce sites hiding in a small image.
Experts from Sansec reported finding 1×1-pixel Scalable Vector Graphics (SVG) elements with an ‘onload’ handler in the HTML of many e-commerce websites.
“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” the researchers said. They explained that with this technique, the attackers did not need to create external script references, which are usually caught by security scanners. “The entire malware lives inline, encoded as a single string attribute.”
Exploitation of PolyShell
Shoppers on these sites are presented with a fake “Secure Checkout” overlay during checkout that includes card information fields and a billing form.
Anything submitted through this overlay is validated in real time with the Luhn check and then sent to an attacker-controlled server as XOR-encrypted, base64-obfuscated JSON.
The researchers found a total of six domains used for data exfiltration, all of which were hosted in the Netherlands. Each received data from up to 15 confirmed victims.
Discussing how the websites may have been compromised, Sansec said it was possible the attackers exploited PolyShell, a vulnerability that plagues stable version 2 installations of Magento Open Source and Adobe Commerce, which was discovered in mid-March this year. Sansec, who were also the ones who discovered PolyShell, warned at the time about ongoing attacks.
“Mass exploitation of PolyShell started on March 19, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a specific number of targeted sites.
Adobe patched it, but the fix was only available in the second alpha release for version 2.4.9, meaning production versions remained vulnerable.
This remains the case today, and Sansec recommends that users hunt for hidden SVG tags, as well as monitor and block traffic coming from the attackers’ servers.
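The hunt Sansec recommends can be scripted against saved page source. The following is an added example, not Sansec's tooling or code from the article: it parses HTML, flags every `<svg>` that carries an `onload` attribute, scores the three indicators the article describes (1×1 dimensions, an `atob()` call, execution via `setTimeout`), and decodes the base64 argument for analyst review. The fixture HTML and its payload are constructed here and benign; the payload merely logs a string.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Indicators from the Sansec write-up: a 1x1 <svg> whose onload attribute wraps a
# base64 string in atob() and runs it through setTimeout. Names below are this
# example's own, not Sansec's.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
STYLE_DIM_RE = re.compile(r"(width|height)\s*:\s*([0-9.]+)(px)?", re.I)


def _is_tiny(value):
    """True for a dimension of 1 CSS pixel or less ('1', '1px', '0')."""
    if value is None:
        return False
    v = value.strip().lower().removesuffix("px")
    try:
        return float(v) <= 1.0
    except ValueError:
        return False


def _dimensions(attrs):
    """Collect width/height from attributes, falling back to an inline style."""
    dims = {"width": attrs.get("width"), "height": attrs.get("height")}
    for name, num, _ in STYLE_DIM_RE.findall(attrs.get("style", "")):
        if dims.get(name.lower()) is None:
            dims[name.lower()] = num
    return dims


class HiddenSvgFinder(HTMLParser):
    """Records every <svg> with an onload handler and scores the skimmer indicators."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "onload" not in a:
            return
        onload = a["onload"]
        dims = _dimensions(a)
        indicators = {
            "tiny": _is_tiny(dims["width"]) and _is_tiny(dims["height"]),
            "atob": "atob(" in onload,
            "settimeout": "settimeout" in onload.lower(),
        }
        # Decode the atob() argument so an analyst can see what the handler runs.
        decoded = None
        m = ATOB_RE.search(onload)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None
        self.findings.append({
            "line": self.getpos()[0],
            "indicators": indicators,
            "score": sum(indicators.values()),
            "decoded_preview": decoded[:120] if decoded else None,
        })


def scan_html(html):
    """Return one finding per <svg onload=...> element, highest score first."""
    finder = HiddenSvgFinder()
    finder.feed(html)
    finder.close()
    return sorted(finder.findings, key=lambda f: f["score"], reverse=True)


# Constructed fixture: a legitimate icon (no onload) next to a benign stand-in for
# the skimmer pattern. The encoded payload only logs a string.
BENIGN_PAYLOAD = "console.log('constructed sample')"
ENCODED = base64.b64encode(BENIGN_PAYLOAD.encode()).decode()
SAMPLE_HTML = (
    "<html><body>\n"
    '<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>\n'
    f'<svg width="1" height="1" onload="setTimeout(atob(\'{ENCODED}\'),0)"></svg>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

A score of 3 matches the pattern in the article exactly; any `<svg onload>` at all is worth a look, since legitimate storefront markup rarely needs one. Run it over the rendered HTML of each page template, not just the homepage, because the overlay is injected at checkout.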
Via Bleeping Computer