Advanced Multi-Stage Carding Attack Hits Magento Site Using Fake GIFs and Reverse Proxy Malware
A multi-stage carding attack has been uncovered targeting a Magento eCommerce website running an outdated version 1.9.2.4.
This version, unsupported by Adobe since June 2020, left the site vulnerable due to unpatched security flaws.
The malware employed a deceptive .gif file, tampered browser sessionStorage data, and a malicious reverse proxy server to steal credit card details, login credentials, cookies, and other sensitive information.
The attack, which disrupted the site’s checkout process by preventing proper card input and order completion, highlights the critical risks of neglecting software updates on complex platforms like Magento, where migration to newer versions such as Magento 2 can be both costly and time-intensive.
Intricate Attack Mechanism: Fake GIFs and Reverse Proxy Tactics
The infection began with suspicious JavaScript code embedded between seemingly legitimate Bing UET tracking tags on the checkout page.
Closer inspection revealed a hidden reference to a Magento directory path, dynamically constructed via obfuscated string manipulation (e.g., concatenating “rep” and “lace” while ignoring decoy terms like “bing”).
This led to a bogus file path, “/media/magentothem/img/line.gif,” which, instead of an image, contained a malicious PHP script.
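A defender can hunt for this pattern on disk: files with an image extension under the media directory whose bytes do not start with the expected image signature, or that contain a PHP open tag anywhere (a genuine GIF never needs one). The scanner below is an added example written for this article, not Sucuri's tooling or code from the report; the magic-byte table and the temporary sample directory it builds (one genuine GIF, one PHP file named line.gif, one GIF/PHP polyglot) are this example's own constructions.

```python
import os
import re
import tempfile

# Leading bytes a genuine file of each extension should start with
# (assumption: only these formats are treated as images here).
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# A PHP open tag has no business inside an image, wherever it appears.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_image_file(path):
    """Return None if the file looks like a genuine image, else a reason string."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("magic-bytes mismatch")
    if PHP_TAG.search(data):
        reasons.append("php-open-tag")
    return "; ".join(reasons) if reasons else None


def scan_media_dir(root):
    """Walk a media tree and map each suspicious image-named file to its reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = classify_image_file(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings


def build_sample_media_dir():
    """Construct a throwaway media tree (sample data, not taken from a real site)."""
    root = tempfile.mkdtemp(prefix="magento_media_")
    img = os.path.join(root, "magentothem", "img")
    os.makedirs(img)
    # Genuine GIF: correct signature, no PHP.
    with open(os.path.join(img, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16)
    # Fake image: a PHP file wearing a .gif name (placeholder body, not the real script).
    with open(os.path.join(img, "line.gif"), "wb") as fh:
        fh.write(b"<?php /* placeholder standing in for a dropped script */ ?>")
    # Polyglot: valid GIF header with PHP appended, so a signature check alone passes.
    with open(os.path.join(img, "spacer.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 8 + b"<?php echo 'x'; ?>")
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_media_dir(build_sample_media_dir()).items()):
        print(f"{rel}: {why}")
```

Run it against a real install's media directory by passing that path to scan_media_dir instead of the sample tree; the polyglot case is why the PHP-tag check is kept separate from the signature check, since a file can satisfy the signature and still carry executable code.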

Decoding its obfuscated “backend_url” pointed to a remote server (217.12.207.38) orchestrating a reverse proxy.
Unlike a regular proxy or VPN that masks user identity, this reverse proxy intercepted and tampered with all site traffic, capturing headers, POST data, cookies, and session tokens, while rewriting responses to mimic legitimate domain interactions.
This made the interception nearly invisible to users and admins alike, with tampered Location headers and cookies ensuring the backend server’s identity remained hidden.
Additionally, a secondary injection in the checkout template file (onestepcheckout.phtml) used a user-specific key derived from the browser’s userAgent string to trigger client-side payloads via sessionStorage, executing card theft discreetly during checkout without leaving persistent traces post-session.
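The client-side half leaves fingerprints in the template itself: inline scripts that read navigator.userAgent, write to sessionStorage, and assemble strings from short quoted fragments or arrays of them (the "rep"/"lace" construction above). The checker below, an added example and not code from the report, extracts every inline script from a template and flags those showing two or more such indicators at once; the indicator patterns and the two-indicator threshold are this example's own heuristics, and the sample template, including its stand-in for the Bing UET tag and its harmless stand-in for the injected script, is constructed.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# (name, pattern) pairs; each is a heuristic chosen for this example.
INDICATORS = [
    ("user-agent-keying", re.compile(r"navigator\.userAgent")),
    ("session-storage", re.compile(r"\bsessionStorage\b")),
    # "ab" + "cd" + ... : short quoted fragments glued together at runtime
    ("string-fragment-concat",
     re.compile(r"""(['"][A-Za-z]{1,6}['"]\s*\+\s*)+['"][A-Za-z]{1,6}['"]""")),
    # ["rep", "bing", "lace"] : an array of short fragments, typically filtered then joined
    ("fragment-array-join",
     re.compile(r"""\[\s*(['"][A-Za-z]{1,6}['"]\s*,\s*){2,}['"][A-Za-z]{1,6}['"]\s*\]""")),
    ("dynamic-code-eval",
     re.compile(r"\b(eval|Function)\s*\(|String\.fromCharCode|\batob\s*\(")),
]


def scan_template(html, threshold=2):
    """Return [(script_index, [indicator names])] for inline scripts at or above the threshold."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        hits = [name for name, pattern in INDICATORS if pattern.search(body)]
        if len(hits) >= threshold:
            findings.append((index, hits))
    return findings


# Constructed sample: a benign tracking-style tag, an injected block between tags, a benign tail.
SAMPLE_TEMPLATE = """
<div class="checkout">
<script>
  // constructed approximation of a Bing UET tag (not the real snippet)
  window.uetq = window.uetq || [];
  (function(){var s=document.createElement('script');s.src='//bat.bing.com/bat.js';document.head.appendChild(s);})();
</script>
<script>
  // constructed stand-in for the injected code: keys on the user agent, stashes state in
  // sessionStorage and assembles a word from fragments while dropping a decoy term
  var parts = ["rep", "bing", "lace"];
  var word = parts.filter(function(p){ return p !== "bing"; }).join("");
  var k = navigator.userAgent.length;
  sessionStorage.setItem("k" + k, word);
</script>
<script>
  window.uetq.push('pageLoad');
</script>
</div>
"""


def scan_template_file(path):
    """Convenience wrapper for running the check over a real .phtml file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_template(fh.read())


if __name__ == "__main__":
    for index, hits in scan_template(SAMPLE_TEMPLATE):
        print(f"inline script #{index}: {', '.join(hits)}")
```

Scores rather than single hits keep the noise down: a legitimate tag may touch sessionStorage, but a checkout template script that also keys on the user agent and builds strings from fragments deserves a look, and diffing the flagged file against the version in source control settles it quickly.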
Urgent Call for Security and Mitigation Measures
According to Sucuri's report, this MageCart-style attack underscores the persistent threat to eCommerce platforms, particularly those on deprecated systems like Magento 1.
The malware’s multi-layered approach, combining server-side reverse proxy interception with client-side sessionStorage exploitation, demonstrates the advanced planning of threat actors.

For website administrators, the incident is a stark reminder to prioritize core updates and security patches, migrate to supported platforms like Magento 2, and deploy Web Application Firewalls (WAFs) to thwart such attacks.
Small business owners lacking technical expertise are urged to hire security professionals to safeguard customer trust and avoid penalties from payment processors like Visa for being identified as common points of purchase compromise.
For shoppers, vigilance is key: tools like SiteCheck can reveal outdated platforms, while browser security plugins and script blockers offer added protection against malicious JavaScript.
Ultimately, this case serves as a critical warning: neglecting eCommerce security not only jeopardizes customer data but also risks severe reputational and financial damage in an era of increasingly sophisticated cyber threats.