A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image.

When clicking the checkout button, the victim is shown a convincing overlay that can validate card details and billing data.

The campaign was discovered by eCommerce security company Sansec, whose researchers believe that the attacker likely gained access by exploiting the PolyShell vulnerability disclosed in mid-March.

PolyShell impacts all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.

Sansec warned that more than half of all vulnerable stores were targeted in PolyShell attacks, which in some cases deployed payment card skimmers using WebRTC for stealthy data exfiltration.

In the latest campaign, the researchers found that the malware is injected as a 1x1-pixel SVG element with an ‘onload’ handler into the target website’s HTML.

“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” Sansec explains.

“This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.”

When unsuspecting buyers click checkout on compromised stores, a malicious script intercepts the click and displays a fake “Secure Checkout” overlay that includes card details fields and a billing form.

Payment data submitted on this page is validated in real time using the Luhn verification and exfiltrated to the attacker in an XOR-encrypted, base64-obfuscated JSON format.

Sansec identified six exfiltration domains, all hosted at IncogNet LLC (AS40663) in the Netherlands, and each getting data from 10 to 15 confirmed victims.

To protect against this campaign, Sansec recommends the following:

• Look for hidden SVG tags with an onload attribute using atob() and remove them from your site files
• Check if the _mgx_cv key exists in browser localStorage, as this indicates payment data may have been stolen
• Monitor and block requests to /fb_metrics.php or any unfamiliar analytics-like domains
• Block all traffic to the IP address 23.137.249.67 and associated domains

As of writing, Adobe has still not released a security update to address the PolyShell flaw in production versions of Magento. The vendor has only made a fix available in the pre-release version 2.4.9-alpha3+.

Also, Adobe has not responded to our repeated requests for a comment on the topic.

Website owners/admins are advised to apply all available mitigations and, if possible, upgrade Magento to the latest beta release.