Security researchers at Sansec uncovered a large-scale Magecart campaign targeting Magento e-commerce platforms.
Nearly 100 online stores were infected with a sophisticated credit card skimmer. To evade security scanners and steal shopper payment data seamlessly, attackers concealed the malicious payload inside an invisible SVG image element.
Threat intelligence suggests the attackers most likely breached the sites through the PolyShell vulnerability, which continues to be exploited against unpatched Magento installations.
The SVG Injection Technique
Instead of loading external scripts, which are frequently flagged by security tools, the threat actors embed a 1×1 pixel SVG image directly into the store’s HTML.
The entire skimmer payload is base64-encoded and executed inline through the SVG’s onload event handler.
The injection itself is a single inline 1×1 SVG element whose onload attribute carries the base64 payload; the handler decodes it with atob() and schedules it for execution with setTimeout.
By keeping the malware fully inline and encoded within a single string attribute, the attackers bypass traditional monitoring that looks for malicious external script references.
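As an added illustration (not code from Sansec or from the skimmer), the following Node.js script scans page HTML for inline SVG elements whose onload handler decodes and executes a base64 string, the pattern described above. The sample page and its harmless payload are constructed for the example, and the heuristics in `scanInlineSvg` are this example's own assumptions rather than a published detection rule.

```javascript
// Added example, not from the Sansec report or the skimmer: a dependency-free
// Node.js scanner for the inline-SVG pattern described above. The heuristics
// (onload + atob + dynamic execution + a long base64 run) are this example's
// own assumptions, not a published detection rule.

// Constructed, harmless sample page: the "payload" is base64 of a console.log
// call, and the second <svg> is an ordinary inline icon that must not be flagged.
const BENIGN_PAYLOAD = Buffer.from('console.log("demo")', "utf8").toString("base64");
const SAMPLE_HTML = `
<html><body>
<img src="/logo.svg" width="120" height="40">
<svg width="1" height="1" style="position:absolute"
     onload="setTimeout(function(){(new Function(atob('${BENIGN_PAYLOAD}')))()},0)"></svg>
<svg viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>
</body></html>`;

const SVG_TAG = /<svg\b([^>]*)>/gi;
// name = "value" | 'value' | bareword
const ATTR = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const BASE64_RUN = /[A-Za-z0-9+/]{16,}={0,2}/;

function parseAttrs(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one finding per suspicious <svg>: byte offset in the document,
// whether it is sized 1x1, and which heuristics fired.
function scanInlineSvg(html) {
  const findings = [];
  for (const tag of html.matchAll(SVG_TAG)) {
    const attrs = parseAttrs(tag[1]);
    const handler = attrs.onload;
    if (!handler) continue;
    const reasons = [];
    if (/\batob\s*\(/.test(handler)) reasons.push("atob");
    if (/\b(?:setTimeout|eval|Function)\s*\(/.test(handler)) reasons.push("dynamic-exec");
    if (BASE64_RUN.test(handler)) reasons.push("base64-blob");
    // A single hit (e.g. a legitimate onload="init()") is not enough on its own.
    if (reasons.length < 2) continue;
    findings.push({
      offset: tag.index,
      tiny: attrs.width === "1" && attrs.height === "1",
      reasons,
    });
  }
  return findings;
}

for (const f of scanInlineSvg(SAMPLE_HTML)) {
  console.log(`suspicious <svg> at offset ${f.offset} (1x1: ${f.tiny}): ${f.reasons.join(", ")}`);
}
```

Run it against a saved copy of a storefront page (or the HTML returned by a crawler) rather than against the live DOM, since the skimmer only needs to be present in the server response once to fire on every checkout click.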
Once injected, the skimmer waits for a shopper to click any checkout button. Its click listener is registered with useCapture set to true, so it runs during the capture phase, before the store's legitimate handlers on the target element.
The shopper is then shown a convincing full-screen "Secure Checkout" overlay with realistic card validation and billing fields. The malware intercepts the navigation with the following JavaScript:
```javascript
// Skimmer excerpt as published by Sansec. `checkoutUrl` and `show()` are
// defined elsewhere in the payload and are not reproduced here.
document.addEventListener(
  "click",
  function (e) {
    // Walk up from the clicked node to the nearest link or button.
    var el = e.target.closest('a,button,[role="button"]');
    if (!el) return;
    var href = el.getAttribute("href") || "";
    // Match the checkout link, the "Proceed to Checkout" control and the
    // top-cart checkout button.
    if (
      (href && checkoutUrl.includes(href)) ||
      el.getAttribute("data-role") === "proceed-to-checkout" ||
      el.id === "top-cart-btn-checkout"
    ) {
      e.preventDefault();           // block the real navigation
      e.stopImmediatePropagation(); // starve the store's own handlers
      show(); // display fake checkout overlay
    }
  },
  true, // useCapture: runs before handlers registered on the target
);
```
After the victim submits their payment details, the malware obfuscates the stolen data with an XOR cipher keyed with the string "script" and base64-encodes the result. This is obfuscation rather than encryption: the key is embedded in the skimmer itself, so anyone holding a copy of the payload can decode captured traffic.
The harvested information is sent to one of six attacker-controlled domains, using the path /fb_metrics.php so that the requests resemble Facebook analytics traffic. To add a further layer of stealth, the skimmer double-encodes the destination URLs so the domain names do not appear in plain text in the payload.
According to Sansec, once the data is successfully exfiltrated, the malware sets a browser storage flag (localStorage.setItem('_mgx_cv', '1')) to avoid targeting the same shopper twice.
Finally, the victim is silently redirected to the real checkout page, leaving them completely unaware that their payment data was compromised.
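The data encoding described above, as an added example that is not the skimmer's code: the XOR-then-base64 step, its inverse for decoding a captured /fb_metrics.php request body, and a known-plaintext key recovery that shows why a fixed XOR key offers no confidentiality. The report does not publish the exact byte layout, so this example assumes a repeating-key XOR over the UTF-8 bytes; the sample record, the function names and the use of the campaign marker as a crib are this example's own constructions.

```javascript
// Added example, not the skimmer's code: the article's data encoding
// (XOR with the key "script", then base64) and its inverse, plus known-plaintext
// key recovery. A repeating-key XOR over the UTF-8 bytes is assumed; the report
// does not publish the exact byte layout.
const KEY = "script";

function xorBytes(bytes, keyBytes) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ keyBytes[i % keyBytes.length];
  return out;
}

// What the skimmer would do before POSTing to /fb_metrics.php.
function obfuscate(plaintext, key = KEY) {
  return xorBytes(Buffer.from(plaintext, "utf8"), Buffer.from(key, "utf8")).toString("base64");
}

// What a responder does with a captured request body.
function deobfuscate(blob, key = KEY) {
  return xorBytes(Buffer.from(blob, "base64"), Buffer.from(key, "utf8")).toString("utf8");
}

// XOR with a fixed key leaks the key to anyone with a crib: since
// cipher = plain ^ key, key = cipher ^ plain for every byte the crib covers.
// Given a known prefix (here the campaign marker) recover the key stream and
// its period. Returns null if the crib does not cover two full repetitions.
function recoverKey(blob, knownPrefix) {
  const cipher = Buffer.from(blob, "base64");
  const crib = Buffer.from(knownPrefix, "utf8");
  if (crib.length > cipher.length) return null;
  const stream = Buffer.alloc(crib.length);
  for (let i = 0; i < crib.length; i++) stream[i] = cipher[i] ^ crib[i];
  for (let p = 1; p * 2 <= stream.length; p++) {
    let periodic = true;
    for (let i = p; i < stream.length && periodic; i++) periodic = stream[i] === stream[i % p];
    if (periodic) return stream.subarray(0, p).toString("utf8");
  }
  return null;
}

// Constructed sample record in the shape a skimmer might POST: the campaign
// marker object first, then a fake card record (a well-known test number).
const SAMPLE_RECORD = JSON.stringify([
  { site: "rand0m" },
  { cc: "4111111111111111", exp: "12/29", cvv: "123", name: "J. Doe" },
]);
const SAMPLE_BLOB = obfuscate(SAMPLE_RECORD);
console.log("blob:", SAMPLE_BLOB);
console.log("decoded:", deobfuscate(SAMPLE_BLOB));
console.log("key recovered from marker:", recoverKey(SAMPLE_BLOB, '[{"site":"rand0m"}'));
```

In an investigation the same `deobfuscate` call can be run over the POST bodies of every request to /fb_metrics.php in a proxy or WAF log to establish exactly which fields were captured; if the key in a new variant differs, a short crib such as the marker is enough to recover it.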
Indicators of Compromise
Exfiltration domains
All six domains resolve to 23.137.249.67, hosted at IncogNet LLC (AS40663) in the Netherlands.
| Domain | Confirmed victims |
|---|---|
| statistics-for-you.com | 15 |
| statistics-renew.com | 14 |
| morningflexpleasure.com | 14 |
| reusable-flex.com | 12 |
| goingfatter.com | 11 |
| wellfacing.com | 10 |
Technical indicators
| Indicator | Value |
|---|---|
| Injection method | Inline 1×1 SVG element, payload carried in its onload attribute |
| Payload encoding | base64 via atob(), executed via setTimeout |
| Data encoding | XOR with key "script", then base64 |
| Exfil endpoint | /fb_metrics.php |
| Exfil method | fetch() POST no-cors, fallback hidden iframe |
| localStorage key | _mgx_cv |
| Campaign marker | {site:'rand0m'} in payload array |
| Exfil server | 23.137.249.67 (IncogNet LLC, AS40663, NL) |