Cybersecurity researchers have identified a credit card stealing malware campaign targeting e-commerce sites running Magento. The malware disguises malicious content within image tags in HTML code to evade detection.
MageCart is notorious malware known for stealing payment information from online shopping sites. These attacks use various techniques to compromise websites and deploy credit card skimmers to facilitate theft.
The malware is usually activated when users reach checkout pages to enter credit card details, either by serving fake forms or capturing information in real time.
The term “MageCart” refers to the original target, the Magento platform, which provides shopping cart features for online retailers. The cybercrime groups behind these attacks have evolved their tactics over time, concealing malicious code within seemingly harmless sources.
“The malware in this case aims to remain hidden by disguising malicious content inside an <img> tag,” explained Sucuri researcher Kayleigh Martin. “This makes it easy to overlook as <img> tags often contain long strings.”
The malware uses the onerror event handler of the <img> tag, which the browser runs when an image fails to load, to trigger JavaScript code, making the attack more deceptive.
The attack takes advantage of the innocuous nature of the <img> HTML element and waits for users on the checkout page to submit sensitive payment information.
The malicious script inserts a form to steal payment information and exfiltrate it to an external server.
The attackers aim to evade detection by encoding the malicious script within an <img> tag and ensuring that users do not notice any suspicious changes.
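One way to hunt for this pattern in stored page templates or CMS content blocks, as an added example that is not code from the Sucuri report: a Node.js scanner that flags <img> tags whose onerror handler carries long opaque strings or dynamic-execution calls. The keyword list, the length thresholds and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: flag <img> tags whose onerror handler looks like a code carrier.
// Keyword list and thresholds are assumptions, not values from the report.
const DYNAMIC_EXEC = /\b(eval|atob|Function|fromCharCode|unescape)\b/;
const LONG_OPAQUE = /[A-Za-z0-9+\/=%\\]{120,}/; // long unbroken encoded-looking run

function findSuspiciousImgTags(html) {
  const findings = [];
  // Match each <img ...> tag; quoted attribute values may contain '>'.
  const imgTag = /<img\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  // Capture the onerror value (double-quoted, single-quoted or bare).
  const onerrorAttr = /\bonerror\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const m of html.matchAll(imgTag)) {
    const attr = onerrorAttr.exec(m[0]);
    if (!attr) continue; // no onerror handler on this tag
    const handler = attr[1] ?? attr[2] ?? attr[3] ?? "";
    const reasons = [];
    if (DYNAMIC_EXEC.test(handler)) reasons.push("dynamic-execution call");
    if (LONG_OPAQUE.test(handler)) reasons.push("long opaque string");
    if (handler.length > 200) reasons.push("handler longer than 200 chars");
    if (reasons.length > 0) {
      // 1-based line number of the tag, for triage in the source file.
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ line, length: handler.length, reasons });
    }
  }
  return findings;
}

// Constructed sample page: one ordinary fallback handler, one carrier-style tag.
const filler = "QUJD".repeat(40); // harmless filler, 160 characters
const SAMPLE_HTML = [
  '<div class="checkout">',
  '<img src="/logo.png" alt="logo" onerror="this.src=\'/fallback.png\'">',
  `<img src="x" style="display:none" onerror="eval(atob('${filler}'))">`,
  '<img src="/cart.png" alt="cart">',
  "</div>",
].join("\n");

console.log(findSuspiciousImgTags(SAMPLE_HTML));
```

Ordinary fallback handlers such as the one on the logo image are not flagged, so hits are worth manual review, especially in content served on checkout pages.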
A recent incident involved a WordPress site using must-use plugins to execute malicious PHP code stealthily.
Attackers leverage the must-use plugins directory for persistence and to evade detection, as these files execute automatically without appearing in the standard plugin list.