Cyber Security News

Cybercriminals Embedded Credit Card Stealer Script Within <img> Tag

Cybersecurity researchers have uncovered a new MageCart malware campaign targeting e-commerce websites running on the Magento platform.

This attack exploits <img> HTML tags to conceal malicious JavaScript skimmers, enabling cybercriminals to steal sensitive payment information while evading detection by security tools.

MageCart, a term used to describe credit card skimming malware, has evolved with increasingly sophisticated techniques.

In this instance, attackers embedded Base64-encoded malicious scripts within <img> tags on checkout pages, an area where users input their credit card details.

The malware activates when users interact with the checkout process, stealing information such as card numbers, expiration dates, and CVV codes.

Exploiting Browser Trust

The <img> tag is typically considered harmless and widely trusted by browsers.

This trust is exploited by embedding the malicious script within a Base64-encoded string that does not reference any actual image file.

Additionally, an onerror event handler is used to execute JavaScript if the image fails to load.

While this event is generally employed for legitimate purposes like handling broken images, attackers have repurposed it to activate their skimming script.

According to the Sucuri report, the malware's placement on the checkout page further enhances its stealth.

By limiting its presence to this critical section of the website, it minimizes the likelihood of detection during routine scans.

Once activated, the script dynamically injects a fake form into the webpage to collect payment details without alerting users.

Decoding and Functionality of the Malicious Script

Upon decoding the Base64 content, researchers found that the script first verifies whether it is running on a checkout page and ensures it hasn’t already executed during the session.

When users submit their payment details, a function named magictrick() is triggered.

This function collects credit card data and transmits it to a remote server controlled by the attackers.

The stolen information is sent to domains such as “wellfacing[.]com,” where it is likely stored for fraudulent use or sale on dark web marketplaces.

To avoid suspicion, the script also validates input fields to ensure only numeric characters are accepted in credit card fields.

It also monitors changes in the webpage layout and reinserts itself if necessary, keeping itself on the page without being detected.

This attack underscores the growing sophistication of MageCart campaigns and their ability to exploit seemingly benign elements like <img> tags for malicious purposes.

Such breaches can have devastating consequences for both consumers and businesses.

Stolen credit card data leads to financial fraud for victims, while affected businesses face reputational damage and potential penalties from regulatory bodies.

To mitigate such threats, e-commerce operators should:

  • Regularly update their website software and apply security patches.
  • Implement Web Application Firewalls (WAF) to detect and block malicious activities.
  • Enforce strong administrator passwords and enable two-factor authentication (2FA).
  • Conduct frequent security audits of their websites, particularly focusing on checkout pages.
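
One check such an audit can run, shown as an added example that is not from the article or the Sucuri report: it parses checkout-page HTML and flags <img> tags whose event handlers call a decode/eval primitive or whose attributes hold Base64 that decodes to text rather than image bytes. The regexes, the 0.9 threshold, the names and the sample markup are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Assumed heuristics for this example, not indicators taken from the report.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DYNAMIC_EXEC = re.compile(r"\b(atob|eval|Function|fromCharCode)\b")

def decodes_to_text(run):
    """True if a Base64 run decodes to mostly printable ASCII, i.e. not image bytes."""
    try:
        raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return bool(raw) and printable / len(raw) > 0.9

class ImgAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line number, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        reasons = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") and DYNAMIC_EXEC.search(value):
                reasons.append(f"{name}: handler calls a decode/eval primitive")
            if any(decodes_to_text(run) for run in B64_RUN.findall(value)):
                reasons.append(f"{name}: Base64 that decodes to text, not an image")
        if reasons:
            self.findings.append((self.getpos()[0], reasons))

def audit_img_tags(html):
    parser = ImgAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: a normal fallback, a binary data URI, and an inert encoded snippet.
INERT_B64 = base64.b64encode(b"/* constructed sample */ console.log('checkout marker');").decode()
SAMPLE = (
    '<img src="/media/logo.png" onerror="this.src=\'/media/placeholder.png\'">\n'
    f'<img src="data:image/png;base64,{base64.b64encode(bytes(range(256))).decode()}">\n'
    f'<img src="x" onerror="eval(atob(\'{INERT_B64}\'))">\n'
)

if __name__ == "__main__":
    print(audit_img_tags(SAMPLE))
```

A hit is a lead for manual review of that tag, not a verdict; legitimate inline images and simple fallback handlers pass because their Base64 decodes to binary and their handlers call no decode or eval function.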

As online shopping continues to grow, so does the need for robust cybersecurity measures to safeguard sensitive customer data from evolving threats like MageCart attacks.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.