Now that's different - hackers use miniature SVG images to try and hide credit card stealer
Card skimmers were found in 1x1 pixel SVG images
- Experts find credit card skimmer hidden in 1x1 SVG image
- Fake “Secure Checkout” overlay stole card data
- Likely exploited Magento PolyShell flaw, affecting many stores
Security researchers recently found a credit card skimmer on almost a hundred compromised ecommerce websites hiding in a tiny image.
Experts from Sansec reported finding 1x1-pixel Scalable Vector Graphics (SVG) elements with an ‘onload’ handler inside many e-commerce websites’ HTML.
“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” the researchers said. They explained that with this technique, the attackers did not have to create external script references that usually get picked up by security scanners. “The entire malware lives inline, encoded as a single string attribute.”
Leveraging PolyShell
Shoppers who tried to buy something from these websites were shown a fake “Secure Checkout” overlay during checkout, complete with card detail fields and a billing form.
Everything submitted through the overlay was validated in real time with a Luhn check, then sent to an attacker-controlled server as XOR-encrypted, base64-obfuscated JSON.
The researchers found a total of six domains used for data exfiltration, all of which were hosted in the Netherlands. Each was getting data from up to 15 confirmed victims.
Discussing how the websites may have been compromised, Sansec said it was possible that the attackers leveraged PolyShell, a vulnerability plaguing stable version 2 installations of Magento Open Source and Adobe Commerce, which was discovered in mid-March this year. Sansec, who were also the ones to discover PolyShell, warned about ongoing attacks at the time.
“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
Adobe patched it, but the fix was only available in the second alpha release for version 2.4.9, meaning production versions remained vulnerable.
This remains the case today, and Sansec recommends users hunt for hidden SVG tags, as well as monitor and block traffic coming from the attackers’ servers.
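One way to run that hunt over a store's rendered HTML or template files, as an added example (not Sansec's or TechRadar's code): it flags every SVG element that carries an onload handler and records whether it is 1x1 and uses atob() or setTimeout, decoding any literal base64 argument for review without executing it. The function names and the sample markup are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Matches atob('...') or atob("...") with a literal base64 argument.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class SvgOnloadScanner(HTMLParser):
    """Collect <svg> elements that carry an inline onload handler."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        handler = a.get("onload", "")
        if tag != "svg" or not handler:
            return
        m = ATOB_RE.search(handler)
        decoded = None
        if m:  # decoded for analyst triage only; never executed
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                pass
        self.findings.append({
            "line": self.getpos()[0],
            "tiny": a.get("width") in ("1", "1px") and a.get("height") in ("1", "1px"),
            "atob": "atob(" in handler, "settimeout": "settimeout(" in handler.lower(),
            "decoded": decoded,
        })


def scan_html(html):
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: harmless payload in the structure the researchers describe.
payload_b64 = base64.b64encode(b"console.log('constructed sample')").decode()
SAMPLE = (
    '<svg width="24" height="24"><circle r="10"/></svg>\n'
    f'<svg width="1" height="1" onload="setTimeout(atob(\'{payload_b64}\'),0)"></svg>\n'
)
print(scan_html(SAMPLE))
```

An SVG with an onload handler is not malicious by itself, so findings where `atob` is false still need a manual look rather than automatic removal.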
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.