
Hackers learned how to steal money using an invisible pixel

10:35 am, April 9, 2026

A massive attack on Magento-based online stores has demonstrated how sophisticated attackers have become. Almost a hundred sites were infected with hidden malicious code that disguises itself as a regular page element and invisibly intercepts customers' payment data.

On April 7, the Sansec team detected a new wave of Magecart attacks. The malware was injected directly into the pages' HTML as a tiny SVG element one pixel in size. Its onload attribute held an encoded script that ran automatically when the page loaded. This approach made it possible to bypass many security features, since there were no external scripts for the checks to detect.

After the infection, the site continued to work as usual, but when a user tried to proceed to payment, they saw a fake "Secure Checkout" window. The interface looked convincing: a card entry form, card number validation using the Luhn algorithm, and fields for the address and other data. After the information was entered, the script sent the data to the attackers and redirected the customer to the real payment page. In most cases, the spoofing went unnoticed.

The collected data was encrypted using a simple XOR with the "script" key, then encoded in base64 and sent to one of six domains. All addresses led to the same server in the Netherlands. The endpoint was disguised as a Facebook analytics service, which further complicated detection.

The likely entry point, according to Sansec, was exploitation of the PolyShell vulnerability. The vulnerability continues to affect unprotected Magento stores and allows malicious files to be uploaded without any restrictions.

After data transfer, the script saved a special token in the browser’s localStorage to avoid re-intercepting the information and returned the user to the normal checkout scenario.

The attack affected 99 stores, and some of the domains used for data extraction had not been used in similar campaigns before. Experts recommend checking the code of pages for suspicious SVG elements, analyzing network requests, and urgently closing file upload vulnerabilities.
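
The two checks recommended above can be scripted. The Python below is an added example, not code from Sansec or the original article: it flags SVG elements that carry an inline onload handler and decodes a captured request body that was XOR-ed with the "script" key and base64-encoded. The hint list, the byte-wise repeating-key reading of the XOR step, and both samples are assumptions constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from itertools import cycle

# Handler substrings hinting at unpack-and-run code (illustrative list, an assumption).
DECODE_HINTS = ("atob(", "eval(", "fromcharcode", "function(")

class SvgOnloadScanner(HTMLParser):
    """Collect every <svg> start tag that carries an inline onload handler."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SVG ONLOAD=...> matches too.
        attr = {name: (value or "") for name, value in attrs}
        if tag != "svg" or "onload" not in attr:
            return
        handler = attr["onload"].lower()
        tiny = all(attr.get(d, "").strip() in ("1", "1px") for d in ("width", "height"))
        hints = [h for h in DECODE_HINTS if h in handler]
        self.findings.append({"line": self.getpos()[0], "tiny": tiny, "hints": hints})

def scan_html(html):
    """Return one finding per <svg onload=...> element in the page source."""
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def xor_key(data, key=b"script"):
    """Repeating-key XOR; byte-wise key repetition is an assumption here."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_capture(b64_body):
    """Reverse the encoding the article describes: base64, then XOR with 'script'."""
    return xor_key(base64.b64decode(b64_body))

# Constructed sample page: a normal logo plus a 1x1 SVG with an encoded handler.
SAMPLE_HTML = """<html><body>
<svg width="120" height="40" viewBox="0 0 120 40"><title>logo</title></svg>
<svg width="1" height="1" onload="eval(atob('PLACEHOLDER'))"></svg>
</body></html>"""
# Constructed sample of a captured request body (no real card data).
SAMPLE_BODY = base64.b64encode(xor_key(b'{"card":"TEST-0000"}')).decode()
if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("suspicious svg:", finding)
    print("decoded capture:", decode_capture(SAMPLE_BODY))
```

A legitimate SVG can also use onload, so treat each finding as a lead to review by hand; the "tiny" and "hints" fields only help with ranking.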
