- Experts Find a Credit Card Skimmer Hidden in a 1×1 SVG Image
- Fake ‘Secure Payment’ Overlay Stole Card Data
- A Magento PolyShell flaw that affects many stores was probably exploited
Security researchers recently found a credit card skimmer on nearly a hundred compromised e-commerce websites hidden in a tiny image.
Sansec experts reported finding 1×1 pixel scalable vector graphics (SVG) elements with an “onload” handler within the HTML of many e-commerce websites.
“The load handler contains the entire skimmer payload, base64-encoded within an atob() call and executed via setTimeout,” the researchers said. They explained that with this technique, attackers did not have to create references to external scripts that are normally detected by security scanners. “All malware lives online, encoded as a single string attribute.”
Leveraging PolyShell
People trying to purchase something on these websites would be presented, during the checkout process, with a fake “Secure Payment” overlay that includes card details fields and a billing form.
Anything they sent this way would be validated in real-time using Luhn verification and then sent to a server controlled by the attacker in a base64-obfuscated, XOR-encrypted JSON format.
Investigators found a total of six domains used for the data breach, all of them hosted in the Netherlands. Each was obtaining data on up to 15 confirmed victims.
Discussing how the websites may have been compromised, Sansec said it was possible that attackers exploited PolyShell, a vulnerability affecting stable version 2 installations of Magento Open Source and Adobe Commerce, which was discovered in mid-March this year. Sansec, which also discovered PolyShell, warned about the attacks underway at the time.
“The massive PolyShell exploit began on March 19 and Sansec has found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
Adobe patched it, but the fix was only available in the second alpha version for version 2.4.9, meaning production versions were still vulnerable.
This is still the case today, and Sansec recommends users look for hidden SVG tags, as well as monitor and block traffic going to the attackers’ servers.
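The “look for hidden SVG tags” advice can be turned into a simple static check. The scanner below is an added example, not code from Sansec or from the article: it parses stored HTML with Python’s standard library, reports every inline `<svg>` that carries an `on*` event handler, and raises the severity when the element is 1×1 and the handler body contains `atob(`/`setTimeout` or a long base64-like run, which are exactly the traits the report describes. The sample page, the handler names and the encoded string are constructed for the demonstration (the encoded string is a harmless `console.log`, not a skimmer).

```python
import base64
import re
from html.parser import HTMLParser

# Traits of the skimmer described in the report: an inline event handler that
# decodes base64 with atob() and runs the result through setTimeout.
SUSPICIOUS_CALLS = ("atob(", "setTimeout", "eval(", "Function(")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _is_tiny(attrs):
    """True when the element is declared 1x1 via attributes or inline style."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    style = attrs.get("style", "")
    tiny_style = re.search(r"width\s*:\s*1px", style) and re.search(
        r"height\s*:\s*1px", style
    )
    return (w in ("1", "1px") and h in ("1", "1px")) or bool(tiny_style)


class SvgHandlerScanner(HTMLParser):
    """Collects every inline <svg> that carries an on* event handler."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        handlers = {k: v for k, v in attrs.items() if k.startswith("on")}
        if not handlers:  # a plain icon with no script hooks is not interesting
            return
        reasons = []
        if _is_tiny(attrs):
            reasons.append("1x1 dimensions")
        for name, body in handlers.items():
            hits = [c for c in SUSPICIOUS_CALLS if c in body]
            if hits:
                reasons.append(f"{name} calls {', '.join(hits)}")
            if BASE64_RUN.search(body):
                reasons.append(f"{name} embeds a long base64-like string")
        self.findings.append(
            {
                "line": self.getpos()[0],
                "handlers": sorted(handlers),
                "reasons": reasons,
                # One odd trait alone (e.g. an onclick on a menu icon) is noise;
                # two or more together match the reported skimmer pattern.
                "severity": "high" if len(reasons) >= 2 else "low",
            }
        )


def scan_html(html):
    """Return a list of findings for the given HTML document."""
    parser = SvgHandlerScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one hidden SVG in the reported style (with a harmless
# encoded string), one ordinary icon with a click handler, one plain icon.
HARMLESS = base64.b64encode(
    b"console.log('constructed sample, not a real payload');"
).decode()
SAMPLE_HTML = f"""<html><body>
<div class="checkout">
<svg width="1" height="1" onload="setTimeout(atob('{HARMLESS}'), 0)"></svg>
<svg width="24" height="24" onclick="toggleMenu()"><path d="M0 0h24v24H0z"/></svg>
<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>
</div>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against saved copies of checkout and cart pages; a “high” finding on a 1×1 SVG is worth pulling the page and decoding the handler body offline. The check is deliberately narrow, so it will miss a payload split across several attributes, but it costs nothing and flags the exact shape Sansec observed.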
Via BleepingComputer