Cybersecurity researchers have uncovered a new tactic employed by MageCart hackers to steal sensitive credit card information from e-commerce websites.
The attackers are embedding malicious JavaScript within <img> tags on Magento-based checkout pages, leveraging the inherent trust browsers place in such HTML elements to evade detection.
This technique represents a significant evolution in the persistent threat posed by MageCart malware.
Base64 Encoding and Onerror Exploitation
The malicious script is concealed within Base64-encoded content embedded in an <img> tag, which typically appears harmless to both users and security tools.
Unlike legitimate image references that point to file paths or URLs, this encoded content does not correspond to actual image data.
Instead, it contains JavaScript code designed to activate when an onerror event is triggered, an event normally used to handle image loading errors.
When the browser encounters an error loading the image, the onerror function executes the embedded JavaScript instead of displaying a broken image icon.
This clever misuse of a standard event handler allows the malware to bypass many security mechanisms while remaining inconspicuous.
How the Malware Operates
According to the Sucuri blog, the attack is highly targeted, activating only on checkout pages where users input payment details.
The script first verifies that the user is on the correct page and ensures it has not already executed during the current session.
Once these conditions are met, it waits for user interaction, such as clicking a “Submit” button.
At this point, the malware dynamically inserts a hidden form into the page, capturing sensitive information like credit card numbers, expiration dates, and CVV codes.
The data is then encoded and transmitted to a remote server controlled by the attackers, often using domains like “wellfacing[.]com.”
To further avoid detection, the script monitors changes to specific webpage elements and reinserts its malicious form if removed.
This ensures continuous operation without raising suspicion among users or site administrators.
MageCart attacks like this one highlight the increasing sophistication of cybercriminal tactics targeting online retailers.
By exploiting trusted web elements such as <img> tags and encoding malicious payloads in Base64, attackers achieve two critical objectives: avoiding detection by automated security tools and maintaining stealth during user interactions.
The consequences for affected businesses are severe.
Beyond financial losses for customers, companies face reputational damage and potential blacklisting by payment processors or search engines.
For consumers, these attacks underscore the risks associated with online shopping and emphasize the need for vigilance when entering payment details.
To combat such threats, e-commerce operators must adopt proactive security measures:
- Regularly update software platforms like Magento with the latest patches.
- Implement Web Application Firewalls (WAF) to detect and block suspicious activity.
- Enforce strong passwords and enable two-factor authentication for administrative access.
- Periodically scan website code for anomalies, particularly on checkout pages.
- Disable guest checkouts where feasible to reduce exposure to automated attacks.
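One way to apply the periodic code scan from the list above to a checkout page's HTML, as an added example that is not code from Sucuri or the original article. The regex heuristics, the 120-character threshold, the function names and the sample markup are all assumptions constructed for illustration.

```javascript
// Added example: heuristic scan of page HTML for <img> tags whose onerror
// handler looks like a script loader. Patterns and thresholds are assumptions.
const IMG_TAG = /<img\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
const ATTR = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const DECODE_CALLS = /\b(?:atob|eval|Function|fromCharCode|unescape)\s*\(/;
const BASE64_RUN = /[A-Za-z0-9+\/]{40,}={0,2}/;
const SRC_OK = /^(?:https?:)?\/\/|^\.{0,2}\/|\.(?:png|jpe?g|gif|svg|webp)(?:\?|$)/i;
const MAX_HANDLER_LENGTH = 120; // assumed: legitimate fallbacks are short

// Parse one tag into a lowercase-name -> value map (quoted or bare values).
function parseAttributes(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per <img> whose onerror handler trips a heuristic.
function scanImgOnerror(html) {
  const findings = [];
  for (const match of html.matchAll(IMG_TAG)) {
    const attrs = parseAttributes(match[0]);
    const handler = attrs.onerror;
    if (handler === undefined) continue;
    const reasons = [];
    if (DECODE_CALLS.test(handler)) reasons.push("decode-or-eval-call");
    if (BASE64_RUN.test(handler)) reasons.push("long-base64-run");
    if (handler.length > MAX_HANDLER_LENGTH) reasons.push("oversized-handler");
    if (reasons.length === 0) continue; // short, plain fallback handler
    // Supporting signal: src is not a file path or URL.
    if (!SRC_OK.test(attrs.src ?? "")) reasons.push("src-not-a-path-or-url");
    findings.push({ offset: match.index, reasons });
  }
  return findings;
}

// Constructed sample: harmless payload, encoded only to exercise the scanner.
const SAMPLE_B64 = Buffer.from("console.log('constructed, harmless sample')").toString("base64");
const SAMPLE_HTML = [
  `<img src="/media/logo.png" alt="logo" onerror="this.src='/media/fallback.png'">`,
  `<img src="x" style="display:none" onerror="eval(atob('${SAMPLE_B64}'))">`,
].join("\n");

console.log(JSON.stringify(scanImgOnerror(SAMPLE_HTML), null, 2));
```

The scan only sees markup present in the HTML it is given, so run it against both the stored templates or CMS blocks and the rendered checkout page; a hit is a lead for manual review, not a verdict.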
As cybercriminals continue to refine their techniques, robust security practices remain essential for safeguarding both business operations and customer trust.