Hidden Credit Card Stealer Impacts Magento Sites

Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Review this blog piece to read more about a fake WordPress admin creator.

Magento is a popular eCommerce CMS platform used by business owners to sell a variety of items. Because the CMS accepts credit card information, it is often a popular platform for attackers to exploit vulnerabilities and inject code that steals credit card information. In most cases, the type of attackers that target eCommerce platforms with the end goal of stealing credit cards are quite sophisticated, and therefore their malware is too. In this piece of malware I recently found, the malware was carefully crafted to hide in an img tag to avoid detection.

Hiding in an img tag

An img tag is used for exactly what it sounds like – displaying an image. But in this particular case, the malware was base64 encoded and hidden within an image tag as opposed to legitimate code to reference an image. The base64-encoded content is followed by an onerror handler, which gets triggered if there’s an issue loading a file or image. Normally, if an image doesn’t load, the browser just shows a broken image icon. But in this case, the onerror event is being hijacked to run JavaScript instead. To summarize:

  • The credit card stealer is hidden inside a base64-encoded string within an img tag to help it avoid detection
  • An onerror event is triggered when the image or file fails to load
  • Normally this causes a broken image icon to appear in the browser
  • In this case however, the onerror event is being abused to execute malicious JavaScript instead

This carefully crafted piece of malware shows new ways attackers are injecting malware into Magento websites to avoid detection and keep their malware hidden as long as possible.
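
One way to triage template or CMS-block content for the pattern described above, as an added example that is not code from the original article. The article does not say which attribute carries the base64 string, so this check inspects every attribute of an img tag that has an onerror handler; the 40-character threshold, the severity labels and the sample markup are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Leading bytes of common image formats (PNG, JPEG, GIF, WebP/RIFF).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8", b"RIFF")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # assumed triage threshold


def hides_non_image(value):
    """True if value holds a long base64 run that does not decode to an image."""
    for match in B64_RUN.finditer(value):
        raw = match.group().rstrip("=")
        try:
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not decodable, so not an encoded payload
        if not decoded.startswith(IMAGE_MAGIC):
            return True
    return False


class ImgOnerrorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, severity) per flagged <img>

    def handle_starttag(self, tag, attrs):
        # Only <img> tags that carry an inline onerror handler are reported.
        if tag != "img" or "onerror" not in dict(attrs):
            return
        blob = any(hides_non_image(value or "") for _, value in attrs)
        self.findings.append((self.getpos()[0], "high" if blob else "review"))


def audit(html):
    parser = ImgOnerrorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: harmless bytes stand in for image data and for a hidden blob.
PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()
TXT_B64 = base64.b64encode(b"constructed placeholder text, not an image " * 2).decode()
SAMPLE = f"""<img src="data:image/png;base64,{PNG_B64}" alt="logo">
<img src="/media/card.png" onerror="this.src='/media/placeholder.png'">
<img src="data:image/png;base64,{TXT_B64}" onerror="handle(this)">"""

print(audit(SAMPLE))
```

A "review" finding is an inline onerror handler with nothing encoded alongside it, such as a placeholder-image fallback; "high" means the same tag also carries base64 data that is not an image. Long URL paths can match the base64 pattern, so findings need manual confirmation.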

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2025/02/magento-credit-card-stealer-disguised-in-an-tag.html