A sophisticated attack targeting Magento e-commerce sites hides credit card-stealing malware in a 1x1 pixel SVG image; the attackers are believed to have broken into the nearly 100 affected stores through the PolyShell vulnerability.
Hackers are using an ingenious technique to hide credit card-stealing malware in Magento e-commerce stores, embedding the malicious code inside a pixel-sized SVG image that bypasses traditional security scanners.
The SVG Payload Trick
The attack, discovered by eCommerce security firm Sansec, injects malware as a 1x1-pixel SVG element with an onload handler into compromised websites' HTML. When victims click the checkout button, they're presented with a convincing fake "Secure Checkout" overlay that captures and validates their payment information.
"The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout," Sansec explains. "This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute."
This approach is effective because the malicious code stays entirely within the page's own HTML rather than being loaded from an external script, which is where most security tools look for skimmers and which they can block by hostname. The payload is still present in the served markup, however, so a scanner that inspects inline event-handler attributes rather than only external script references can find it.
How the Attack Works
When unsuspecting buyers proceed to checkout on compromised stores, the malicious script intercepts their click and displays the fake overlay. The overlay includes card details fields and a billing form that appears legitimate to victims.
Payment data submitted through this fake interface is checked in real time with the Luhn algorithm, the same checksum legitimate payment forms use to catch mistyped card numbers. The check cannot tell whether a card is real or active, but it rejects typos, which makes the overlay feel genuine to the victim and ensures the records the attackers collect are more likely to be usable.
The exfiltrated data is sent as JSON that has been XORed with a key and then base64-encoded, so card numbers do not appear in plaintext in network traffic and simple content inspection will not match them.
The PolyShell Vulnerability Connection
Sansec researchers believe attackers gained initial access by exploiting the PolyShell vulnerability disclosed in mid-March. This critical flaw affects every stable 2.x release of Magento Open Source and Adobe Commerce and allows unauthenticated code execution and complete account takeover.
"More than half of all vulnerable stores were targeted in PolyShell attacks," Sansec warned. In some of those cases the attackers deployed payment card skimmers that used WebRTC for stealthy data exfiltration, chaining the initial-access flaw with a data-theft payload for maximum impact.
Scale and Infrastructure
The campaign has impacted nearly 100 online stores, with Sansec identifying six exfiltration domains hosted at IncogNet LLC (AS40663) in the Netherlands. Each domain receives data from 10 to 15 confirmed victim stores, suggesting a well-organized operation with infrastructure designed to handle data from multiple compromised sites.
Protection and Mitigation
Sansec recommends several immediate actions for Magento store owners:
- Search for hidden SVG tags: Look for SVG elements with `onload` attributes containing `atob()` calls and remove them from site files
- Check browser storage: Monitor for the presence of `_mgx_cvkey` in browser localStorage, which indicates payment data may have been stolen
- Monitor network requests: Block requests to `/fb_metrics.php` or any unfamiliar analytics-like domains
- Block malicious infrastructure: Block all traffic to IP address `23.137.249.67` and associated domains
Adobe's Response and Ongoing Risk
As of publication, Adobe has not released a security update that addresses the PolyShell flaw in production versions of Magento. A fix is available only in pre-release builds, 2.4.9-alpha3 and later.
Adobe has not responded to repeated requests for comment on the vulnerability and ongoing attacks, leaving Magento store owners in a difficult position.
Website owners and administrators are advised to apply all available mitigations immediately and, where possible, move to the 2.4.9 pre-release build that contains the fix, accepting the inherent risks of running pre-production software.
Broader Context
This attack demonstrates how threat actors continue to evolve their techniques to evade detection. By using legitimate HTML elements like SVG images and encoding payloads to avoid external script references, attackers can bypass many traditional security controls.
The campaign also highlights the critical importance of prompt patching, as the PolyShell vulnerability has been publicly known for weeks yet remains unpatched in production Magento versions. This delay between vulnerability disclosure and patch availability creates a window of opportunity that sophisticated attackers are quick to exploit.
For e-commerce businesses, this serves as a reminder that security requires constant vigilance, rapid response to vulnerabilities, and layered defenses that can catch attacks even when initial prevention measures fail.