Cybersecurity researchers have uncovered a stealthy credit card skimming campaign targeting e-commerce sites powered by Magento. Threat actors are exploiting the onerror event in <img> tags to inject malicious JavaScript, allowing them to harvest sensitive payment information without detection.
Magecart Skimmers: A Persistent Cyber Threat
Magecart refers to a collective of cybercriminal groups that specialize in stealing payment card details from online stores. These attackers employ both client-side and server-side techniques to embed skimming malware into e-commerce sites, compromising checkout pages to exfiltrate payment credentials.
Typically, these skimmers activate when a user enters their payment details at checkout. The malicious code either overlays a fake form or captures the data in real time, transmitting it to an attacker-controlled server.
Historically, Magecart campaigns have evolved to evade security measures by embedding malicious scripts in seemingly harmless elements such as images, audio files, favicons, and even 404 error pages. This latest attack follows the same approach, leveraging <img> tags as a decoy to remain undetected.
How the Attack Works: JavaScript Execution via Onerror Event
According to Sucuri researcher Kayleigh Martin, this attack conceals JavaScript payloads within the <img> tag, utilizing Base64 encoding to obscure its presence. The malicious code is triggered through the onerror event, a browser function designed to handle image loading failures.
"If an image fails to load, the onerror function usually displays a broken image icon. However, in this case, attackers hijack the event to execute JavaScript instead," Martin explained.
Since <img> tags are generally perceived as non-threatening, security scanners often overlook them. The malware specifically checks if the user is on a checkout page, then activates once the submit button is clicked, silently transmitting payment data to an external server.
Malicious Form Injection and Data Exfiltration
The injected JavaScript dynamically inserts a rogue payment form containing fields for:
Card Number
Expiration Date
CVV
Once the user submits their payment details, the malware forwards the stolen information to a remote server hosted at wellfacing[.]com.
This technique allows attackers to evade detection while ensuring that users remain unaware of any tampering. "By encoding the malicious script within an <img> tag, attackers bypass security scans while keeping the form insertion seamless," Martin noted.
Expanding Beyond Magento: WordPress Backdoors
In a related discovery, cybersecurity analysts found attackers leveraging the mu-plugins (must-use plugins) directory in WordPress to implant backdoors. Unlike regular plugins, must-use plugins are automatically loaded on every page without appearing in the WordPress admin panel, making them an attractive target for persistent malware.
"Attackers exploit this directory to maintain stealth and evade detection, as these files execute automatically and are difficult to disable," said Puja Srivastava.
Protecting E-Commerce Sites from Magecart Attacks
Given the increasing sophistication of payment skimming attacks, e-commerce site owners should take proactive steps to secure their platforms:
Monitor for unauthorized JavaScript injections using security tools.
Implement Content Security Policy (CSP) to prevent malicious scripts from executing.
Regularly update Magento, WooCommerce, and PrestaShop to patch known vulnerabilities.
Scan for obfuscated code within <img> tags and other HTML elements.
Use Web Application Firewalls (WAFs) to detect and block Magecart-style threats.
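As an added illustration of the scanning step above (not code from Sucuri or from the original article), the following Python scanner parses HTML and flags <img> event-handler attributes that call a decoder or carry a Base64 run that decodes to readable text. The heuristics, function names and sample markup are assumptions constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristics chosen for this example (assumptions, not Sucuri's signatures).
DECODE_HINTS = re.compile(r"\b(?:atob|eval|Function|fromCharCode|unescape)\b")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decodes_to_text(run):
    """True if a Base64-looking run decodes to mostly printable bytes."""
    try:
        raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return bool(raw) and printable / len(raw) > 0.9

class ImgHandlerScanner(HTMLParser):
    """Collects <img> event-handler attributes that look obfuscated."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, attribute, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if not name.startswith("on") or not value:
                continue
            reasons = []
            if DECODE_HINTS.search(value):
                reasons.append("decode/eval call")
            if any(decodes_to_text(r) for r in B64_RUN.findall(value)):
                reasons.append("base64 blob decoding to text")
            if reasons:
                self.findings.append((self.getpos()[0], name, reasons))

def scan(html):
    scanner = ImgHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one benign handler, one encoded handler, one plain image.
_blob = base64.b64encode(b"console.log('constructed placeholder, not a skimmer');").decode()
SAMPLE = f"""<img src="/media/logo.png" alt="logo" onerror="this.style.display='none'">
<img src="x" onerror="new Function(atob('{_blob}'))()">
<img src="/media/banner.jpg" alt="banner">
"""

if __name__ == "__main__":
    for line, attr, reasons in scan(SAMPLE):
        print(f"line {line}: <img {attr}=...> flagged: {', '.join(reasons)}")
```

The benign fallback handler on the first image is not flagged, which keeps the result list short enough to review by hand when the scanner is run over exported templates or CMS content.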
As cybercriminals continue refining their tactics, businesses must stay vigilant against emerging threats. Proactive security measures and regular audits can help prevent financial losses and protect customers from data breaches.