Hackers Hide Credit Card Stealer in Pixel-Sized SVG Images Targeting Magento Stores

Security researchers have identified a large-scale campaign targeting nearly 100 online stores running the Magento e-commerce platform. Attackers embedded credit card stealing scripts inside pixel-sized Scalable Vector Graphics (SVG) images, enabling the theft of payment data while remaining concealed from conventional detection methods.

What happened

A massive skimming campaign was uncovered where hackers compromised nearly 100 Magento online stores. Instead of traditional JavaScript injections, the malicious actors hid their credit card stealing code inside an SVG image only a pixel in size. This steganographic technique allows the malicious code to blend into the store's visual content, bypassing many security checks and thwarting detection mechanisms that focus on script injections.

The use of pixel-sized SVG images to conceal web skimmers represents an evolution in attack tactics, leveraging the flexibility of vector graphics to embed malicious payloads invisibly on compromised e-commerce websites. This novel approach complicates the efforts of defenders trying to detect and remove the skimming scripts from affected stores.

Why it matters

The campaign highlights an increasing sophistication in web skimming tactics targeting e-commerce platforms, particularly Magento, which remains a popular choice for online retailers. By embedding credit card stealer code in SVG images, attackers evade traditional detection tools designed to identify script-based malicious injections, posing a significant risk to consumers’ payment information.

For online retailers, such obfuscation techniques can result in prolonged compromises, increased data theft, and ultimately damage to reputation and customer trust. This incident underscores the need for enhanced security monitoring and novel detection approaches to identify attacks hidden within unconventional elements like SVG files.

What security teams should do

Security teams responsible for Magento stores should conduct comprehensive code audits that include examining SVG and other media files for embedded code. Monitoring for unusual network requests to or from SVG files can also help identify potential compromises.

Additionally, implementing content security policies (CSPs) that restrict where scripts can be loaded from, and regularly updating Magento installations and extensions, may reduce the attack surface. Leveraging web application firewalls (WAFs) configured to detect anomalous payloads can provide further protection against such skimming attempts.

Key technical details

The attackers employed a technique that conceals credit card stealing scripts inside an SVG image reduced to a single pixel in size. This vector graphic contains embedded malicious code executed when the compromised Magento store loads the image.

Because SVG files are typically expected to contain harmless graphical data and are seldom scrutinized for active scripting, the malicious code remains hidden from standard script scanning methods. This method exploits the SVG format's ability to contain embedded scripts and events, which can be triggered in the victim's browser to intercept payment details during checkout.
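The audit recommended under "What security teams should do" and the SVG behaviour described above can be checked with a scanner like the following. This is an added example, not code from the original report or from Magento; the function names, the set of flagged patterns and the sample markup are assumptions constructed for illustration. It reports script elements, event-handler attributes and javascript: URLs found inside SVG markup, and notes SVGs sized at one pixel or less.

```python
import re
from html.parser import HTMLParser

def _tiny(value):
    """True when a width/height is at most 1 (unit suffix such as px ignored)."""
    m = re.match(r"\s*(\d*\.?\d+)", value or "")
    return bool(m) and float(m.group(1)) <= 1

class SvgAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth, self.findings = 0, []  # findings: (line, text) pairs

    def _flag(self, text):
        self.findings.append((self.getpos()[0], text))

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
            dims = dict(attrs)
            if _tiny(dims.get("width")) and _tiny(dims.get("height")):
                self._flag("pixel-sized <svg>")
        if not self.depth:
            return  # only content inside an <svg> is in scope
        if tag in ("script", "foreignobject"):
            self._flag(f"<{tag}> inside <svg>")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):  # onload, onerror, onbegin, ...
                self._flag(f"event handler {name} on <{tag}>")
            elif name in ("href", "xlink:href") and url.startswith("javascript:"):
                self._flag(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1

def scan_markup(text):
    """Scan a standalone SVG file or an HTML template containing inline SVG."""
    audit = SvgAudit()
    audit.feed(text)
    audit.close()
    return audit.findings

# Constructed sample: the handler body is a harmless placeholder.
SAMPLE = """<div class="checkout">
<svg width="1" height="1" onload="void 0"></svg>
<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>
</div>"""
```

Run `scan_markup` over each SVG file and template in the store's web root and review the findings by hand, since legitimate animated SVGs can also carry event attributes.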

Affected organizations/products

Nearly 100 online stores built on the Magento e-commerce platform have been impacted by this campaign. No other platforms or products were reported as affected by this specific SVG-based credit card stealing technique.

Source attribution

https://www.bleepingcomputer.com/news/security/hackers-use-pixel-large-svg-trick-to-hide-credit-card-stealer/

Written by Thirumala Rao Padilam