Categories: Cyber Security News

Hackers Use SVG onload Trick to Hide Magecart Skimmer on Magento Checkout Pages

Security researchers have uncovered a stealthy Magecart campaign abusing SVG image elements to hide credit card skimmers on Magento checkout pages, impacting nearly 100 online stores.

According to Sansec, attackers deployed a sophisticated skimmer designed to evade traditional security tools while silently harvesting payment data.

The campaign primarily targets Magento-based e-commerce platforms, with evidence suggesting exploitation of the long-standing PolyShell vulnerability as the initial access vector.

This vulnerability continues to affect unpatched Magento environments, allowing attackers to inject malicious code directly into store pages.

SVG Onload Injection Technique

Instead of relying on external JavaScript files, which are often detected by security scanners, the attackers embed their entire payload within a tiny, invisible SVG image.

The malicious code is base64-encoded and executed via the SVG’s onload event. Because the payload resides inline within HTML, it bypasses many detection mechanisms that look for suspicious third-party scripts.

For example, a 1×1 pixel SVG element is injected into the checkout page, triggering execution as soon as the page loads without raising visible indicators.

Once active, the skimmer waits for user interaction. It registers a capture-phase (useCapture) click listener so it can intercept clicks on checkout buttons before the store's legitimate scripts see them.

When a shopper attempts to proceed to checkout:

  • The malware blocks the original action.
  • A fake “Secure Checkout” overlay is displayed.
  • The overlay mimics legitimate payment forms, increasing the likelihood of user trust.

// checkoutUrl and show() are defined elsewhere in the skimmer
document.addEventListener(
  "click",
  function (e) {
    var el = e.target.closest('a,button,[role="button"]');
    if (!el) return;
    var href = el.getAttribute("href") || "";
    if (
      (href && checkoutUrl.includes(href)) ||
      el.getAttribute("data-role") === "proceed-to-checkout" ||
      el.id === "top-cart-btn-checkout"
    ) {
      e.preventDefault();
      e.stopImmediatePropagation();
      show(); // display fake checkout overlay
    }
  },
  true,
);

This approach ensures victims unknowingly submit their payment details directly to the attacker-controlled script.

After capturing the data, the malware encrypts it using a simple XOR cipher with the key “script,” followed by base64 encoding. This dual-layer obfuscation helps evade detection during transmission.
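For incident responders who have captured one of the POST bodies, the following is an added example (not code from the article or from Sansec) that reverses the base64-over-XOR layering with the reported key and triages the result for Luhn-valid, card-length digit runs. The sample record is constructed and uses the well-known 4111 1111 1111 1111 test number.

```python
import base64
import json
import re

XOR_KEY = b"script"  # key reported for this campaign


def xor_bytes(data, key=XOR_KEY):
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil(body):
    """Undo base64(XOR(data, "script")) on a captured POST body and return text."""
    raw = base64.b64decode(body.strip(), validate=True)  # ValueError if not base64
    return xor_bytes(raw).decode("utf-8", "replace")


def luhn_ok(digits):
    """Luhn checksum, used to separate likely card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit runs of card length (13-19) in text that pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]


# Constructed sample: what a captured exfil body would look like for a test record.
SAMPLE_RECORD = json.dumps({"cc": "4111111111111111", "exp": "12/29", "cvv": "000"})
SAMPLE_BODY = base64.b64encode(xor_bytes(SAMPLE_RECORD.encode())).decode()
```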

The stolen data is then sent via POST requests to attacker-controlled domains, disguised as Facebook analytics traffic using endpoints like /fb_metrics.php. To further evade analysis, destination URLs are double-encoded.

Notably, all identified domains resolve to the IP address 23.137.249.67, hosted by IncogNet in the Netherlands.

To reduce suspicion, the skimmer sets a browser flag (_mgx_cv) in local storage after successful data theft, preventing repeated targeting of the same user.

Finally, victims are redirected back to the legitimate checkout page, making the attack virtually invisible from a user perspective.

Indicators of Compromise

Key indicators linked to this campaign include:

  • Inline SVG elements with onload JavaScript execution.
  • Base64-encoded payloads executed via atob() and setTimeout.
  • Data exfiltration to domains resolving to 23.137.249.67.
  • Network requests to /fb_metrics.php endpoints.
  • Presence of _mgx_cv in browser local storage.
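A defender-side scanner for the first four indicators, added here as an example (it is not Sansec's or the article's code): it parses saved page HTML, pulls the onload handler off every inline SVG, decodes any base64 literal passed directly to atob(), and flags the campaign's markers in the handler and decoded payload. The sample page, the inert marker strings in its payload, and the function names in that payload are constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Indicators from the campaign described above.
EXFIL_PATH = "/fb_metrics.php"
STORAGE_FLAG = "_mgx_cv"
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")  # base64 literal passed to atob()


class SvgOnloadFinder(HTMLParser):  # collects the onload handler of every inline <svg>
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":  # HTMLParser lowercases tag and attribute names
            self.handlers += [v for k, v in attrs if k == "onload" and v]


def decode_atob_payloads(handler):
    """Decode each base64 literal handed to atob() inside the handler."""
    out = []
    for b64 in ATOB_RE.findall(handler):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64: leave it for manual review
            pass
    return out


def scan_html(html):
    """Return one finding per inline <svg onload=...>, flagging the campaign indicators."""
    finder = SvgOnloadFinder()
    finder.feed(html)
    findings = []
    for handler in finder.handlers:
        payloads = decode_atob_payloads(handler)
        text = handler + "".join(payloads)  # search handler and decoded payload together
        findings.append({
            "uses_atob": "atob(" in handler,
            "uses_settimeout": "setTimeout" in text,
            "exfil_path": EXFIL_PATH in text,
            "storage_flag": STORAGE_FLAG in text,
            "decoded_payloads": payloads,
        })
    return findings


# Constructed sample page; the decoded "payload" only carries marker strings and hypothetical names.
SAMPLE_PAYLOAD_JS = "sendTo('/fb_metrics.php'); setFlag('_mgx_cv');"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD_JS.encode()).decode()
SAMPLE_HTML = '<svg width="1" height="1" onload="setTimeout(function(){eval(atob(\'' + SAMPLE_B64 + '\'))},0)"></svg>'
```

Skimmers that build the base64 string from concatenated fragments will not match the atob() regex, so treat any inline SVG onload handler as worth a manual look even when only uses_settimeout is set.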

This campaign highlights how attackers continue to evolve Magecart techniques, leveraging lesser-monitored HTML features like SVG to bypass defenses and compromise online shoppers at scale.


The post Hackers Use SVG onload Trick to Hide Magecart Skimmer on Magento Checkout Pages appeared first on Cyber Security News.
