Full Report
A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image. [...]
Analysis Summary
# Tool/Technique: SVG Onload Magecart Skimmer
## Overview
This technique involves a sophisticated credit card skimming campaign targeting Magento e-commerce platforms. It utilizes a pixel-sized Scalable Vector Graphics (SVG) image to embed malicious JavaScript. The primary purpose is to intercept checkout processes and steal customer payment information (PII and credit card data) through fake overlays.
## Technical Details
- **Type:** Malware (Magecart Skimmer)
- **Platform:** Magento Open Source, Adobe Commerce (v2)
- **Capabilities:** Credential/Data theft, UI Redressing (Overlay), Data Validation (Luhn algorithm), Exfiltration.
- **First Seen:** April 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (PolyShell vulnerability)
- **TA0003 - Persistence**
  - T1505.003 - Server Software Component: Web Shell (via PolyShell RCE)
- **TA0005 - Defense Evasion**
  - T1140 - Deception/Encoding: Base64 and XOR Obfuscation
  - T1027 - Obfuscated Files or Information: Inline SVG script injection
- **TA0006 - Credential Access**
  - T1556 - Modify Authentication Process (Payment form interception)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Stealthy Injection:** The malware is injected as a 1x1-pixel SVG element within the site's HTML. It uses an `onload` handler to execute code, avoiding external script tags that security scanners often flag.
- **Payload Execution:** The malicious payload is Base64-encoded inside an `atob()` call and executed via `setTimeout()`.
- **Payment Interception:** Intercepts clicks on the "Checkout" button to disrupt the legitimate flow.
- **Fake Overlay:** Displays a convincing "Secure Checkout" UI overlay to collect card numbers, CVVs, and billing addresses.
### Advanced Features
- **Real-time Validation:** Uses the Luhn algorithm to verify credit card number validity before exfiltration, ensuring the quality of stolen data.
- **Obfuscated Exfiltration:** Data is packaged into JSON, XOR-encrypted, and Base64-obfuscated before being sent to the C2.
- **Local Storage Usage:** Utilizes browser `localStorage` (specifically a key named `_mgx_cv`) to track state or store data.
## Indicators of Compromise
- **File Hashes:** N/A (Code is injected inline into database/HTML templates)
- **File Names:** `fb_metrics.php` (targeted URI for exfiltration)
- **Local Storage:** `_mgx_cv`
- **Network Indicators:**
  - `23[.]137[.]249[.]67` (IP Address)
  - `atob()` calls within SVG `onload` attributes
- **Behavioral Indicators:**
  - Sudden appearance of `atob()` or `setTimeout()` within SVG tags.
  - Unexpected network calls to external domains during the checkout process.
## Associated Threat Actors
- **Magecart Groups:** (Specific group identifier not assigned, but follows Magecart TTPs).
## Detection Methods
- **Signature-based:** Scan website source code or database dumps for the pattern: `<svg ... onload="...atob(...setTimeout(...">`.
- **Behavioral:** Monitor for unexpected DOM changes (overlays) triggered by clicks on buttons with IDs related to checkout.
- **Client-Side Monitoring:** Alert on the creation of the `_mgx_cv` key in browser `localStorage`.
- **Network Level:** Monitor for POST requests to unfamiliar domains or the specific `/fb_metrics.php` endpoint.
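The signature-based and client-side checks above can be combined into one scan over rendered pages or template rows dumped from the database. The following is an added example, not code from the report: it parses HTML, records every `<svg>` whose `onload` attribute pairs `atob()` with `setTimeout()`, Base64-decodes the literal inside `atob()`, and reports which report indicators (`_mgx_cv`, `fb_metrics.php`, `localStorage`) appear in the decoded text. The sample HTML is constructed; its encoded payload is a harmless `console.log` placeholder, not the campaign's code.

```python
import base64
import re
from html.parser import HTMLParser

# Strings from the report's indicator list; their presence in a decoded payload
# raises confidence in a finding. "checkout" is an added, hypothetical keyword.
PAYLOAD_INDICATORS = ("_mgx_cv", "fb_metrics.php", "localStorage", "checkout")

ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_atob_literals(handler):
    """Base64-decode every atob('...') string literal found in an event handler."""
    decoded = []
    for match in ATOB_LITERAL.finditer(handler):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            decoded.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable base64>")
    return decoded


class SvgOnloadScanner(HTMLParser):
    """Record every <svg> whose onload attribute combines atob() and setTimeout()."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        attrs = dict(attrs)
        onload = attrs.get("onload") or ""
        lowered = onload.lower()
        if "atob(" not in lowered or "settimeout(" not in lowered:
            return
        decoded = decode_atob_literals(onload)
        hits = sorted({ind for ind in PAYLOAD_INDICATORS for text in decoded if ind in text})
        self.findings.append({
            "line": self.getpos()[0],                      # line of the <svg> tag
            "size": (attrs.get("width"), attrs.get("height")),
            "onload": onload,
            "decoded": decoded,
            "indicators": hits,
        })


def scan_html(html):
    """Scan one page (or one template row from a database dump); return findings."""
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign placeholder in the shape the report describes
# (1x1 SVG, onload -> setTimeout(atob(...))). The decoded text is only a console.log.
_PLACEHOLDER_JS = "console.log('placeholder'); localStorage.getItem('_mgx_cv');"
_PLACEHOLDER_B64 = base64.b64encode(_PLACEHOLDER_JS.encode()).decode()

SAMPLE_HTML = f"""
<html><body>
<svg width="120" height="40" viewBox="0 0 120 40"><text x="0" y="20">Shop logo</text></svg>
<img src="/static/hero.png" onload="this.classList.add('loaded')">
<svg width="1" height="1" onload="setTimeout(atob('{_PLACEHOLDER_B64}'), 0)"></svg>
<button id="checkout-button">Checkout</button>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: {f['size'][0]}x{f['size'][1]} svg, indicators={f['indicators']}")
        for text in f["decoded"]:
            print("  decoded:", text)
```

The logo SVG and the image's own `onload` are left alone; only the 1x1 element with the `atob()`/`setTimeout()` pair is reported, together with the decoded text so an analyst can triage without running it. Run the same function over each row of a `core_config_data` or CMS block export to cover injections stored in the database rather than in files.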
## Mitigation Strategies
- **Patch Management:** Upgrade Magento/Adobe Commerce to version 2.4.9-alpha3+ or apply mitigations for the PolyShell vulnerability.
- **Content Security Policy (CSP):** Implement a strict CSP that blocks inline scripts and inline event-handler attributes (such as SVG `onload`) and restricts the destinations to which the page may send data (`connect-src`).
- **Subresource Integrity (SRI):** This campaign injects its code inline rather than loading an external file, so SRI does not stop it directly, but ensuring all third-party scripts carry integrity hashes can prevent secondary infections.
- **Integrity Monitoring:** Use File Integrity Monitoring (FIM) or database triggers to detect unauthorized changes to the site's HTML templates.
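To check whether a store's CSP actually enforces the two controls named above, the following added example (not from the report) parses a `Content-Security-Policy` header and reports the weaknesses that matter for an inline-SVG skimmer: script execution from inline handlers, `setTimeout(string)` evaluation, and an unrestricted `connect-src`. The weak and strict policies are constructed samples, and the nonce value and `payments.example` host are placeholders.

```python
# Scheme-only source expressions that permit any host using that scheme.
SCHEME_SOURCES = {"http:", "https:", "ws:", "wss:", "data:", "blob:"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def evaluate_csp(header):
    """Return the weaknesses relevant to an inline-SVG skimmer; an empty list
    means inline handlers, string eval and arbitrary connect destinations are blocked."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    if not script:
        findings.append("no script-src or default-src: any script, inline or remote, may run")
    if "*" in script:
        findings.append("script-src allows *: scripts may be loaded from any origin")
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source is
    # present, so it only weakens the policy when neither is listed.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an SVG onload= handler would execute")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': setTimeout(string) can evaluate a decoded payload")

    connect = effective_sources(policy, "connect-src")
    if not connect or "*" in connect or any(s in SCHEME_SOURCES for s in connect):
        findings.append("connect-src is unrestricted: fetch/XHR may reach any host, so exfiltration is not blocked")
    return findings


def connect_allowed(policy, origin):
    """Small matcher: does connect-src (or default-src) permit this origin?
    Handles '*', scheme-only sources and exact origin/host matches; it does not
    implement full CSP host matching (ports, wildcard subdomains, 'self' resolution)."""
    scheme, _, host = origin.partition("://")
    for src in effective_sources(policy, "connect-src"):
        if src == "*" or src == scheme + ":" or src in (origin, host):
            return True
    return False


# Constructed sample policies. The nonce is a placeholder; a real one is generated per response.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
    "connect-src 'self' https://payments.example; object-src 'none'; base-uri 'self'"
)

if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, "->", evaluate_csp(header) or ["no findings"])
        # The report's C2 address, checked as a connect destination.
        print("  C2 reachable:", connect_allowed(parse_csp(header), "http://23.137.249.67"))
```

The strict policy passes because a nonce makes any leftover `'unsafe-inline'` inert, no `'unsafe-eval'` is granted, and `connect-src` names only the store itself and its payment provider. A policy that still needs `'unsafe-inline'` for legacy Magento widgets should be treated as an open finding, since that single keyword is what lets an injected `onload` attribute run.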
## Related Tools/Techniques
- **PolyShell Flaw:** The unauthenticated RCE vulnerability used for initial entry.
- **WebRTC Exfiltration:** A similar stealthy exfiltration method previously used by these actors.
- **UI Redressing:** General technique of overlaying malicious elements on top of legitimate ones.