
Hackers use pixel-large SVG trick to hide credit card stealer

Why This Matters

This campaign highlights a sophisticated method attackers use to hide credit card-stealing malware within tiny SVG images, exploiting a Magento vulnerability to compromise nearly 100 online stores. Because the obfuscated code lives entirely inline rather than in an external script, it evades scanners that key on external script references, which is why e-commerce platforms need detection that inspects inline markup as well. It also underscores the importance of timely patching to prevent widespread data breaches affecting consumers and businesses alike.

Key Takeaways

A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image.

When a victim clicks the checkout button, they are shown a convincing overlay that collects card details and billing data and validates them in real time.

The campaign was discovered by e-commerce security company Sansec, whose researchers believe that the attacker likely gained access by exploiting the PolyShell vulnerability disclosed in mid-March.

PolyShell impacts all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.

Sansec warned that more than half of all vulnerable stores were targeted in PolyShell attacks, which in some cases deployed payment card skimmers using WebRTC for stealthy data exfiltration.

In the latest campaign, the researchers found that the malware is injected as a 1x1-pixel SVG element with an ‘onload’ handler into the target website’s HTML.

“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” Sansec explains.

“This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.”

When unsuspecting buyers click checkout on compromised stores, a malicious script intercepts the click and displays a fake “Secure Checkout” overlay that includes card details fields and a billing form.

Payment data submitted on this page is validated in real time using the Luhn check and exfiltrated to the attacker as JSON that is XOR-encrypted and base64-obfuscated.
