xiand.ai
Apr 9, 2026 · Updated 01:24 PM UTC
Cybersecurity

Hackers Hide Credit Card-Stealing Malware in Tiny SVG Images

Nearly 100 Magento-based online stores have been compromised by hackers who are using 1x1-pixel SVG images to covertly siphon off customer payment and credit card information.

Ryan Torres

2 min read

Conceptual representation of malicious code hidden in an SVG file.

E-commerce security firm Sansec recently reported a large-scale payment data theft campaign targeting nearly 100 online stores running on the Magento platform. Attackers are embedding malicious code within 1x1-pixel Scalable Vector Graphics (SVG) files, a stealthy technique designed to evade standard security scans.

Researchers believe the campaign likely exploits the "PolyShell" vulnerability disclosed in mid-March. This flaw affects all versions of Magento Open Source and Adobe Commerce, allowing unauthenticated attackers to execute remote code and hijack site accounts. According to Sansec, more than half of the vulnerable stores have already been targeted by PolyShell attacks.

A Stealthy Payload

In these attacks, the malware is injected into the site's HTML as an SVG element. Sansec explains: "The onload handler contains the full skimmer payload, hidden via Base64 encoding within an atob() call and executed using a setTimeout function."

This method avoids the need for external script references, which most security scanners prioritize when checking for threats; the malicious code exists only as an inline string directly on the page. When a user clicks the "checkout" button, the script intercepts the action and triggers a fake "secure checkout" overlay. This interface tricks users into entering their credit card and billing details, which are validated in real time with the Luhn algorithm before being exfiltrated to the attackers as JSON obscured by XOR encryption and Base64 encoding.

Sansec has identified six domains used for data exfiltration, all hosted by the Dutch provider IncogNet LLC, with each domain linked to an average of 10 to 15 victims. Investigations confirm that the stolen data includes full payment credentials.

To date, Adobe has not released an official security patch for the PolyShell vulnerability in production environments, offering fixes only in pre-release versions 2.4.9-alpha3 and later. Adobe did not respond to requests for comment.

Security experts advise site administrators to immediately scan their code for SVG tags containing an onload attribute and to remove any segments featuring the atob() function. Additionally, checking browser local storage for the "_mgx_cv" key is an effective way to determine if payment data has been compromised. Administrators should also monitor for and block suspicious requests directed at /fb_metrics.php and implement traffic blocks for the Dutch IP address 23.137.249.67.
