Full Report
Cybersecurity researchers have flagged a credit card stealing malware campaign that has been observed targeting e-commerce sites running Magento by disguising the malicious content within image tags in HTML code in order to stay under the radar. MageCart is the name given to a malware that's capable of stealing sensitive payment information from online shopping sites. The attacks are known to
Analysis Summary
# Tool/Technique: Payment Skimmer via `onerror` Event in Image Tags (MageCart Context)
## Overview
This describes a credit card stealing campaign, associated with MageCart activity, that leverages a specific HTML attribute—the `onerror` event within an `<img>` tag—to execute malicious JavaScript designed to skim payment information from e-commerce checkout pages, particularly affecting Magento sites.
## Technical Details
- Type: Technique / Skimmer Payload Deployment
- Platform: Web Browsers (Client-Side, targeting e-commerce websites)
- Capabilities: Concealing malicious JavaScript via Base64 encoding within an HTML tag attribute, execution via browser error handling, dynamic form injection, and data exfiltration.
- First Seen: The article mentions this is a recent observation flagged by researchers. (Specific date not provided beyond article date: Feb 18, 2025)
## MITRE ATT&CK Mapping
The skimmer runs in the shopper's browser and collects checkout data client-side, so the mapping centres on execution, collection and exfiltration. Technique IDs below are corrected to the current ATT&CK catalogue.
- **TA0001 - Initial Access**: the report does not describe how the store itself was compromised. T1190 - Exploit Public-Facing Application would apply if a Magento vulnerability was used to plant the tag; T1189 - Drive-by Compromise is a poor fit, since the shopper's own system is never compromised.
- **TA0002 - Execution**
- T1059.007 - Command and Scripting Interpreter: JavaScript (the `onerror` handler runs in the browser with no user action beyond loading the page)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Base64-encoded payload hidden in an image attribute)
- **TA0009 - Collection**
- T1056.003 - Input Capture: Web Portal Capture (injected form captures card number, expiry and CVV)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (captured fields sent to the attacker-controlled host)
## Functionality
### Core Capabilities
- **Concealment:** The skimmer script is Base64-encoded and placed in the `onerror` attribute of an `<img>` tag, where it is decoded and evaluated at run time. The tag itself looks like ordinary markup, and encoded blobs in image attributes are common enough that reviewers and scanners tend to treat them as data rather than code.
- **Trigger Mechanism:** The browser fires `onerror` when the image fails to load (a `src` that points at nothing is enough), so the handler, and with it the decoded script, runs automatically on every page view without further interaction.
- **Targeting:** The decoded script first checks whether the current page is the checkout page; on any other page it does nothing, which limits the chances of the skimmer being noticed.
### Advanced Features
- **Dynamic Form Injection:** When the shopper clicks the submit button on the checkout page, the script inserts its own form containing three fields: Card Number, Expiration Date, and CVV, so that the card data is typed into attacker-controlled inputs rather than (or in addition to) the store's payment fields.
- **Real-time Siphoning:** The values entered into the injected form are sent directly to an external server as they are submitted, so the theft does not depend on the order completing.
- **Evasion:** The payload sits in an image attribute, a location that normally holds short strings or Base64 data rather than script, so content scanners that only look for `<script>` blocks or known skimmer signatures miss it.
## Indicators of Compromise
- File Hashes: None provided in the report. The skimmer is injected markup in the store's pages rather than a standalone file, so file hashes are not a useful indicator here.
- File Names: None provided.
- Registry Keys: Not applicable (the code runs only in the shopper's browser).
- Network Indicators: wellfacing[.]com (Defanged C2 destination)
- Behavioral Indicators: Observation of JavaScript executing from an `onerror` handler within client-side HTML image tags on checkout pages; observation of a fake payment form dynamically appearing mid-transaction.
## Associated Threat Actors
- MageCart (General term for groups targeting e-commerce payment processing, particularly Magento sites).
## Detection Methods
- Signature-based detection: Search the source and rendered HTML of transactional pages for `<img>` tags whose `onerror` attribute contains `atob(`, `eval(` or a long Base64 literal, and for the specific payloads once known. Matching on the literal string `onerror=` alone is noisy, since legitimate themes use `onerror` on images to swap in a fallback image or hide a broken one; triage on what the handler does, not on its presence.
- Behavioral detection: Monitor for JavaScript execution originating from HTML attributes that should not normally carry active code, and for forms being inserted into the DOM on sensitive pages (checkout) after the page has loaded.
- YARA rules: Rules targeting the decoded payload, the Base64 literal, or the `onerror` + `atob`/`eval` combination within an `<img>` tag.
## Mitigation Strategies
- Prevention measures: Deploy a Content Security Policy without `'unsafe-inline'` in `script-src` (or `script-src-attr`), which blocks inline event handlers such as `onerror` outright, and without `'unsafe-eval'`, which blocks the `eval(atob(...))` step. Restrict `connect-src`, `form-action` and `img-src` to the store's own origins so that captured fields cannot be posted or beaconed to an attacker-controlled host. Note that nonces do not whitelist event handlers, so a nonce-based policy still needs the handlers moved into external scripts.
- Hardening recommendations: Keep Magento and its extensions patched, since the injected tag has to be planted in the store's templates or database first. A Web Application Firewall can block some injection attempts but has limited visibility into content already stored in the site, so pair it with periodic integrity checks of templates and CMS blocks. Subresource Integrity protects known third-party scripts from being swapped out but does nothing for inline markup injected into the page itself.
## Related Tools/Techniques
- Traditional MageCart attacks involving script injection via file upload vulnerabilities.
- Use of other benign-looking HTML for code execution (e.g. other event-handler attributes such as `onload` on ordinary elements, script hidden in `<iframe>` content, or CSS injection).
- Payment skimming via legitimate-looking 404 error pages (previously documented MageCart tactic).