Hackers Hide Credit Card Stealer in 1‑Pixel SVG Image on Magento Sites

The malware is injected as a single line of HTML code embedding a tiny SVG image that measures only one pixel in height and width.

 

Security researchers have uncovered a stealthy web‑skimming campaign in which cybercriminals are hiding credit card‑stealing code inside a 1×1 pixel‑sized SVG image on Magento‑based e‑commerce sites. The attack already affects nearly 100 online stores, turning otherwise legitimate checkout pages into traps that silently capture payment details before orders are processed. 

Modus operandi 

The malware is injected as a single line of HTML code embedding a tiny Scalable Vector Graphics (SVG) image that measures only one pixel in height and width. This SVG element contains an onload JavaScript handler that, when triggered on page load, executes a base64‑encoded skimmer payload via atob() and setTimeout(), keeping the entire malicious logic inline and avoiding external script references. Because the payload lives inside what looks like an ordinary image tag, many security scanners and human reviewers overlook it. 

When a shopper clicks the checkout button on a compromised store, the malicious script intercepts the action and displays a fake “Secure Checkout” overlay. This overlay mimics the real payment form, often copying the site’s CSS so it appears visually identical, and prompts the user to re‑enter card details and billing information. Every keystroke is captured in real time, validated with the Luhn algorithm, and then exfiltrated to an attacker‑controlled server in an XOR‑encrypted, base64‑encoded JSON format. 

The attackers exploit the fact that browsers treat SVGs as safe, trusted images, and that 1×1‑pixel trackers are common for analytics and ads. This camouflage makes the malicious code nearly invisible to both users and many automated scanners that focus on external JavaScript files rather than inline attributes inside images. The Magecart‑style approach also allows criminals to harvest payment data at scale while leaving little trace on the visible page, complicating incident detection and remediation.

Protection for shoppers and merchants 

Online shoppers should watch for unexpected overlays or extra “validation” prompts during checkout and avoid entering card details on pages that load unusually slowly or show suspicious certificate warnings. Merchants, especially those using Magento, should enable strict content security policies (CSP), monitor for unauthorized SVG or image‑tag changes, and use dedicated payment‑card security tools to detect and block skimmers. Regular code audits and third‑party script reviews can help spot this kind of hidden payload before it begins harvesting live transactions.
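
One way to carry out the SVG monitoring recommended above, as an added example that is not from the original post: a Python scanner for stored HTML (CMS blocks, templates, saved page responses) that reports `<svg>` tags carrying inline event handlers. The function names, reason labels and sample markup are constructed for illustration, and the encoded string in the sample is an inert comment.

```python
import base64
import re
from html.parser import HTMLParser

# atob() and setTimeout() are the calls the article names; eval/Function are
# an assumption added here to cover closely related inline loaders.
EXEC_CALLS = re.compile(r"\b(atob|setTimeout|eval|Function)\s*\(")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
TINY = {"0", "1", "0px", "1px"}

class SvgHandlerScanner(HTMLParser):
    """Flags <svg> tags that carry inline on* event handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "").strip() for name, value in attrs}
        handlers = {n: v for n, v in attr.items() if n.startswith("on")}
        if tag != "svg" or not handlers:
            return  # handler-free pixels and icons are not reported
        code = " ".join(handlers.values())
        reasons = ["handler:" + ",".join(sorted(handlers))]
        if attr.get("width") in TINY and attr.get("height") in TINY:
            reasons.append("tiny")
        reasons += sorted({"call:" + c for c in EXEC_CALLS.findall(code)})
        decoded = []
        for blob in B64_BLOB.findall(code):
            try:  # decoded for analyst triage only; nothing is executed
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
                decoded.append(raw.decode("utf-8", "replace")[:80])
            except ValueError:
                pass
        if decoded:
            reasons.append("base64")
        self.findings.append(
            {"line": self.getpos()[0], "reasons": reasons, "decoded": decoded})

def scan_html(html):
    scanner = SvgHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: the encoded string is an inert comment, not a skimmer.
_INERT = base64.b64encode(b"/* constructed inert placeholder */").decode()
SAMPLE = ('<footer>\n<svg width="1" height="1"></svg>\n<svg width="1" height="1" '
          f'onload="setTimeout(atob(\'{_INERT}\'),0)"></svg>\n</footer>')
```

A content security policy that does not allow `'unsafe-inline'` for scripts also stops the browser from running inline event handlers such as this `onload` attribute, which is why the CSP recommendation and this scan complement each other.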