How Magecart Hackers Hide Credit Card Theft Behind a Single Pixel
Magecart is a term used to describe malicious software that targets online shopping websites and steals payment information from customers. Magecart attacks are usually carried out by injecting complex, hidden JavaScript code into Magento or WordPress websites, either through the database or through compromised plugins or files. However, Magecart hackers sometimes use more subtle and clever methods to hide their malicious code. In this article, we will look at how Magecart hackers use a single invisible pixel and a simple image tag to conceal their credit card skimming code on the checkout page. We will also show you some examples of other similar Magecart attacks and how to prevent them from affecting your website or your online shopping experience.
The Invisible Pixel Trick
The first step in finding Magecart malware on a website is to view the source code of the checkout page, where customers enter their credit card details. Usually, Magecart malware is easy to spot, as it is a long, obfuscated block of JavaScript that looks out of place. However, in some cases, Magecart hackers use a sneakier technique to hide their code. They inject a small image tag into one of the custom fields in the Magento admin panel, such as the “checkout page description” field. The image tag has a width and height of zero, making it invisible to the naked eye. The image tag also has a base64-encoded value which, when decoded, reveals a single white pixel. This pixel is used as a decoy to draw attention away from the real malicious code that follows the image tag.
The real malicious code is a JavaScript function that contains a series of characters that look like gibberish, except for the word “xor” in the middle. This is a clue that the code is using an XOR encryption algorithm to hide its true purpose. XOR encryption is a simple way of encrypting data by using a key to flip the bits of the data. To decrypt the data, the same key is used to flip the bits back. The key in this case is hidden in plain sight as well: it is the base64-encoded value of the image tag. By using this key to decrypt the gibberish characters, we can reveal the actual Magecart code that steals the credit card information from the checkout page and sends it to a remote server controlled by the hackers.
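A check for the pattern described above, as an added example that is not code from the article: it scans the HTML stored in a CMS field for zero-size image tags carrying an inline base64 image, reads the image dimensions from its header, and reports whether a script follows. The function names, the sample field values and the 4096-character lookahead are assumptions made for illustration.

```javascript
// Added example (not from the article): flag zero-size <img> tags that carry an
// inline base64 image and report what follows them in a CMS field value.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Zero via the attribute (width="0") or via inline style (width:0px).
function isZero(tag, dim) {
  const css = new RegExp(`(?:^|;)\\s*${dim}\\s*:\\s*0+(?:px)?\\s*(?:;|$)`, 'i');
  return /^0+(?:px)?$/i.test(attr(tag, dim) || '') || css.test(attr(tag, 'style') || '');
}

// Decode a data: URI and read pixel dimensions from the GIF or PNG header.
function inlineImageSize(src) {
  const m = /^data:image\/[a-z0-9.+-]+;base64,([A-Za-z0-9+\/=\s]+)$/i.exec(src || '');
  if (!m) return null;
  const b = Buffer.from(m[1], 'base64');
  if (b.length >= 10 && b.toString('latin1', 0, 3) === 'GIF')
    return { bytes: b.length, width: b.readUInt16LE(6), height: b.readUInt16LE(8) };
  if (b.length >= 24 && b.readUInt32BE(0) === 0x89504e47)
    return { bytes: b.length, width: b.readUInt32BE(16), height: b.readUInt32BE(20) };
  return { bytes: b.length, width: null, height: null };
}

function findPixelDecoys(fieldHtml, lookahead = 4096) {
  const findings = [];
  for (const m of fieldHtml.matchAll(/<img\b[^>]*>/gi)) {
    const tag = m[0];
    const image = inlineImageSize(attr(tag, 'src'));
    if (!image || !isZero(tag, 'width') || !isZero(tag, 'height')) continue;
    const end = m.index + tag.length;
    const script = /<script\b[^>]*>([\s\S]*?)<\/script>/i.exec(fieldHtml.slice(end, end + lookahead));
    findings.push({
      offset: m.index,
      image,
      scriptFollows: Boolean(script),
      mentionsXor: Boolean(script && /xor/i.test(script[1])),
    });
  }
  return findings;
}

// Constructed sample field values (inert placeholders, no payload).
const PIXEL = 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'; // 1x1 GIF
const CLEAN_FIELD = '<p>Secure checkout</p><img src="/media/logo.png" width="120" height="40">';
const SUSPECT_FIELD = `<p>Secure checkout</p><img width="0" height="0" src="data:image/gif;base64,${PIXEL}">` +
  '<script>/* constructed placeholder */ var blob_xor_blob = "";</script>';
console.log(findPixelDecoys(SUSPECT_FIELD));
```

A hit is a reason to review the field's change history, not proof of compromise on its own, since tracking pixels use similar markup.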
Other Examples of Magecart Attacks Using Images
The invisible pixel trick is not the only way that Magecart hackers use images to hide their malware. Here are some other examples of Magecart attacks using images:
• Using an image URL as a key: In this case, the Magecart hackers use an image URL as the key to encrypt and decrypt their code. The image URL is usually hosted on a legitimate website that has been compromised by the hackers. The image itself can be anything, such as a logo or an icon. The hackers use the image URL as part of their JavaScript code and then use an AJAX request to fetch the image and use its content as the key for XOR encryption.
• Using an image file as a container: In this case, the Magecart hackers use an image file as a container for their malware. The image file can be in any format, such as PNG or JPEG. The hackers use a technique called steganography to hide their code inside the image file without affecting its appearance. Steganography is a way of hiding data inside other data by using subtle changes in color or brightness that are not noticeable to humans but can be detected by computers. The hackers then use an HTML5 canvas element to load the image file and extract its hidden data using JavaScript.
• Using an SVG file as an executable: In this case, the Magecart hackers use an SVG file as an executable for their malware. SVG stands for Scalable Vector Graphics, which is a format for creating images using XML code. SVG files can also contain JavaScript code that can be executed by browsers. The hackers create an SVG file that contains their malicious JavaScript code and then inject it into the website using an <img> tag or an <object> tag.
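For the SVG case in the list above, a triage helper as an added example, not code from the article: it reports active content inside an SVG file and lists how a page embeds SVG files. Browsers do not run scripts in an SVG loaded through <img>, so the embedding tag is recorded with each reference. All names and sample strings are constructed for illustration.

```javascript
// Added example (not from the article): triage an SVG for active content and
// list how a page embeds SVG files.
const ACTIVE_SVG = [
  ['script element', /<script\b/i],
  ['event-handler attribute', /\son[a-z]+\s*=/i],
  ['javascript: URL', /href\s*=\s*["']?\s*javascript:/i],
  ['foreignObject element', /<foreignObject\b/i],
];

function svgActiveContent(svgText) {
  return ACTIVE_SVG.filter(([, re]) => re.test(svgText)).map(([label]) => label);
}

// Scripts inside an SVG run when it is loaded by these tags, not when it is loaded by <img>.
const SCRIPT_CAPABLE = new Set(['object', 'embed', 'iframe']);

function svgEmbeds(pageHtml) {
  const re = /<(img|object|embed|iframe)\b[^>]*?\s(?:src|data)\s*=\s*["']([^"']+\.svg(?:\?[^"']*)?)["'][^>]*>/gi;
  return [...pageHtml.matchAll(re)].map((m) => {
    const tag = m[1].toLowerCase();
    return { tag, url: m[2], scriptsCanRun: SCRIPT_CAPABLE.has(tag) };
  });
}

// Constructed samples (inert).
const CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const ACTIVE_SVG_SAMPLE = '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">' +
  '<script>/* constructed placeholder */</script><circle r="4"/></svg>';
const PAGE = '<img src="/media/logo.svg" alt="logo">' +
  '<object data="/media/badge.svg" type="image/svg+xml"></object>';

console.log(svgActiveContent(ACTIVE_SVG_SAMPLE), svgEmbeds(PAGE));
```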
How to Protect Yourself from Magecart Attacks
Magecart attacks are becoming more sophisticated and harder for both website owners and online shoppers to detect. However, there are some steps that you can take to protect yourself from these attacks:
• If you are a website owner, make sure that your website is secure and updated with the latest patches and plugins. SharkGate provides a robust vulnerability scanner… check this for issues and patch the issues reported.
• Use strong passwords and two-factor authentication for your admin panel and FTP access.
• Scan your website regularly for malware and suspicious files or changes.
• Use a web application firewall such as SharkGate to block malicious requests and prevent unauthorized access.
Conclusion
Magecart is a serious threat to ecommerce websites and online shoppers, as it can steal sensitive payment information and cause financial losses and identity theft. Magecart hackers use various techniques to hide their malware, such as using images as keys, containers, or executables. To protect yourself from these attacks, you need to keep your website and your browser secure and updated, and use tools that can detect and block Magecart malware. If you suspect that your website or your credit card has been compromised by Magecart, you should contact your hosting provider or your bank immediately and seek professional help.