According to a new report from security company Sansec, 99 stores running the Magento e-commerce platform have been infected with malicious code. The intrusion likely occurred via the "PolyShell" vulnerability, which enables unauthorized code execution. Once inside the system, the attackers use a method that is difficult for both merchants and consumers to detect.
Fake Checkout Overlaid on the Real One
The malicious code is injected as a 1x1-pixel SVG element (Scalable Vector Graphics) into the e-commerce site's HTML code. When a customer clicks the button to proceed to checkout, the script intercepts the click and instead displays a fake full-screen checkout.
This fake checkout looks legitimate and even validates credit card numbers in real time. As soon as the customer enters their details, the information is encrypted and sent to the attackers' servers, after which the customer is redirected to the store's real checkout. Most consumers never notice that a breach has occurred.
Sansec explains how the attackers manage to stay hidden:
This technique avoids creating external script references that security scanners normally flag. The entire malicious code lives embedded, encoded as a single string attribute.
SVG Files: A Growing Security Problem
The use of SVG files for malicious purposes is not a completely new phenomenon, but it is a method that has increased in popularity among cybercriminals. Unlike common image formats such as JPEG and PNG, which consist only of pixel data, SVG files are XML-based. This means that they are essentially code and can therefore contain embedded JavaScript that interacts with the web page.
The security company Cloudflare warned last year that SVG files are often misclassified as harmless image files by security systems. Because they can carry active scripts, they are increasingly used to create redirects or even to build complete, standalone phishing pages directly inside the file.
In the same year, the VirusTotal platform reported on a specific campaign where over 500 rigged SVG files were used to imitate government portals. Several of these files were completely invisible to all established antivirus programs at the time of detection. The problem has become so significant that actors such as Microsoft have chosen to stop supporting embedded SVG files in several versions of the Outlook email client.
How to Detect the Intrusion
To investigate whether your store is affected, you or your technical partner should review the website's source code for hidden SVG elements and monitor network traffic for unknown outbound connections. If you suspect an intrusion, there are specific traces to look for both in the code and in visitors' browser data. The detailed technical indicators are listed in Sansec's security report for those who want to dig deeper.
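As an added illustration of the source-code review described above (example code, not part of Sansec's report or the Magento project), the following scan flags inline SVG elements that are no larger than 1x1 pixels and carry an inline event handler or an unusually long attribute value, the shape of the injection the article describes. The size threshold, the attribute-length threshold and the sample HTML are assumptions constructed for this example, so treat hits as leads for manual review rather than proof of compromise.

```python
"""Heuristic scan of HTML source for tiny inline SVG elements that carry
an inline event handler or a large encoded attribute value."""
import re
from html.parser import HTMLParser

# Assumed thresholds (not from the article): flag an SVG no larger than
# MAX_PIXELS x MAX_PIXELS whose attributes include an on* handler or a
# value at least MIN_BLOB_LEN characters long.
MAX_PIXELS = 1
MIN_BLOB_LEN = 200


def _px(value):
    """Parse '1', '1px' or '1.0' into an int; None if not a plain number."""
    m = re.match(r"^\s*(\d+)(?:\.\d+)?\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


class SvgFinder(HTMLParser):
    """Collects <svg> start tags that match the tiny-plus-payload heuristic."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        tiny = (w is not None and h is not None
                and w <= MAX_PIXELS and h <= MAX_PIXELS)
        handlers = [k for k in attrs if k.startswith("on")]
        blobs = [k for k, v in attrs.items() if v and len(v) >= MIN_BLOB_LEN]
        if tiny and (handlers or blobs):
            self.findings.append({"line": self.getpos()[0], "width": w,
                                  "height": h, "event_handlers": handlers,
                                  "large_attrs": blobs})


def scan_html(html):
    """Return a list of findings (dicts) for the given HTML source."""
    parser = SvgFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: a normal icon SVG next to a 1x1 SVG that carries
# a handler and a long encoded string attribute (hypothetical names/values).
BENIGN = '<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>'
SUSPECT = ('<svg width="1" height="1" onload="decodeAndRun(this)" '
           'data-p="' + "QUJD" * 100 + '"></svg>')
SAMPLE_PAGE = ("<html><body>\n" + BENIGN + "\n<button>Checkout</button>\n"
               + SUSPECT + "\n</body></html>")

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```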
However, the most important action remains preventative: ensure that the e-commerce platform is constantly kept up to date and that all security patches are installed to close the gaps that attackers exploit.