Threat Watch

New Magecart Script Found in Social Media Share Buttons

A new Magecart style attack has been identified by researchers at the Dutch security firm Sanguine Security (SangSec). Magecart is an umbrella term used to describe various e-skimming attacks that have gained popularity throughout the past few years. This most recent attack was found using social media share buttons to hide the skimmer code and evade various detection techniques. This technique of hiding the code in legitimate images is known as steganography and is a testament to how these cybercriminals are constantly evolving their attacks. This technique has been used before, but in this particular case, the script was hidden in an SVG file instead of a JPG or PNG file. SVG files are a type of image that are used for loading vector-based images. Vector images load and draw graphics with the help of mathematical functions and coordinates in a text-based format rather than a binary format. In theory, because of this, it should be easier to defend against malware hidden in these types of files, but the threat actor managed to get around this when they designed the payload. According to SangSec “The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element.” Since the skimmer is constructed in a perfectly valid image, security scanners cannot test the syntax of the code to validate it.


SangSec saw threat actors testing this type of attack in June 2020, and saw campaigns using the attack method against eCommerce sites in September. This attack shows the dedication of threat actors to find new ways to evade security practices that would otherwise thwart their attack campaigns. This evolving threat landscape means that is important for everyone to stay up to date on their best practices that can help prevent these types of attacks. Though this code is hard to detect, it does not mean that end-users should stop using security scanners. They should also employ best practices when shopping online such as using virtual credit cards designed specifically for one transaction.

More can be read here: