The Wolf Hid A Skimmer In A Dot. A Literal Dot. I Quit.

I need everyone to understand something before I continue. It is 3am. My coffee is cold. I have 47 unresolved tickets. And I just learned that nearly 100 Magento storefronts got their payment data hoovered out by a piece of parasitic code hidden inside an SVG file the size of a single pixel.

One. Pixel.

The coyotes embedded a full credit card skimmer inside a 1x1 SVG image tag. Invisible to the naked eye, invisible to a lot of scanners, just sitting there on checkout pages quietly drinking up card numbers like it owned the place. Which, functionally, it did.

For the non-technical lambs in the back: SVG is an XML-based image format, and an SVG file can carry actual code inside it. Flexible, and apparently a cozy little den for ticks if nobody's watching. The attackers injected the malicious SVG directly into compromised Magento stores, where it cheerfully skimmed payment details from every unsuspecting shopper who wandered through.

The flock never knew. The Shepherds definitely didn't know. The checkout page looked completely normal because there was nothing to see. That's the whole point.

The really fun part, and by "fun" I mean the part that made me stare at my ceiling at 2am, is that this isn't some exotic hole in the fence. These stores were running outdated, unsheared versions of Magento. The entry points were known vulnerabilities. Patched ones. Patches that existed. That were available. That nobody applied.

I am so tired.

Nearly 100 stores. Confirmed. Probably more that haven't noticed yet because nobody checks anything until a journalist calls.


Remediation (Yes, Fine, Here You Go)

For store operators who are just now reading this with a sinking feeling:

  • Audit every asset loaded on your checkout pages. Every script, every image, every tag you didn't personally put there.
  • Check your Magento version right now. If it's end-of-life, that's your entire problem in one sentence.
  • Apply all available shearing immediately. Outstanding patches are just future breach notifications waiting to happen.
  • Implement a Content Security Policy. Make your storefront tell browsers what's allowed to run. Uninvited SVG parasites do not make the guest list.
  • Consider a file integrity monitor. If something on your checkout page changes and you didn't change it, you want to know about that before BleepingComputer does.
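
For the "audit every asset" item, here is an added example (mine, not from the original report or any vendor tool): a small Python pass over saved checkout HTML that flags every inline SVG able to run code, and marks the pixel-sized ones. It assumes the skimmer rides on an event-handler attribute or a script element inside the SVG, which this post does not spell out; the names `SvgAudit`, `audit` and `TINY_PX` are hypothetical.

```python
from html.parser import HTMLParser

TINY_PX = 2  # assumption: at or below this, an <svg> counts as pixel-sized

def _px(value):  # '1', '1px', '1.0' -> float; anything else -> None
    v = (value or "").strip().lower()
    try:
        return float(v[:-2] if v.endswith("px") else v)
    except ValueError:
        return None

class SvgAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._svg = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "svg" and self._svg is None:
            w, h = _px(attrs.get("width")), _px(attrs.get("height"))
            tiny = None not in (w, h) and max(w, h) <= TINY_PX
            self._svg = {"line": self.getpos()[0], "tiny": tiny, "reasons": []}
        if self._svg is not None:
            handlers = sorted(k for k in attrs if k.startswith("on"))
            if handlers:
                self._svg["reasons"].append(f"<{tag}> " + ",".join(handlers))
            if tag == "script":
                self._svg["reasons"].append("<script>")

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg is not None:
            if self._svg["reasons"]:  # only SVGs that can execute code
                self.findings.append(self._svg)
            self._svg = None

def audit(html):  # one finding per <svg> carrying script or event handlers
    parser = SvgAudit()
    parser.feed(html)
    parser.close()
    parser.handle_endtag("svg")  # flush an <svg> that was never closed
    return parser.findings

# Constructed sample, not from any real store; the handler body is a placeholder.
SAMPLE = """<form id="checkout">
<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>
<svg width="1px" height="1px" onload="/* placeholder */"></svg>
<input name="cc_number">
</form>"""
if __name__ == "__main__": print(audit(SAMPLE))
```

Run it against the HTML your checkout actually serves, not just the templates on disk, since injected markup can live in the database. Anything with `tiny` set to true and a non-empty `reasons` list is the first thing to pull apart.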

The technology to catch this exists. The patches to prevent this existed. We just collectively decided not to use them.

Anyway. Back to the ticket queue. Somebody named Karen wants to know why her password expired.

Sleep is a myth I used to believe in.


Original Report: https://www.bleepingcomputer.com/news/security/hackers-use-pixel-large-svg-trick-to-hide-credit-card-stealer/