Magecart Group strikes again using the image code injection technique

July 8, 2020
mage cart group image code injection malicious scripts hacking group

Great and proven techniques will always be noticed by someone as successful as Magecart Group. Hiding the code inside image headers or image code injection is a known handy work of Magecart that has been observed as early as 2015. However, they may have been active as early as 2014, based on the creation of domains used as part of the reshipping scheme. Magecart consists of at least six different groups; it has impacted thousands of customers and compromised 6,400+ sites. With the current pandemic, confirmed cases in Europe second to the United States, people are still confined in their houses and perform much of the purchases online. The resent trend paved the way to Magecart Group 9 to surface and do their scheme and with a recently reported supply chain attack link to Magecart Group 9.

The hacking group had set to focus on e-commerce sites, particularly in the UK. They have evolved to targeting 3rd party javascript libraries and using malicious script utilizing the code injection technique to run in the client’s browser in the form of keylogger and form grabber. They are also famous in data exfiltration activities to steal credit card data and evolved their skills in digital skimming and phishing account credentials.


How does their method work?

First, Magecart chooses its target. They then study the exploited application, in this case, WooCommerce plugin for WordPress. As e-commerce is becoming more aware of this type of attack, Magecart learned their target and devised a way to embed their skimmer code into their targets’ website. A POST request then collects form content through a malicious code injected in an image.


Known factors why this latest code injection act is linked to Magecart Group 9

  • Domain used this EXIF metadata has the same Bulgarian host, same registrar, and was registered within a week of, domain server located in Romania, and was part of a VPN provider based in Lithuania named Time4VPS.
  • Obfuscated code is added using the WiseLopp PHP JS obfuscator library.
  • is registered under [email protected], which also has other skimmer domains, and several used via another ingenious evasion technique in the form of WebSockets.
  • Used steganography to hide the skimming code.


Five strategies to stop Magecart attack

  1. Web-servers and infrastructure full patched approach to the latest versions
  2. Webpage Monitoring
  3. Third-party resource integrity checking
  4. Protecting the Client and Server-side
  5. Invest in, e.g., anti-phishing, anti-trojan as part of theft protection and data security together in one plan
About the author

Leave a Reply