What makes the campaign stand out is the way the skimmer is concealed. Rather than loading an external JavaScript file, the attackers embedded the payload in a 1×1 pixel SVG element and triggered it through the image’s onload attribute. The encoded malware then launched a fake full-screen checkout window that looked legitimate enough to coax shoppers into entering card numbers, billing details and other payment data before passing them back to the genuine checkout flow. That method sharply reduces the chance of detection by tools that focus on suspicious external script references.
The malicious overlay was designed to blend into the shopping process. Researchers said it intercepted clicks on checkout buttons before the store’s own handlers could respond, displayed a “Secure Checkout” form with card validation, then silently redirected victims to the real payment page after the theft had already taken place. The stolen data was encoded and sent to a common endpoint masquerading as a Facebook metrics file, while a marker in browser storage helped the attackers avoid harvesting the same shopper twice.
Sansec, the e-commerce security company that disclosed the incident, said the likely entry point was the so-called PolyShell flaw affecting Magento and Adobe Commerce environments. In a separate advisory published on March 17, the firm said the bug allowed unauthenticated attackers to upload files through guest-cart REST API routes and had already been observed at scale. By March 30, Sansec said attackers had compromised 471 stores within a single hour in an automated wave, suggesting that exploitation had moved well beyond selective targeting into industrialised abuse.
That chronology matters because it shows how quickly the threat has evolved. Sansec said automated probing for PolyShell accelerated from March 19, and the SVG skimmer campaign surfaced less than three weeks later. The same research group linked PolyShell to other payloads in March, including a WebRTC-based skimmer and JavaScript loaders dropped into content blocks, indicating that attackers are experimenting with multiple concealment techniques after gaining access.
Magento merchants have also been operating under broader pressure for months. Sansec reported in October 2024 that more than 4,000 Adobe Commerce and Magento stores were compromised in the fallout from the CosmicSting vulnerability, and it estimated that five per cent of all such stores ended up with a payment skimmer on their checkout page during that period. The latest SVG-based attack appears to fit that larger pattern: a familiar criminal business model using ever more evasive code to stay embedded on high-volume retail sites.
Adobe has continued releasing security updates for Adobe Commerce and Magento Open Source. Its March 19, 2026 security bulletin said patched vulnerabilities could otherwise lead to privilege escalation, arbitrary code execution and file-system exposure, though Adobe also said it was not aware of exploits in the wild for the issues covered by that particular update. Adobe’s release schedule shows fresh patched versions, including 2.4.7-p9, 2.4.6-p14, 2.4.5-p16 and 2.4.4-p17, were issued on March 10. That does not by itself resolve every route described by Sansec, but it underlines the gap between supported software and stores left exposed through legacy code, delayed updates or insecure server configurations.
The incident also lands as the payments industry pushes merchants towards tighter browser-side controls. The PCI Security Standards Council said in guidance released in March 2025 that e-skimming attacks had risen as e-commerce pages became more dependent on scripts running in customers’ browsers. Its guidance for PCI DSS requirements 6.4.3 and 11.6.1 calls for merchants to authorise payment-page scripts, verify their integrity and monitor pages for tampering. Those measures speak directly to the kind of inline, disguised code used in the Magento campaign.
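As an added illustration of the page-monitoring control described above (this is not code from Sansec, Adobe or the PCI guidance), the Python example below scans stored page or content-block HTML for SVG elements that carry inline event handlers, and marks the 1×1 ones. The substrings in `DECODE_HINTS` and the sample markup are assumptions constructed for the example.

```python
from html.parser import HTMLParser

# Assumption: substrings suggesting a handler decodes and runs embedded data.
DECODE_HINTS = ("atob(", "eval(", "Function(", "fromCharCode")

def _px(value):
    """Parse a width/height such as '1' or '1px'; None if absent or not numeric."""
    try:
        return float((value or "").strip().lower().replace("px", ""))
    except ValueError:
        return None

class SvgHandlerScanner(HTMLParser):
    """Collects every inline on* handler found on an <svg> start tag."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        a = {k: (v or "") for k, v in attrs}
        handlers = {k: v for k, v in a.items() if k.startswith("on")}
        if tag != "svg" or not handlers:
            return
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        for name, code in handlers.items():
            self.findings.append({
                "line": self.getpos()[0],   # 1-based line of the tag
                "attribute": name,
                "tiny": tiny,               # rendered at 1x1 or smaller
                "decodes": any(hint in code for hint in DECODE_HINTS),
                "handler_length": len(code),
            })

def scan(html):
    scanner = SvgHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a normal icon, then a 1x1 SVG with a harmless handler.
SAMPLE = """<div class="checkout">
<svg viewBox="0 0 24 24" width="24" height="24"><path d="M0 0h24v24H0z"/></svg>
<svg width="1" height="1" onload="atob('Y29uc3RydWN0ZWQ=')"></svg>
</div>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding on a payment page is a prompt to compare the markup against the authorised baseline, not proof of compromise, since some themes attach legitimate handlers to SVG elements.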