Magecart, an umbrella of malicious hacker groups known for stealing payment card data, is now using a creative way to hide their malicious activity. Recently, a group targeted a Magento 2-based e-commerce site. During this attack, it was hiding skimmed credit card data into a JPEG file on a website they had injected with malicious code.

The creative evil 

Researchers from website security firm Sucuri have discovered this novel tactic when they were investigating a compromised website using the open-source e-commerce platform Magento 2.
  • The tactic of using a fake JPEG file enables an attacker to hide and save their harvested credit card details for future use without raising any alarm.
  • In addition, the code created a JPEG file that was used by attackers to store any data they captured from the compromised site. By this, the attacker can easily access and download the stolen information.

Use of Magento code framework

The recent campaign also used some internal functions of the Magento code framework to harvest the data captured and hidden in the JPEG file.
  • The malicious PHP code utilized the Magento function getPostValue to gather checkout page data within the Customer_ POST parameter.
  • In addition, the Magento function, isLoggedIn, was used to check whether a victim is logged into the website as a user.


Magecart attackers are specialized in skimming attacks and are known for using innovative ways to surprise security researchers. They often hide their skimming techniques in functionality that looks to be authentic, and the use of image files and platform-specific functions adds up to their sophistication. Thus, it is important to remain updated about all recent attack tactics used by adversaries to prevent falling victims to such threats.

Cyware Publisher