In a deep-dive analysis released by Ben Martin, a security analyst at Sucuri, researchers revealed a remarkably sophisticated multi-stage carding attack targeting a vulnerable Magento eCommerce website. This advanced operation leveraged a fake GIF file, browser sessionStorage abuse, and a malicious reverse proxy server to seamlessly intercept and steal sensitive data — including credit card information, login credentials, cookies, and session tokens.
“This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website,” Martin explained.
The targeted website was running Magento 1.9.2.4, a platform officially unsupported since June 2020. As Martin emphasized: “It’s worth mentioning that the website in question was using a very out-of-date Magento installation.” This outdated and unpatched software became the perfect gateway for attackers to exploit.
Investigators initially noticed suspicious JavaScript injected into the checkout page, disguised to resemble Bing ad tracking code. However, deeper inspection revealed unusual behavior: references to Magento hidden within the code and dynamic manipulation of strings to construct malicious file paths.
The manipulated JavaScript pointed to what appeared to be a legitimate GIF file: “In the final analysis we get the following: /media/magentothem/img/line.gif?<timestamp>.“ Yet this “GIF” was no image at all — it housed a malicious PHP script designed to act as a reverse proxy.
Reverse proxies are typically legitimate tools used for load balancing and network optimization. However, in this attack, the malware repurposed this technology for nefarious purposes: “The malware captures incoming requests (headers, body, IP address, etc) as well as intercepts POST data (login info, forms, file uploads).”
It laundered all user communications through an attacker-controlled server, manipulating cookies, stripping redirects, and ensuring that victims and administrators remained completely unaware.
But the attack didn’t end there. A second malware injection was discovered within the checkout page template onestepcheckout.phtml. This code cleverly exploited browser sessionStorage to create a session-specific trigger: “In this way most of the actual card-stealing and malicious behaviour is done client-side, making it more difficult to detect.”
This method ensured that the malicious behavior was transient — erased once the browser tab was closed — leaving virtually no forensic traces on the victim’s device. In essence, the fake Bing JS planted the trigger, and the checkout page code detonated it.
Martin concluded that this was no ordinary MageCart-style attack. The infrastructure, careful layering, and use of reverse proxy technology showed significant planning and expertise:
“It is very clear that MageCart malware isn’t going anywhere any time soon,” Martin warned. “eCommerce website admins and shoppers alike need to continue to be diligent in order to protect their data and customers online.”