Multi-Stage Carding Attack Hits Outdated Magento Site


Summary
A compromised Magento 1.9.2.4 eCommerce website was targeted by a multi-stage carding attack involving advanced malware techniques. The attackers:
Abused a fake GIF image file as a disguise for malicious payloads.
Leveraged sessionStorage in the browser to exfiltrate data stealthily.
Employed a malicious reverse-proxy server to manipulate website traffic and intercept sensitive user inputs.
The malware harvested credit card information, login credentials, cookies, and more from unsuspecting customers. The issue was discovered after users reported checkout failures and input anomalies.
The root cause was the site’s use of a long-outdated and unsupported Magento 1.x version, which lacks modern security patches and support from Adobe. The difficulty and cost of upgrading to Magento 2 likely contributed to the prolonged use of the vulnerable platform.
Technical Analysis
The suspicious code in the checkout page was discovered embedded between two comments. Initially appearing to be legitimate tracking code, a deeper look revealed an unusual string: bpumediabpumagentothembpuimgbpuline. The embedded reference to “magento” within the string raised suspicion, as it wouldn’t typically be part of standard tracking code.
Figure 1 – Suspicious code in Checkout page (Source - Sucuri)
Further examination revealed the JavaScript used obfuscation techniques, dynamically constructing function names like replace by concatenating strings, with misleading elements such as bing inserted to deflect attention. The resulting code pointed to a path on the server: /media/magentothem/img/line, which appeared to reference a directory. Another script line built a URL ending in line.gif with a timestamp query string: /media/magentothem/img/line.gif?<timestamp>.
Despite its .gif extension, the file was not an image. Instead, it contained a malicious PHP script cleverly disguised to avoid detection.
Figure 2 - Malicious PHP script (Source - Sucuri)
The malware leveraged a reverse-proxy mechanism to intercept and manipulate traffic on the compromised Magento site. The obfuscated backend_url in the malicious script, once reversed and base64-decoded, pointed to an external command-and-control server at hxxp://217[.]12[.]207[.]38/positions/02/. This revealed the malware’s true purpose: acting as an invisible man-in-the-middle between site visitors and the backend server. Unlike typical proxies used by individuals for privacy, reverse proxies are employed at the server level—commonly for load balancing or security—but in this case were maliciously repurposed to capture and tamper with sensitive web traffic.
Figure 3 – Reverse Proxy functionality (Source - Sucuri)
The disguised PHP script, masquerading as a .gif file, intercepted HTTP headers, body content, POST data (including login forms and file uploads), and even raw file contents. These were silently exfiltrated to the attacker’s server. More insidiously, the malware would modify HTTP responses before sending them back to users: rewriting headers, adjusting cookies to match the Magento domain, and stripping redirects that could expose the malicious infrastructure. The attackers took great care to maintain the illusion of legitimacy, ensuring all requests and responses appeared normal to both end users and administrators, effectively laundering all website activity through a fake image file with reverse-proxy functionality. The malicious code was present across all pages, making the entire site’s traffic subject to covert surveillance and data theft.
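The fake .gif and its reversed, base64-encoded backend_url described above can be hunted for offline. The following is an added example, not Sucuri's code or part of the original article: it walks a Magento media directory, flags files whose image extension does not match their header bytes, and tries to decode any long base64 literal inside them, in both orders, into a URL. The strrev() wrapper and the C2 placeholder URL in the constructed sample are assumptions, not values from the report.

```python
import base64
import re
import tempfile
from pathlib import Path
# Header bytes a genuine image starts with; a file under an image extension
# that lacks them (like the report's line.gif) deserves a closer look.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
PHP_TAG = re.compile(rb"<\?php|<\?=")
B64_LITERAL = re.compile(rb"[A-Za-z0-9+/=]{24,}")

def decode_hidden_url(blob):
    """Return the first URL hidden as base64, plain or reversed (the report's
    backend_url was stored reversed and base64-encoded), else None."""
    for m in B64_LITERAL.finditer(blob):
        for candidate in (m.group(0), m.group(0)[::-1]):
            try:
                text = base64.b64decode(candidate, validate=True).decode("ascii")
            except ValueError:  # bad base64 (binascii.Error) or non-ASCII output
                continue
            if text.startswith(("http://", "https://")):
                return text
    return None

def inspect_image_file(path):
    """Report a file whose extension claims 'image' but whose bytes do not."""
    magics = IMAGE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return None
    data = path.read_bytes()
    if data.startswith(magics):
        return None  # genuine image header, nothing to report
    return {"path": str(path), "php": bool(PHP_TAG.search(data)),
            "backend_url": decode_hidden_url(data)}

def scan_media(root):
    """Walk a Magento media tree and collect disguised non-image files."""
    return [f for p in sorted(Path(root).rglob("*")) if p.is_file() and (f := inspect_image_file(p))]

def build_constructed_sample():
    """Constructed sample tree with a placeholder C2 URL (not the real site or address)."""
    root = Path(tempfile.mkdtemp(prefix="magento_media_"))
    img = root / "magentothem" / "img"
    img.mkdir(parents=True)
    (img / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
    hidden = base64.b64encode(b"http://c2.example.invalid/positions/placeholder/")[::-1]
    (img / "line.gif").write_bytes(b"<?php $backend_url = base64_decode(strrev('" + hidden + b"')); ?>")
    return root
```

Run scan_media() against the site's real media directory (or any upload tree) rather than the constructed sample to get findings worth acting on.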
Figure 4 - Reverse proxy tampering with the requests (Source - Sucuri)
The second malicious component was embedded within the Magento checkout template file onestepcheckout.phtml. This JavaScript injection was smaller in size but operated in precise coordination with the earlier fake “Bing” script, creating a multi-stage, user-specific attack. The injected code manipulated the browser’s navigator.userAgent string, stripping out non-digit characters to generate a unique identifier.
Figure 5 – Injected code (Source - Sucuri)
This key was then used to query the browser’s sessionStorage, acting as a trigger mechanism. If the expected marker was found—likely planted earlier by the reverse-proxy malware—the payload would execute. By leveraging sessionStorage, the malware ensured that data theft was tightly scoped to the current browser session and would self-erase upon the session’s end, leaving minimal forensic evidence behind.
Notably, this second-stage injection did not contain any hardcoded exfiltration endpoints, further complicating detection. All card-skimming and malicious behavior occurred entirely client-side, initiated only when certain conditions were met, making the operation highly stealthy and targeted. In essence, the fake Bing script acted as the trigger and session initializer, while the checkout template injection acted as the execution stage, harvesting data at the critical moment when payment details were entered, then vanishing without a trace once the session closed.
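A defender reviewing checkout templates can look for the trigger shape described above. This is an added example, not code from the original article: it pulls inline script blocks out of .phtml files and flags those that combine a navigator.userAgent key with non-digits stripped and a sessionStorage lookup. The constructed onestepcheckout.phtml and its stub trigger are assumptions, not the injected code itself.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# Traits of the second-stage trigger: a key derived from navigator.userAgent
# with non-digits stripped, then a sessionStorage lookup on that key.
TRAITS = {
    "user_agent_key": re.compile(r"navigator\s*\.\s*userAgent"),
    "digit_strip": re.compile(r"replace\s*\(\s*/(?:\\D|\[\^0-9\]|\[\^\\d\])/g"),
    "session_storage": re.compile(r"sessionStorage\s*\.\s*getItem|sessionStorage\s*\["),
}

def score_script(js):
    """Return which traits a script shows; 'suspicious' means all of them together."""
    hits = {name: bool(rx.search(js)) for name, rx in TRAITS.items()}
    hits["suspicious"] = all(hits.values())
    return hits

def scan_templates(root):
    """Scan every .phtml under root and report inline scripts matching all traits."""
    findings = []
    for tpl in sorted(Path(root).rglob("*.phtml")):
        for i, js in enumerate(SCRIPT_BLOCK.findall(tpl.read_text(errors="replace"))):
            hits = score_script(js)
            if hits["suspicious"]:
                findings.append({"file": str(tpl), "script_index": i, **hits})
    return findings

def build_constructed_template():
    """Constructed checkout template: one benign script and one trigger-shaped stub."""
    root = Path(tempfile.mkdtemp(prefix="magento_tpl_"))
    benign = "<script>document.getElementById('qty').value = '1';</script>"
    trigger = ("<script>var k = navigator.userAgent.replace(/\\D/g, '');"
               "if (sessionStorage.getItem(k)) { /* second-stage body omitted */ }</script>")
    (root / "onestepcheckout.phtml").write_text("<div>checkout</div>" + benign + trigger)
    return root
```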
Recommendations
Keep all software, plugins, and browsers updated with the latest security patches.
Avoid using outdated systems like Magento 1 and migrate to supported versions such as Magento 2.
Use a web application firewall (WAF) to block malicious traffic and protect against common attack vectors.
Conduct regular security scans and monitoring to detect malware or unauthorized changes.
Enforce strong passwords, limit admin access, and enable two-factor authentication where possible.
Use antivirus software and browser security extensions like script blockers to prevent malicious activity.
Shop only on websites with HTTPS and a trusted reputation; avoid sites that look outdated or unmaintained.
Hire cybersecurity professionals if you’re not equipped to handle web security on your own.
Conclusion
This campaign highlights the evolving sophistication of web skimming and carding attacks targeting outdated and vulnerable e-commerce platforms. By combining obfuscated JavaScript, reverse-proxy functionality, and session-based triggers, the attackers executed a stealthy, multi-stage operation capable of intercepting sensitive user data with minimal visibility. Such threats underscore the importance of maintaining up-to-date software, conducting regular security audits, and monitoring for unusual activity both client- and server-side. As long as there are opportunities to exploit neglected systems, tactics like these will continue to persist, making proactive defense essential for both site owners and users alike.