
A sophisticated multi-stage carding attack has been identified targeting Magento eCommerce sites running outdated versions, particularly Magento 1.9.2.4, which has been unsupported since June 2020 [1]. The attack leverages a combination of fake GIF files, reverse-proxy malware, and client-side session tampering to steal credit card data during checkout. This article breaks down the attack flow, technical details, and mitigation strategies.
Attack Overview
The attackers exploited unpatched vulnerabilities in Magento 1.9.2.4, injecting malicious JavaScript disguised as a `.gif` file (`/media/magentothem/img/line.gif`) [2]. The payload included a PHP reverse-proxy loader that intercepted and tampered with requests, masking the attacker's IP (`217.12.207.38`). The malware also abused `sessionStorage` to validate user-specific keys, ensuring the payload only executed during checkout [3].
Technical Breakdown
The attack followed a multi-stage process. First, JavaScript was injected between Bing UET tags on checkout pages, referencing the fake `.gif` file. The reverse-proxy server then captured credit card details, login credentials, and session tokens while rewriting responses to appear legitimate [1]. Secondary injections in `onestepcheckout.phtml` used obfuscated JavaScript to dynamically construct paths and exfiltrate data via concatenated strings (e.g., `rep` + `lace`, ignoring `bing`) [2].
Mitigation Strategies
For administrators, upgrading to supported Magento 2.x versions and applying security patches is critical [4]. Deploying a web application firewall (WAF) to block malicious IPs and monitoring logs for repeated `/guest-carts/
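Two defender-side checks motivated by the fake-`.gif` script injection described in the Technical Breakdown and by the `/guest-carts/` log monitoring recommended above, as an added example that is not code from the original article or the cited reports: one scans checkout-page HTML for `<script src>` values whose path ends in an image extension, the other counts `/guest-carts/` requests per client IP in combined-format access logs. The sample HTML, log lines, client IPs and the `/rest/V1/guest-carts/...` request path are constructed for illustration.

```python
import re
from collections import Counter

# Added example (not from the original article). All sample data is constructed.

IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg", ".svg", ".webp")
# <script ... src="..."> tags; the src value is captured
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Apache/Nginx combined log: client IP, method, path, status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_disguised_scripts(html: str) -> list:
    """Return <script src> URLs whose path ends in an image extension.
    A page has no legitimate reason to execute a .gif as JavaScript."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        path = src.split("?", 1)[0].lower()   # drop any cache-busting query
        if path.endswith(IMAGE_EXTS):
            hits.append(src)
    return hits

def guest_cart_abusers(log_lines, threshold: int) -> dict:
    """Count /guest-carts/ requests per client IP and return those at or
    above threshold; card-testing bursts hit this endpoint repeatedly."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and "/guest-carts/" in m.group(3):
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed checkout fragment: a Bing UET tag followed by the fake .gif script
SAMPLE_HTML = """
<script src="//bat.bing.com/bat.js"></script>
<script src="/media/magentothem/img/line.gif?v=3"></script>
<script src="/js/mage/checkout.js"></script>
"""
# Constructed access-log lines (documentation-range IPs)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /rest/V1/guest-carts/abc/payment-information HTTP/1.1" 400 55',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /rest/V1/guest-carts/abc/payment-information HTTP/1.1" 400 55',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /rest/V1/guest-carts/abc/payment-information HTTP/1.1" 400 55',
    '198.51.100.4 - - [01/Jan/2025:10:00:04 +0000] "GET /checkout/ HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    print(find_disguised_scripts(SAMPLE_HTML))  # ['/media/magentothem/img/line.gif?v=3']
    print(guest_cart_abusers(SAMPLE_LOG, 3))    # {'203.0.113.7': 3}
```

The threshold and time window should be tuned to the store's normal checkout volume before alerting on the second check.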
Relevance to Security Professionals
This attack highlights the risks of running outdated software and the need for robust input validation and session management. The use of reverse-proxy malware to mask exfiltration is a notable evasion technique, requiring advanced detection methods such as behavioral analysis and endpoint monitoring.
Conclusion
The multi-stage carding attack underscores the importance of timely patching and layered security measures. Organizations using Magento should prioritize migration to supported versions and implement proactive monitoring to mitigate similar threats.
References
1. “Advanced Multi-Stage Carding Attack Hits Magento Site Using Fake GIFs and Reverse Proxy Malware,” GBHackers, 2025.
2. “Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack,” Sucuri, 2025.
3. “Magento Carding Vulnerability,” GitHub Issue #28614, 2025.
4. “Carding Attacks on Magento: What Is It and What Can You Do,” Ayko Solutions, 2025.