Magento Carding Attack Leverages Fake GIFs and Proxy Malware



A multi-stage carding attack targeted a Magento eCommerce site running version 1.9.2.4, a Magento 1.x release that has been unsupported since June 2020. The unpatched installation let the attackers plant a PHP script disguised as a .gif image, inject JavaScript that used the browser's sessionStorage as a trigger, and route checkout traffic through a reverse proxy that harvested credit card data, credentials, cookies, and session tokens.

The attack also disrupted the checkout process, which underlines the risk of postponing updates, particularly on complex platforms like Magento where upgrades are costly and time-consuming.

Attack Details: Fake GIFs and Reverse Proxy Tricks

The attack started with suspicious JavaScript inserted between two legitimate Bing tracking tags on the checkout page, a spot where one more tracker-looking block is easy to overlook.

The code assembled its strings from fragments, joining “rep” and “lace” into “replace”, for instance, while skipping decoy fragments such as “bing”, so that the path to a Magento media folder it built never appeared as a readable string in the page source.

That path, “/media/magentothem/img/line.gif,” pointed to a file with an image extension that was in fact a malicious PHP script, not a GIF.

A hidden “backend_url” setting pointed to a remote server (217.12.207.38) running a reverse proxy.
Rather than forwarding traffic anonymously as an ordinary proxy or VPN would, this server sat between the shopper and the real store: it relayed each request to the origin and returned the origin's response, so pages looked normal to customers and administrators, while copying every header, POST body, cookie, and session token that passed through it.

To keep the real server hidden, it rewrote Location headers and cookies so that redirects and sessions kept pointing back at the proxy.
A second injection lived in the checkout template (onestepcheckout.phtml). It derived a key from the visitor's browser characteristics and used that key in sessionStorage to decide when to run its hidden payload, which let it skim card data during checkout.
Because sessionStorage is discarded when the browser tab closes, the trigger left few lasting traces on the victim's machine.
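The traits described above (a script wedged between tracker tags, strings built from fragment arrays, an image path under /media/ used as an endpoint, a “backend_url”, and a browser-derived sessionStorage key) can be checked for statically. The following is an added example, not code from the original article or from Magento: it extracts every <script> from a checkout page and flags inline scripts that show two or more of those traits. The sample HTML, including the simplified tracker snippet and the injected block, is constructed for illustration; the injected block mirrors only the traits named in the write-up and does nothing when executed.

```python
"""Static audit of inline <script> blocks on a checkout page (added example)."""
import re
from html.parser import HTMLParser

# Hosts whose tags are expected on a checkout page. Used only to decide
# whether a flagged script sits between known tracker tags.
TRACKER_HOSTS = ("bat.bing.com", "googletagmanager.com",
                 "google-analytics.com", "connect.facebook.net")

# Each indicator is a regex over the inline script text. Two or more hits
# mark a script for review; a single hit is common in benign code.
INDICATORS = {
    # ["rep","bing","lace"] ... .join("")  -> a string assembled from fragments
    "fragment_join": re.compile(
        r"\[\s*(?:['\"][^'\"]{1,8}['\"]\s*,\s*){2,}['\"][^'\"]{1,8}['\"]\s*\]"
        r"[^\n]{0,200}\.join\("),
    # an image path in the media folder referenced from script code
    "image_path_as_endpoint": re.compile(r"/media/[\w./-]*\.(?:gif|png|jpe?g)\b"),
    "session_storage": re.compile(r"\bsessionStorage\b"),
    "backend_url": re.compile(r"\bbackend_url\b"),
    "browser_fingerprint": re.compile(r"navigator\.(?:userAgent|language|platform)"),
}


class ScriptCollector(HTMLParser):
    """Collect (src, inline_text) for every <script> in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_tracker(entry):
    src, text = entry
    blob = (src or "") + " " + text
    return any(host in blob for host in TRACKER_HOSTS)


def audit_checkout_html(html, threshold=2):
    """Return one finding per inline script with at least `threshold` indicator hits."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    scripts = collector.scripts
    findings = []
    for i, (src, text) in enumerate(scripts):
        if src or not text:
            continue  # external scripts are audited by URL/hash comparison elsewhere
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if len(hits) >= threshold:
            between = (i > 0 and _is_tracker(scripts[i - 1])
                       and i + 1 < len(scripts) and _is_tracker(scripts[i + 1]))
            findings.append({"index": i, "indicators": hits,
                             "between_tracker_tags": between,
                             "preview": text[:80]})
    return findings


# Constructed sample: a simplified tracker tag, the injected block, and two
# ordinary script tags. Not a real capture from the compromised site.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script>
(function(w,d,t,r,u){w[u]=w[u]||[];var n=d.createElement(t);n.src=r;n.async=1;
d.head.appendChild(n);})(window,document,"script","//bat.bing.com/bat.js","uetq");
</script>
<script>
var m=["rep","bing","lace"].filter(function(x){return x!=="bing";}).join("");
var backend_url="/media/magentothem/img/line.gif";
var k=window.btoa(navigator.userAgent).slice(0,12);
if(!sessionStorage.getItem(k)){sessionStorage.setItem(k,"1");}
</script>
<script src="//bat.bing.com/bat.js" async></script>
<script src="/js/mage/checkout.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        flag = " (between tracker tags)" if f["between_tracker_tags"] else ""
        print(f"script #{f['index']}: {', '.join(f['indicators'])}{flag}")
```

Run it against the HTML actually served to a browser (after any CDN or tag-manager processing), not the template on disk, since that is where the injected block appeared; the indicator list is a starting point to extend with the vendor snippets your own checkout legitimately carries.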

Recommendations:

Urgently update or migrate unsupported platforms such as Magento 1.x to a supported release (e.g., Magento 2.x) so that known vulnerabilities are actually patched.

Implement file integrity monitoring that covers core files, templates (such as onestepcheckout.phtml), and media directories, so that a new PHP file disguised as an image or a modified template is detected promptly.
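An added example of that check, not code from the original article or from Magento: it flags files whose image extension does not match their leading magic bytes or which contain a PHP open tag (the line.gif case), and it builds a SHA-256 baseline of a directory tree and diffs it against a later snapshot so a dropped file or an edited onestepcheckout.phtml shows up. The demo() scenario is constructed in a temporary directory; the paths inside it are placeholders, not the site's real layout.

```python
"""File integrity and fake-image detection for a Magento document root (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Leading bytes each image format must start with.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Static asset types that must never contain server-side code.
ASSET_EXTS = set(MAGIC) | {".js", ".css", ".svg", ".ico", ".woff", ".woff2"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")


def classify_file(path: Path) -> list[str]:
    """Return the reasons a file is suspicious; an empty list means clean."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    reasons = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"{ext} extension but no {ext} magic bytes")
    if ext in ASSET_EXTS and PHP_OPEN_TAG.search(data):
        reasons.append("PHP open tag inside a static asset")
    return reasons


def _files(root: Path):
    return sorted(p for p in root.rglob("*") if p.is_file())


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> reasons, for every suspicious file under root."""
    out = {}
    for p in _files(root):
        reasons = classify_file(p)
        if reasons:
            out[p.relative_to(root).as_posix()] = reasons
    return out


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in _files(root)}


def diff_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed, or modified between two hash_tree() snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate the two changes the
    article describes (fake GIF dropped, template edited), then rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        img = root / "media" / "magentothem" / "img"
        tpl = root / "templates"          # placeholder path for the template
        img.mkdir(parents=True)
        tpl.mkdir()
        (img / "real.gif").write_bytes(b"GIF89a" + b"\x00" * 32)
        (tpl / "onestepcheckout.phtml").write_text("<?php /* checkout template */ ?>\n")
        baseline = hash_tree(root)

        # Simulated compromise: PHP dropped under a .gif name, template appended to.
        (img / "line.gif").write_bytes(b"<?php /* constructed stand-in, does nothing */ ?>")
        with open(tpl / "onestepcheckout.phtml", "a") as fh:
            fh.write("<script>/* injected */</script>\n")

        return {"suspicious": scan_tree(root),
                "diff": diff_baseline(baseline, hash_tree(root))}


if __name__ == "__main__":
    result = demo()
    for path, reasons in result["suspicious"].items():
        print(f"SUSPICIOUS {path}: {'; '.join(reasons)}")
    for kind, paths in result["diff"].items():
        for path in paths:
            print(f"{kind.upper():9} {path}")
```

The baseline must be stored off the web host (an attacker with the file write access shown here could otherwise update it), and the magic-byte check complements rather than replaces the web server rule that nothing under /media/ is ever executed as PHP.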

Use a Web Application Firewall (WAF) to block injection attacks and to alert on anomalous checkout traffic, such as a disproportionate share of checkout requests arriving from a single unfamiliar IP address, which is what an interposed reverse proxy looks like from the origin.

Regularly audit every third-party script and tracker on critical pages such as checkout, comparing what is actually served to browsers against the vendor's published snippet, so that code slipped in between legitimate tags stands out.

Deploy a Content-Security-Policy (CSP) header that restricts where scripts may load from; a policy that requires a nonce or hash for inline scripts blocks inline code injected without a valid nonce and raises the bar for this class of client-side attack.
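To make the CSP point concrete, the following added example (not code from the original article) evaluates whether a given policy would let an injected inline <script> run, applying the relevant CSP rules: script-src governs scripts and falls back to default-src; an inline script without a nonce or hash executes only if the governing directive lists 'unsafe-inline' and contains no nonce- or hash-source (a nonce or hash source makes browsers ignore 'unsafe-inline'); a script whose nonce the policy lists always executes. The weak and hardened policies, the tracker host, and the nonce value are constructed for the example.

```python
"""Does a Content-Security-Policy let an injected inline <script> run? (added example)"""
import secrets
from typing import Optional

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}.
    Directive names are lowercased; on duplicates the first directive wins, as in browsers."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def script_sources(policy: dict[str, list[str]]):
    """Source list governing <script>, or None when the policy does not restrict scripts."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str, nonce: Optional[str] = None) -> bool:
    """True if an inline <script> (carrying `nonce`, if given) would execute under `header`."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True                      # nothing restricts scripts at all
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True                      # explicitly allow-listed by nonce
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-",) + HASH_PREFIXES) for s in lowered)
    # 'unsafe-inline' only counts when no nonce/hash source is present.
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def make_nonce() -> str:
    """Fresh per-response nonce (128 bits, base64url), which is how CSP nonces must be generated."""
    return secrets.token_urlsafe(16)


def build_hardened_csp(nonce: str, tracker_host: str = "https://bat.bing.com") -> str:
    """Nonce-based policy: the tracker host stays allowed, arbitrary inline code does not."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}' {tracker_host}; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


# Typical permissive policy: 'unsafe-inline' lets any injected inline script run.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://bat.bing.com"

if __name__ == "__main__":
    n = make_nonce()
    hardened = build_hardened_csp(n)
    print("weak policy, injected inline script runs:    ", inline_script_allowed(WEAK_CSP))
    print("hardened policy, injected inline script runs:", inline_script_allowed(hardened))
    print("hardened policy, our nonced inline script:   ", inline_script_allowed(hardened, nonce=n))
```

In practice the nonce has to be minted per response and stamped onto every legitimate inline script tag the templates emit, which on a Magento 1.x site means touching each template that carries inline JavaScript; deploy first in Content-Security-Policy-Report-Only mode to find those before enforcing.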

Monitor outbound network traffic from the web and application tiers for unexpected connections, particularly to unfamiliar IP addresses, so that active exfiltration is caught early.

Perform regular penetration tests that focus on checkout flows, session handling, and third-party integrations, since these are the components this attack abused.

By FirstHackersNews | April 28th, 2025 | 2025-05-01T21:52:06+05:30 | Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security

