Magecart Hackers Now Hide PHP-Based Backdoor in Website Favicons

Magecart Hackers Now Hide PHP-Based Backdoor in Website Favicons

Recently, security researchers have observed criminal activity in the realm of the cyber world by a cybercriminal group named Magecart hackers. The Magecart group distributes malicious PHP web shells to steal financial information from their users. Masqueraded as a favicon, the distribution of web shells takes place to feed JavaScript skimmers into online shopping platforms running Magento 1.x.

Are you looking for cloud security services? We are here to validate your compliance to maintain your compliance.


It is well-known that the Magecart group continuously distributes new malware in its attempt to steal card data from shopping websites. Essentially, cybercriminals leverage web shells to establish remote access by exploiting the vulnerability on eCommerce websites. The Magecart hackers in the currently observed campaign infect online eCommerce stores by injecting JavaScript code through server-side requests dynamically. They use malicious PHP web shells known as Smilodon or Megalodon for this reason. It is counterintuitive since skimmers work by invoking a client-side request to an external JavaScript resource held on an attacker-administered domain.

Dynamically Loaded Skimmer

Although there exist several means to load skimming code, the most usual one is invoking an external JavaScript resource. The browser requests a domain hosting the skimmer when a customer hits an online store. Through an IP data approach, it is comparatively easy to prevent these skimmers. Nevertheless, cybercriminals constantly develop their infrastructure.

The PHP-based Skimmer Distribution Process

Magecart hackers launch the attack through a PHP-based web shell into the vulnerable website. They conduct the activity by supplanting the rightful shortcut icon tags with a path to the fabricated PNG file. Upon further investigation, researchers discovered the m1_2021_force directory. It shows additional code specific to credit card skimming.

A consortium of different cybercriminal groups targeting shopping cart systems called Magecart has adopted injecting web skimmers on eCommerce websites. It is a proven modality to steal credit card details. The skimmers take the shape of JavaScript code that the operators secretly incorporate into payment pages of eCommerce websites. The objective is to withdraw the credit card details of customers and send them to a remote server.

Adoption of a Wide Range of Attack Vectors

Intending to capture payment data, Magecart hackers have adopted a broad spectrum of attack vectors over the last few months. The cybercrime syndicate has amplified in its bid to compromise online stores. It engages in conducting IDN homograph attacks to feed web skimmers masqueraded as a favicon. More so, it conceals card stealer code within image metadata. On top of that, it also uses Telegram and Google Analytics as an exfiltration channel.


Proactive security is the need of an hour when the online world has been under the constant radar from criminal elements. In such a scenario, it is an obligation on the part of online merchants to keep their stores up to the minute. Moreover, they need to maintain the trust buyers placed in them. While as a buyer, you need to exercise due diligence when doing online shopping. Besides, you need to have security tools installed on your devices to have a safer online experience.


The hands of Magecart group behind the PHP-based web shells

Researchers observed a new wave of PHP-based skimmer

Distribution of new PHP-based Web Skimmer

Magecart hackers hide PHP-based skimmer