Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack
A sophisticated multi-stage carding attack on a Magento eCommerce website has been uncovered. The malware used a fake gif image file, local browser sessionStorage data, and a malicious reverse-proxy server to steal credit card data, login details, cookies, and other sensitive information. The attack targeted an outdated Magento 1.9.2.4 installation, exploiting its lack of support and security vulnerabilities. The malware injected JavaScript code disguised as Bing tracking code and utilized a tampered payment file to create a user-specific attack. This advanced technique allowed the attackers to intercept and manipulate all website traffic while remaining undetected by victims and administrators.
AI Analysis
Technical Summary
This threat describes a sophisticated multi-stage card skimming attack targeting Magento eCommerce websites, specifically exploiting an outdated Magento 1.9.2.4 installation. The attackers leverage a combination of advanced techniques to stealthily intercept and exfiltrate sensitive customer data, including credit card details, login credentials, cookies, and other session information. The attack begins with the injection of malicious JavaScript code disguised as legitimate Bing tracking code embedded into the compromised Magento site. This code interacts with the local browser's sessionStorage to harvest session-specific data, enabling the attackers to tailor the attack to individual users.

A fake GIF image file is used as a decoy or delivery mechanism, likely to evade detection by security tools and administrators. The core of the attack involves a malicious reverse-proxy server that intercepts and manipulates all website traffic between the user and the legitimate Magento server. This reverse proxy setup allows attackers to transparently capture sensitive data during the checkout process without alerting users or site administrators. The use of a tampered payment file further personalizes the attack, ensuring the malicious payload is delivered only to targeted users, thereby reducing the risk of detection.

The attack exploits the lack of security updates and support for Magento 1.9.2.4, which contains known vulnerabilities facilitating code injection and unauthorized access. Indicators of compromise include suspicious URLs such as http://217.12.207.38/positions/02/, associated with the malicious reverse proxy infrastructure. Although no known exploits are currently reported in the wild, the complexity and stealth of this campaign indicate a high level of attacker sophistication and persistence.
Overall, this attack represents a novel combination of reverse-proxy interception, sessionStorage exploitation, and obfuscated JavaScript injection to conduct card skimming on eCommerce platforms.
Potential Impact
For European organizations, particularly those operating Magento-based eCommerce platforms, this threat poses significant risks to customer data confidentiality and business reputation. The theft of credit card information and login credentials can lead to financial fraud, identity theft, and regulatory penalties under GDPR for failing to protect personal data. The stealthy nature of the reverse-proxy attack means traditional monitoring and intrusion detection systems may not easily detect the compromise, allowing attackers to operate undetected for extended periods. This can result in prolonged data exposure and increased financial losses. Additionally, compromised websites may suffer from loss of customer trust and brand damage, which can have long-term commercial consequences.

Given the widespread use of Magento in European retail and the presence of many organizations running legacy versions due to complex customizations or resource constraints, the attack could affect a substantial portion of the market. Furthermore, the attack's ability to manipulate session data and cookies raises concerns about broader account takeover risks and potential lateral movement within affected networks. Although the threat carries a medium severity rating, the attack is sophisticated; its impact can be mitigated with timely detection and response, but failure to address this threat promptly could lead to significant operational disruptions and compliance violations.
Mitigation Recommendations
To effectively mitigate this threat, European organizations should:
- Prioritize upgrading Magento installations to the latest supported versions, as Magento 1.9.2.4 is no longer supported and contains exploitable vulnerabilities. Immediate patching or migration to Magento 2.x is strongly recommended.
- Implement strict Content Security Policy (CSP) headers to prevent unauthorized JavaScript injection by restricting executable script sources.
- Conduct thorough code audits and integrity checks to detect and remove injected malicious scripts, especially those masquerading as legitimate tracking codes.
- Monitor network traffic for unusual patterns, particularly connections to suspicious IP addresses like 217.12.207.38, to aid early detection of reverse-proxy activity.
- Deploy advanced web application firewalls (WAFs) with behavioral analysis capabilities to identify and block anomalous requests associated with sessionStorage exploitation and card skimming attempts.
- Enhance logging and monitoring of sessionStorage access and payment processing workflows to provide indicators of compromise.
- Educate development and security teams about the risks of using outdated eCommerce platforms and the importance of secure coding practices.
- Implement multi-factor authentication (MFA) for administrative access and customer accounts to reduce the risk of credential misuse resulting from data theft.
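The code-audit, IoC-matching, fake-image and CSP measures recommended above, as an added Python example that is not part of this report nor of Sucuri's or AlienVault's material. It audits a checkout page's script and image sources against an allowlist, matches the report's IoC URL in both external sources and inline script bodies, verifies that a file served as a GIF actually carries a GIF signature, and builds a Content-Security-Policy value that permits only the allowlisted hosts. The allowlisted hosts (shop.example, bat.bing.com), the sample checkout HTML with its look-alike host cdn-tracking.example.net, and the sample file bytes are assumptions constructed for the example; the only value taken from the report is the IoC URL.

```python
"""Defender checks for the card-skimming pattern in the report (added example).

Constructed assumptions: the allowlisted hosts, the sample checkout HTML and the
sample file bytes below are illustrative and not from the original report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The one IoC the report publishes.
KNOWN_IOC_URLS = {"http://217.12.207.38/positions/02/"}

# Hosts the shop is expected to load scripts and images from (assumed allowlist).
ALLOWED_HOSTS = {"shop.example", "bat.bing.com"}

# Constructed checkout page: a genuine Bing tag, a look-alike tag on an
# unknown host, and an inline snippet that references the IoC URL.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://bat.bing.com/bat.js"></script>
<script src="https://cdn-tracking.example.net/bat.js"></script>
<script>var beacon = "http://217.12.207.38/positions/02/";</script>
</head><body><img src="/skin/frontend/logo.gif"></body></html>"""

# Constructed file contents: a minimal real GIF header versus a file that
# only carries the .gif name (stand-in for the report's "fake gif").
REAL_GIF_BYTES = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
FAKE_GIF_BYTES = b"var payload = 1;"


class _ResourceCollector(HTMLParser):
    """Collect external resource URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(attrs["src"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())


def extract_resources(html):
    """Return (external resource URLs, inline script bodies) found in the page."""
    parser = _ResourceCollector()
    parser.feed(html)
    return parser.urls, parser.inline_scripts


def unexpected_hosts(urls, allowed=ALLOWED_HOSTS):
    """URLs served from a host outside the allowlist; same-origin relative URLs pass."""
    return [u for u in urls if urlparse(u).hostname not in (None, *allowed)]


def matched_iocs(urls, inline_scripts, iocs=KNOWN_IOC_URLS):
    """Exact IoC hits among resource URLs, plus inline scripts that embed an IoC."""
    hits = [u for u in urls if u in iocs]
    for body in inline_scripts:
        hits.extend(ioc for ioc in iocs if ioc in body)
    return hits


def is_real_gif(data):
    """A genuine GIF begins with the GIF87a or GIF89a signature."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def csp_header(allowed=ALLOWED_HOSTS):
    """script-src and img-src restricted to the allowlist, with no 'unsafe-inline',
    so an injected inline 'tracking' snippet or an off-site image is refused."""
    hosts = " ".join(sorted(f"https://{h}" for h in allowed))
    return (f"default-src 'self'; script-src 'self' {hosts}; "
            f"img-src 'self' {hosts}; object-src 'none'")


def audit_page(html):
    """Run the source and IoC checks on one page and summarise the findings."""
    urls, inline = extract_resources(html)
    return {"unexpected": unexpected_hosts(urls), "iocs": matched_iocs(urls, inline)}


if __name__ == "__main__":
    print(audit_page(SAMPLE_CHECKOUT_HTML))
    print("real gif:", is_real_gif(REAL_GIF_BYTES), "fake gif:", is_real_gif(FAKE_GIF_BYTES))
    print(csp_header())
```

Run `audit_page` over the rendered checkout HTML as served to a browser (the reverse proxy sits in front of the origin, so fetch through the public hostname, not from the web root), and run `is_real_gif` over every `.gif` in the web root during integrity checks. The CSP omits `'unsafe-inline'` deliberately; a shop that relies on its own inline scripts should move to per-response nonces rather than re-enable it.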
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- url: http://217.12.207.38/positions/02/
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.sucuri.net/2025/04/fake-gif-leveraged-in-multi-stage-reverse-proxy-card-skimming-attack.html
- Adversary: (none listed)
- Pulse Id: 680c5278fbbef40e36ef3f9f
Indicators of Compromise
Type | Value | Description
---|---|---
url | http://217.12.207.38/positions/02/ | —
Threat ID: 6833daf00acd01a249283989
Added to database: 5/26/2025, 3:07:28 AM
Last enriched: 6/25/2025, 3:34:20 AM
Last updated: 7/31/2025, 9:22:13 PM