Hackers Hijack Onerror Events in Image Tags to Steal Credit Card Information

Understanding the Threat: Onerror Exploitation in Payment Skimming

Cybercriminals are evolving their tactics to evade detection and compromise online transactions. A recent campaign has been identified where attackers embed malicious JavaScript inside <img> tags, utilizing the onerror event to deploy payment skimmers on e-commerce websites.

How the Attack Works

MageCart attackers, notorious for credit card skimming, now use onerror-triggered scripts in image tags to stay undetected. When an image fails to load, instead of simply displaying a broken image icon, the onerror event executes hidden JavaScript code, capturing sensitive payment details during checkout.

Key Steps of the Attack:

1. Injection of Malicious Code – Attackers insert <img> tags containing Base64-encoded JavaScript within the HTML code of e-commerce websites.
2. Activation on Checkout Pages – The script remains dormant until users reach the checkout page, ensuring it activates at the most crucial moment.
3. Stealing Payment Data – The script injects a hidden form to collect Card Number, Expiration Date, and CVV.
4. Exfiltration of Data – Stolen details are sent to a remote server controlled by cybercriminals.

Why This Attack Is Dangerous

• Difficult to Detect – Image tags are commonly trusted elements in HTML, making security scans less likely to flag the attack.
• No Visible Changes – The skimmer operates silently, ensuring users do not notice unauthorized data collection.
• Targets Popular Platforms – Magento, WooCommerce, and PrestaShop are among the major platforms affected by these tactics.

Defensive Measures for E-Commerce Businesses

1. Implement Content Security Policies (CSP)

• Restrict script execution from untrusted sources.
• Define allowed image sources to prevent malicious image tags.

2. Conduct Regular Security Audits

• Scan for unusual <img> tags containing Base64 or JavaScript references.
• Use intrusion detection systems (IDS) to monitor changes in checkout pages.

3. Enable Web Application Firewalls (WAF)

• Block unauthorized scripts and prevent exploitation of onerror events.
• Use behaviour-based detection to identify skimmer activity.

4. Secure Payment Gateways

• Enforce tokenization and encryption for transactions.
• Implement multi-factor authentication (MFA) for administrative access.

Indian Cyber Security Solutions (ICSS) and Our Commitment to Security

At Indian Cyber Security Solutions (ICSS), we provide comprehensive cybersecurity solutions to protect businesses from emerging threats. Our expertise helps organizations secure sensitive data, prevent unauthorized access, and strengthen digital defences against evolving cyber risks. By adopting proactive security measures, we ensure businesses remain resilient against sophisticated attacks.

Learn more about how we can secure your business at Indian Cyber Security Solutions