Payment Skimmers in Disguise: Cybercriminals Use Image Tags to Steal Credit Card Data

Cybercriminals Exploit Onerror Event in Image Tags to Deploy Payment Skimmers

Cybercriminals are constantly evolving their tactics to steal sensitive user information, and a new method leveraging the onerror event in HTML image tags has emerged as a stealthy way to deploy payment skimmers. This technique allows attackers to steal credit card data from unsuspecting users by injecting malicious scripts into compromised websites.

How the Attack Works

1. Injection of Malicious Image Tags – Hackers insert <img> tags with a broken image source into payment checkout pages.
2. Onerror Event Execution – When the browser fails to load the image, the onerror event triggers, executing a malicious JavaScript payload.
3. Data Exfiltration – The script captures credit card details entered by the user and sends them to a remote server controlled by the attacker.

Why is this Dangerous?

• Difficult to Detect – Unlike traditional JavaScript-based skimmers, this technique bypasses some security filters as it appears to be a legitimate image element.
• No External Script References – The payload can be embedded directly within the HTML, reducing reliance on external malicious domains.
• Affects Any Website with User Input Fields – Any platform handling payment transactions, especially e-commerce websites, is vulnerable.
  

Prevention Measures

• Content Security Policy (CSP) – Restrict script execution to trusted domains.
• Input Validation & Sanitization – Prevent unauthorized HTML injection.
• Regular Security Audits – Scan for suspicious <img> tags and JavaScript events.

Conclusion

The exploitation of the onerror event in image tags showcases how cybercriminals innovate to evade detection. Website administrators must stay vigilant, implement security best practices, and regularly monitor for such threats to safeguard users’ financial data.