Credit card skimmers are now being buried in image file metadata on e-commerce websites


Cybercriminals making use of online credit card skimmers continue to improve their attack methods, and this time, malicious code has been found buried in image file metadata loaded by e-commerce websites. 

According to Jérôme Segura, Malwarebytes Director of Threat Intelligence, the new technique is a way to “hide credit card skimmers in order to evade detection.”

Over the past few years, with the gradual increase of popularity in online shopping — now more so than ever due to the novel coronavirus pandemic — has given rise to cyberattacks dedicated to the covert theft of payment card information used when making online purchases. 

After well-known brands were hit in quick succession, including Ticketmaster and British Airways, the term ‘Magecart’ was coined for these types of attacks, in which malicious JavaScript is injected into the payment portal pages of vulnerable websites in order to harvest customer details for as long as possible without detection. 

Countless e-commerce domains have become victims to Magecart, of which prolific cybercriminal gangs known to specialize in card skimming have been split up and named as separate Magecart groups for tracking purposes. 

See also: Skimming code battle on NutriBullet website may have risked customer credit card data

The cybersecurity firm has explored the new technique, described in a blog post published on Thursday, which is believed to be the handiwork of Magecart Group 9.

Originally, when Malwarebytes stumbled across a suspicious-looking image file, the team thought it may be related to an older technique that uses favicons to hide skimmers, as previously reported by ZDNet. The technique used in documented attacks serves legitimate favicons to the bulk of a website — but saves malicious variants for payment portal pages.

However, it seems Magecart Group 9 has gone further. Card skimmer code was found buried within the EXIF metadata of an image file, which would then be loaded by compromised online stores. 

Malwarebytes says the malicious image detected was loaded by a store using a WordPress e-commerce plugin. 

The attack is a variation that uses favicons, but with a twist. Malicious code was tracked back to a malicious domain, cddn[.]site, that is loaded via a favicon file. While the code itself did not appear malicious at first glance, a field called “Copyright” in the metadata field loaded the card skimmer using an < img > header tag, specifically via an HTML onerror event, which triggers if an error occurs when loading an external resource.

CNET: Twitter challenges millions of accounts every week to determine if they’re bots or not

When loaded onto a compromised website, the JavaScript grabs input from fields used to submit payment information, including names, billing addresses, and card details. 

The Magecart group obfuscated the code within the EXIF data, and unusually, will not simply send stolen data via text to a command-and-control server (C2). Instead, data collected is also sent as image files via POST requests. 

“The threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file,” the researchers say. 

TechRepublic: Phishing attacks target workers returning to the office

It is thought that Magecart Group 9 is to blame, due to links made by security researcher @AffableKraut to domains and registrars also hosting scripts using the EXIF technique. 

This is not the first time that WordPress e-commerce plugins have been connected to security issues over 2020. Several months ago, a bug was discovered in the Flexible Checkout Fields for WooCommerce plugin which permitted attackers to use XSS payloads to create administrator accounts on vulnerable domains.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0






Source link

Recent articles

‘Comedy Bang! Bang!’ Set to Leave Netflix (again) in August 2020

Comedy Bang! Bang! set to leave Netflix (again) – Picture: IFCComedy Bang! Bang! is currently set to leave Netflix for the second time...

What Hong Kong’s Pandemic Experience Taught Uber About Other Cities

OAKLAND, Calif. — In late February, Uber executives were set to gather in San Francisco to form business plans for the year as...

Carbon monoxide poisoning clue emerges in fatal DHC-2 crash probe | News

Australian investigators have urged operators of piston-engined aircraft to carry out inspection and repair of exhaust systems, after finding that the pilot of...

Twitter is removing ‘master,’ ‘slave’ and ‘blacklist’ from its code

Twitter is dropping the terms "master," "slave" and "blacklist" from its code after two engineers lobbied for the use of more inclusive programming...

Botswana reports mysterious deaths of hundreds of elephants | News

Hundreds of elephants have died mysteriously in Botswana's famed Okavango Delta, according to an official who ruled out poaching as the tusks were...

Xbox Insider Release Notes – Beta, Delta and Omega (2007.200630-0000)

Hey Xbox Insiders! We have a new Xbox One update preview coming to the Beta, Delta and Omega ring. It’s important...

Leave a reply

Please enter your comment!
Please enter your name here