Cybercriminals making use of online credit card skimmers continue to improve their attack methods, and this time, malicious code has been found buried in image file metadata loaded by e-commerce websites.
According to Jérôme Segura, Malwarebytes Director of Threat Intelligence, the new technique is a way to “hide credit card skimmers in order to evade detection.”
Over the past few years, with the gradual increase of popularity in online shopping — now more so than ever due to the novel coronavirus pandemic — has given rise to cyberattacks dedicated to the covert theft of payment card information used when making online purchases.
Countless e-commerce domains have become victims to Magecart, of which prolific cybercriminal gangs known to specialize in card skimming have been split up and named as separate Magecart groups for tracking purposes.
The cybersecurity firm has explored the new technique, described in a blog post published on Thursday, which is believed to be the handiwork of Magecart Group 9.
Originally, when Malwarebytes stumbled across a suspicious-looking image file, the team thought it may be related to an older technique that uses favicons to hide skimmers, as previously reported by ZDNet. The technique used in documented attacks serves legitimate favicons to the bulk of a website — but saves malicious variants for payment portal pages.
However, it seems Magecart Group 9 has gone further. Card skimmer code was found buried within the EXIF metadata of an image file, which would then be loaded by compromised online stores.
Malwarebytes says the malicious image detected was loaded by a store using a WordPress e-commerce plugin.
The attack is a variation that uses favicons, but with a twist. Malicious code was tracked back to a malicious domain, cddn[.]site, that is loaded via a favicon file. While the code itself did not appear malicious at first glance, a field called “Copyright” in the metadata field loaded the card skimmer using an < img > header tag, specifically via an HTML onerror event, which triggers if an error occurs when loading an external resource.
The Magecart group obfuscated the code within the EXIF data, and unusually, will not simply send stolen data via text to a command-and-control server (C2). Instead, data collected is also sent as image files via POST requests.
“The threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file,” the researchers say.
TechRepublic: Phishing attacks target workers returning to the office
It is thought that Magecart Group 9 is to blame, due to links made by security researcher @AffableKraut to domains and registrars also hosting scripts using the EXIF technique.
This is not the first time that WordPress e-commerce plugins have been connected to security issues over 2020. Several months ago, a bug was discovered in the Flexible Checkout Fields for WooCommerce plugin which permitted attackers to use XSS payloads to create administrator accounts on vulnerable domains.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0