“We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot,” wrote Jerome Segura, Malwarebytes Director of Threat Intelligence, in a blog post.
The attack in question here is Magecart, in which attackers inject malicious code into online shopping websites to steal customers’ credit card details as they are entered on the checkout page. These details are then sent to a server under the attackers’ control, where they are collected and used for fraudulent purchases or sold on the dark web.
Well-known companies such as Claire’s, Tupperware, Smith & Wesson, Macy’s, and British Airways have been victims of Magecart attacks.
The concept of hiding malicious code within image files is an old technique, but this is the first time that it’s been caught hiding behind a site’s favicon, which is a file containing one or more small icons, associated with a particular website or web page.
The Malwarebytes team detected the malicious code on an online store running the WooCommerce plugin for WordPress. WooCommerce is increasingly targeted by cybercriminals because of its large market share.
“The attack is a variation that uses favicons, but with a twist. Malicious code was tracked back to a malicious domain, cddn[.]site, that is loaded via a favicon file. While the code itself did not appear malicious at first glance, a field called ‘Copyright’ in the metadata field loaded the card skimmer using an <img> header tag, specifically via an HTML onerror event, which triggers if an error occurs when loading an external resource,” as explained by ZDNet.
Once the e-commerce site loads this malicious code, it steals the payment card information the customer enters on the checkout page: card number, expiration date and CVV, along with the cardholder’s name and address.
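The favicon trick described above hides an HTML tag inside an image’s text metadata, so a defensive check is to parse those fields directly instead of trusting a file because it renders. The scanner below is an added example, not code from Malwarebytes or ZDNet; it assumes a PNG favicon (the article does not state the file format), reads the PNG text chunks, flags any field that looks like markup or an event handler, and runs against a constructed 1x1 favicon whose Copyright field carries the reported pattern.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic: markup or event-handler syntax has no business inside image metadata.
SUSPICIOUS = re.compile(r"<\s*[a-z]+|\bon[a-z]+\s*=|javascript:", re.I)

def png_text_fields(data: bytes) -> dict:
    """Return {keyword: text} for every tEXt, zTXt and iTXt chunk in a PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    fields, pos = {}, len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4-byte length + 4-byte type + body + 4-byte CRC
        key, _, rest = body.partition(b"\x00")
        if ctype == b"tEXt":          # keyword NUL text
            text = rest
        elif ctype == b"zTXt":        # keyword NUL method zlib(text)
            text = zlib.decompress(rest[1:])
        elif ctype == b"iTXt":        # keyword NUL flag method lang NUL xkey NUL text
            compressed = rest[0] == 1
            _, _, rest = rest[2:].partition(b"\x00")
            _, _, text = rest.partition(b"\x00")
            text = zlib.decompress(text) if compressed else text
        else:
            continue
        fields[key.decode("latin-1")] = text.decode("utf-8", "replace")
    return fields

def suspicious_fields(data: bytes) -> list:
    """Names of metadata fields whose text looks like HTML or script."""
    return [k for k, v in png_text_fields(data).items() if SUSPICIOUS.search(v)]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed 1x1 greyscale favicon: a harmless Author field plus a Copyright
# field carrying an <img> tag with an onerror handler (the body is a placeholder).
SAMPLE_FAVICON = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"tEXt", b"Author\x00Shop design team")
    + _chunk(b"tEXt", b'Copyright\x00<img src=x onerror="loader placeholder">')
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _chunk(b"IEND", b"")
)
```

Running `suspicious_fields(SAMPLE_FAVICON)` flags only the Copyright field; the same check can be run over every image a store serves, not just the favicon.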
Because these card-stealing scripts can be hidden anywhere, the attack is far more dangerous: neither security software nor web developers can tell that something may be wrong.
The Malwarebytes team has linked the attack to a threat actor group known as ‘Magecart 9’, which has previously used WebSockets to evade detection.