Hackers hide web skimmer behind a website's favicon

LASER_oneXM

Feb 4, 2016
Hackers created a fake image-hosting portal to hide a web skimming operation.

In one of the most complex and innovative hacking campaigns detected to date, a hacker group created a fake icons hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers refer to these days as web skimming, e-skimming, or a Magecart attack.
Hackers breach websites and then hide malicious code on their pages, code that records and steals payment card details as they're entered in checkout forms.

Web skimming attacks have been going on for almost four years, and as security firms are getting better at detecting them, attackers are also getting craftier.
... ...
 

CyberTech

Nov 10, 2017
Hackers are always evolving their tactics to stay one step ahead of security companies. A perfect example of this is the hiding of malicious credit card stealing scripts in the EXIF data of a favicon image to evade detection.

A common attack used to steal credit cards is to hack the website and inject malicious JavaScript scripts that steal submitted payment information when a customer makes a purchase.

These stolen credit cards are then sent back to a server under the control of the threat actors where they are collected and used for fraudulent purchases or to sell on dark web criminal markets.

These types of attacks are called Magecart and have been used on websites for well-known companies such as Claire's, Tupperware, Smith & Wesson, Macy's, and British Airways.


 

Stopspying

Jan 21, 2018
"They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection.
When we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had described in a previous blog. However, it turned out to be different and even more devious.
We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot.
During this research, we came across the source code for this skimmer which confirmed what we were seeing via client-side JavaScript. We also identified connections to other scripts based on various data points."
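
An added illustration for defenders, not part of any post in this thread or of the quoted research: a check that walks a JPEG's metadata segments and flags script-like strings of the kind a skimmer hidden in image metadata would leave. It assumes the image is a JPEG; the token list, the helper names and the sample bytes are constructed for this example.

```python
import re
import struct

# Illustrative tokens that have no business in image metadata (assumed list, tune as needed).
SCRIPT_HINTS = re.compile(
    rb"<script|eval\s*\(|atob\s*\(|fromCharCode|document\.|new\s+Function|XMLHttpRequest",
    re.IGNORECASE,
)

def jpeg_metadata_segments(data: bytes):
    """Yield (segment_name, payload) for APPn and COM segments before the image scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:  # APP0..APP15; EXIF lives in APP1
            yield f"APP{marker - 0xE0}", payload
        elif marker == 0xFE:  # JPEG comment segment
            yield "COM", payload
        pos += 2 + length

def suspicious_metadata(data: bytes):
    """Return [(segment_name, matched_token)] for metadata that looks like script."""
    hits = []
    for name, payload in jpeg_metadata_segments(data):
        for m in SCRIPT_HINTS.finditer(payload):
            hits.append((name, m.group(0).decode("ascii", "replace")))
    return hits

def make_segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: minimal JPEG framing only, not real images or real skimmer code.
CLEAN = b"\xff\xd8" + make_segment(0xE1, b"Exif\x00\x00Copyright 2020 Example Shop") + b"\xff\xd9"
TAINTED = b"\xff\xd8" + make_segment(0xE1, b"Exif\x00\x00Copyright eval(atob('Y29uc3RydWN0ZWQ='))") + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tainted", TAINTED)):
        print(label, suspicious_metadata(blob))
```

A byte-level match like this only sees ASCII strings in the metadata; text stored in other encodings or in other image formats needs its own parser.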


 
