Card skimming attacks have long been a menace for the e-commerce industry. Recently, another attack strategy has surfaced online where the attackers hide credit card skimmers in image files flooding the websites.
Credit Card Skimmers In Image Files
Reportedly, Malwarebytes has discovered a new type of card skimming attacks. In this method, the attackers hide the credit card skimmers in the metadata of image files. Consequently, these malicious images facilitate the attackers in stealing customers’ data. They have shared the details of their findings in a blog post.
Briefly, in this strategy, the attackers exploit a form of steganography – a process of embedding malicious payloads in images.
Though exploiting images for malicious purposes is nothing new. Yet, what’s different here is the use of image files not only to spread the malware but also to steal data.
The attack caught the researchers’ attention after they noticed a malicious image on a WordPress website using the WooCommerce Plugin.
A closer examination of the image then revealed that the attackers have embedded malicious code in the image’s EXIF metadata. This malicious code imports a favicon file from another domain, which bears the card skimmer code in the Copyright tag of its metadata.
However, it doesn’t send this stolen information to the C&C server as a text. Rather, the malware transmits it as an image file via a POST request.
Connection With Magecart Group 9
Further analysis of the malware lets the researchers establish a link between the new skimming attack and other skimmers. Precisely, they could relate the campaign to Magecart group 9 due to the similarities of host and registrar.
Once again, WordPress site owners and the admins of online stores need to remain very careful about the security of their sites. Make sure to have all the plugins updated, all bugs patched, and use robust website security solutions to stay safe.