Hackers are always evolving their tactics to stay one step ahead of security companies. A recent example is the hiding of a malicious credit card skimming script in the EXIF data of a favicon image to evade detection.
The stolen card data is then sent to a server under the attackers' control, where it is collected and used for fraudulent purchases or sold on dark web criminal markets.
Continually evolving to better steal your credit cards
In a new report by Malwarebytes, an online store using the WordPress WooCommerce plugin was found to be infected with a Magecart script that steals customers' credit cards.
What made this attack stand out was that the script used to capture data from payment forms was not added directly to the site, but was stored in the EXIF data of a favicon image hosted on a remote server.
When an image is created, its author or the camera can embed metadata such as the artist who created it, details about the camera, a copyright notice, and even the location where the picture was taken.
This metadata is stored in the Exchangeable Image File Format (EXIF), commonly referred to as EXIF data.
In this attack, the threat actors compromised a website and added what looks like a harmless script that loads a favicon image from a remote server and does some processing on it.
Once the favicon was loaded into the page, that loader script extracted the malicious skimmer code embedded in the image's EXIF data and executed it in the browser.
Once the skimmer was running, any credit card information submitted on checkout pages was sent back to the attackers, who could collect it at their leisure.
As the card stealing code is not stored on the hacked site itself, but hidden inside what looks like ordinary image metadata on another server, it is harder for security software or even web developers to notice that something is wrong.
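One practical check a site owner or responder can run is to inspect the EXIF text fields of every favicon and image a page loads and flag any that contain JavaScript rather than plain text. The following script is an added example written for this article; it is not code from the Malwarebytes report or from the skimming kit. It assumes the payload sits in a standard ASCII tag of the first image file directory (the Copyright tag is used here as the illustrative field, since the page only says "EXIF data"), parses the JPEG APP1/TIFF structure by hand so it runs offline, and builds its own constructed JPEG fixtures for a benign and a suspicious case.

```python
import re
import struct

# Standard EXIF/TIFF tags in IFD0 that hold free-form ASCII text.
TEXT_TAGS = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x013B: "Artist",
    0x8298: "Copyright",
}

# Heuristic markers of JavaScript in a field that should only hold plain text.
JS_MARKERS = re.compile(
    r"eval\(|new Function|document\.|window\.|XMLHttpRequest|fetch\(|"
    r"atob\(|addEventListener|\bfunction\b|=>|\.src\s*="
)


def exif_text_fields(data: bytes) -> dict:
    """Return {tag_name: text} for ASCII tags in IFD0 of the first Exif APP1 segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_tiff(payload[6:])
    return {}


def _parse_tiff(tiff: bytes) -> dict:
    """Walk IFD0 of an embedded TIFF structure and collect ASCII text tags."""
    order = tiff[:2]
    if order == b"II":
        end = "<"          # little-endian
    elif order == b"MM":
        end = ">"          # big-endian
    else:
        raise ValueError("bad TIFF byte order")
    ifd_off = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd_off:ifd_off + 2])[0]
    fields = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", tiff[e:e + 8])
        if tag not in TEXT_TAGS or typ != 2:   # type 2 = ASCII
            continue
        # Values of 4 bytes or fewer are stored inline; longer ones via an offset.
        if n <= 4:
            raw = tiff[e + 8:e + 8 + n]
        else:
            off = struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        fields[TEXT_TAGS[tag]] = raw.rstrip(b"\x00").decode("latin-1")
    return fields


def suspicious_fields(data: bytes) -> dict:
    """Return only the EXIF text fields whose content looks like JavaScript."""
    return {k: v for k, v in exif_text_fields(data).items() if JS_MARKERS.search(v)}


def build_jpeg_with_copyright(text: str) -> bytes:
    """Construct a minimal JPEG whose EXIF Copyright tag holds `text` (test fixture)."""
    value = text.encode("latin-1") + b"\x00"
    ifd = struct.pack("<H", 1)                                  # one entry
    ifd += struct.pack("<HHII", 0x8298, 2, len(value), 26)     # value follows IFD
    ifd += struct.pack("<I", 0)                                 # no next IFD
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + value
    app1 = b"Exif\x00\x00" + tiff
    seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return b"\xff\xd8" + seg + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed fixtures: a normal copyright notice and an illustrative JS fragment.
    benign = build_jpeg_with_copyright("Copyright 2020 Example Corp")
    odd = build_jpeg_with_copyright("(function(){var f=document.querySelector('form')})()")
    print("benign:", suspicious_fields(benign))
    print("suspicious:", suspicious_fields(odd))
```

Run it against real files with `suspicious_fields(open("favicon.ico.jpg", "rb").read())`; a favicon whose Copyright, Artist or ImageDescription field contains `document.` or `function` has no legitimate reason to, and is worth pulling for manual review. The check only reads IFD0; extending it to the Exif sub-IFD (tag 0x8769, where UserComment lives) follows the same entry layout.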
Malwarebytes was able to find the kit that was used to build and carry out this Magecart attack. After further analysis, it was determined that the attack might be linked to a threat actor group known as 'Magecart 9'.