Hackers found web skimming online stores through image metadata
Earlier we saw how hackers used a website's favicon to hide a web skimmer that collects credit card details. Now researchers at Malwarebytes have found that the hackers have targeted another batch of online stores and managed to hide their web skimmer in the EXIF metadata of an image served from the stores. Web skimming is a form of internet or carding fraud in which a payment page on a website is compromised by injecting malware onto the page, usually by compromising a third-party script service, in order to steal payment information.
A report in 2016 suggested that as many as 6,000 e-commerce sites may have been compromised via this class of attack. In 2018, British Airways had 380,000 card details stolen via this class of attack. A similar attack affected Ticketmaster the same year, with 40,000 customers affected by maliciously injected code on payment pages.
“When we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had described in a previous blog. However, it turned out to be different and even more devious. We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot,” said Malwarebytes.
The initial JavaScript is loaded from an online store running the WooCommerce plugin for WordPress, where extraneous code had been appended to a legitimate script hosted by the merchant.
As in the Google Analytics web skimming campaign we reported on earlier, the threat actor tries to hide the malicious activity using a classic anti-debugging technique.
Malwarebytes further said “The offending code loads a favicon file from cddn[.]site/favicon.ico which turns out to be the same favicon used by the compromised store (a logo of their brand). This is an artifact of skimming code that’s been observed publicly and that we refer to as Google loop.”
The threat actors probably decided to stick with the image theme and also conceal the exfiltrated data via the favicon.ico file. The security researchers found a copy of the skimmer toolkit's source code in an open directory of a compromised site, which allowed them to understand how the favicon.ico file is crafted with the injected script inside the Copyright field.
The script loads a favicon file identical to the favicon used by the compromised store (a logo of their brand), and the web skimmer is loaded from the Copyright metadata field of this image. The skimmer is designed to grab the content of the input fields where online shoppers enter their name, billing address, and credit card details, just as other similar code does.
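As an added example, not taken from the Malwarebytes report or from this article, here is a defender-side check in Python that parses the EXIF Copyright field (tag 0x8298) of a JPEG, whatever the file is named, and flags values that look like script rather than a copyright notice. The sample image and the list of suspicious substrings are constructed here and are assumptions, not values from the report.

```python
import struct

COPYRIGHT_TAG = 0x8298  # EXIF/TIFF "Copyright" tag, where the skimmer was stored
SUSPICIOUS = (b"eval(", b"<script", b"document.", b"fromCharCode", b"atob(")  # heuristic list


def exif_copyright(data: bytes):
    """Return the EXIF Copyright value of a JPEG (even one named favicon.ico), or None."""
    if data[:2] != b"\xff\xd8":  # not a JPEG: no EXIF segment to inspect
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):  # APP1 / Exif segment
            return _copyright_from_tiff(seg[6:])
        if marker == 0xDA:  # start of scan: metadata segments are over
            break
        pos += 2 + seg_len
    return None


def _copyright_from_tiff(tiff: bytes):
    """Walk IFD0 of the embedded TIFF structure and pull tag 0x8298 (type 2 = ASCII)."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        tag, typ, n, val = struct.unpack(endian + "HHI4s", tiff[ifd + 2 + 12 * i:][:12])
        if tag == COPYRIGHT_TAG and typ == 2:
            if n <= 4:  # short values are stored inline in the 4-byte value field
                return val[:n].rstrip(b"\x00")
            off = struct.unpack(endian + "I", val)[0]
            return tiff[off:off + n].rstrip(b"\x00")
    return None


def is_suspicious(copyright_value):
    """Flag a Copyright field that looks like JavaScript rather than a notice."""
    return copyright_value is not None and any(m in copyright_value for m in SUSPICIOUS)


def build_jpeg(copyright_text: bytes) -> bytes:
    """Constructed sample: a minimal JPEG whose only metadata is an EXIF Copyright tag."""
    value = copyright_text + b"\x00"
    # little-endian TIFF, IFD0 at offset 8 with one entry; value stored out of line at 26
    entry = struct.pack("<HHII", COPYRIGHT_TAG, 2, len(value), 26)
    tiff = b"II*\x00" + struct.pack("<IH", 8, 1) + entry + b"\x00\x00\x00\x00" + value
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `is_suspicious(exif_copyright(open("favicon.ico", "rb").read()))` over the images a store serves gives a cheap first-pass check that a real notice passes and a script-bearing field fails.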
Malwarebytes has reported a clever hacking campaign undertaken by one such group of hackers, who installed a web skimmer behind the favicon of the website.