Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


Magecart Group Hides Skimming Malware in EXIF Data

Magecart (Group 9): Hiding card skimming code within a website is not a new tactic used by threat actors. Normally, this malware is inserted into a compromised website by modifying existing JavaScript code or loading a remote script directly, but in a new attack discovered by researchers at Malwarebytes, the malicious JavaScript code is hidden inside the EXIF (Exchangeable Image File Format) data of a favicon image to evade detection. The attack was seen on a website based on WordPress and using the WooCommerce plugin. Hiding code inside image headers, as was done in this attack, is not a new tactic, but is the first time Malwarebytes witnessed the abuse being used for a credit card skimmer. In this case, the threat actor managed to compromise the website and add a simple script that inserts the remote favicon image from cddn[.]site/favicon.ico—a minor change that would not be likely to seem suspicious to anyone reviewing the changes to the code on the compromised site. Once the image is loaded onto the website, any credit card data entered into the page is recorded and sent to the threat actor.

Analyst Notes

Researchers managed to link this attack to Magecart Group 9 based on a technique they have witnessed from the group in the past, including the use of web sockets to evade detection. Online shopping, especially during the COVID-19 pandemic, has increased. Attackers have been able to profit from the boom in online sales by injecting skimmers into websites to steal payment card data. When shopping online, it is a good practice to use a credit card as opposed to a debit card or checking account. By doing this, if the card is compromised and the attacker does sell or use the card for purchases, the money that is taken is not the victim’s, but the credit card issuer. Shoppers can also pay with one-time use “virtual credit cards” that have short expiration periods and specific limits set, so that if the card gets compromised, the attacker cannot use it to make any other purchases.

More can be read here: