Recently, attackers associated with credit card skimming attacks known collectively as “Magecart” have begun using image steganography to exfil stolen email data, as originally reported by BleepingComputer. Magecart is a term used to refer to multiple distinct threat groups that target online shopping or ecommerce websites to implant rogue code to steal payment details from checkout pages. Researchers at Sucuri have identified Magecart related campaigns that make use of a PHP file that encodes stolen credit card data as a .jpg file. This .jpg file can then be downloaded by the attackers without raising any alarms, because it blends in to other common external requests to download images. This gives actors a stealthy way of downloading stolen credit card data as website owners might miss the activity when checking for infections.
Magecart Attackers Hide Credit Card Data in Images
Binary Defense recommends that website owners keep all plugins up to date, as a large portion of website compromises occur from vulnerabilities found in out-of-date plugins. Additionally, Binary Defense recommends deploying some form of Web Application Firewall, such as Sucuri’s Firewall. Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s Security Operations Task Force, in order to catch and remedy any unwanted website modifications.