Magecart (Group 9): Hiding card-skimming code within a website is not a new tactic for threat actors. Normally the skimmer is inserted into a compromised website by modifying existing JavaScript or loading a remote script directly, but in a new attack discovered by researchers at Malwarebytes, the malicious JavaScript is hidden inside the EXIF (Exchangeable Image File Format) data of a favicon image to evade detection. The attack was seen on a WordPress website using the WooCommerce plugin. Hiding code inside image headers, as was done here, is not a new tactic either, but this is the first time Malwarebytes has seen it used for a credit card skimmer. In this case, the threat actor compromised the website and added a simple script that inserts the remote favicon image from cddn[.]site/favicon.ico, a minor change that is unlikely to look suspicious to anyone reviewing the code changes on the compromised site. Once the image is loaded onto the website, any credit card data entered into the page is recorded and sent to the threat actor.
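As an added defender-side example (not code from Malwarebytes or from the page), the following Python scans an image file's EXIF IFD0 for ASCII fields whose content looks like JavaScript, which is the kind of check a site integrity scan or image upload filter could run on favicons and other assets. The tag table, the script-token list and the two sample EXIF blocks are constructed assumptions; the parser looks for the EXIF marker anywhere in the bytes, so the file extension does not matter.

```python
import re
import struct

# EXIF IFD0 tags that hold free-form ASCII and so can smuggle script text.
TEXT_TAGS = {0x010E: "ImageDescription", 0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}
# Tokens that have no business in a caption, credit or copyright string (assumed list).
SCRIPT_RE = re.compile(r"\beval\s*\(|\bdocument\.|\bwindow\.|XMLHttpRequest|\bfetch\s*\(|"
                       r"\batob\s*\(|\bfunction\s*\(|=>|<script|\.src\s*=", re.IGNORECASE)

def build_exif_blob(fields):
    """Construct a little-endian EXIF payload whose IFD0 ASCII entries are {tag: text}."""
    entries = sorted(fields.items())
    data_off = 8 + 2 + 12 * len(entries) + 4   # long values go right after the IFD
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, text in entries:
        raw = text.encode() + b"\x00"          # ASCII values are NUL-terminated
        if len(raw) <= 4:                      # <= 4 bytes: stored inline, padded
            ifd += struct.pack("<HHI4s", tag, 2, len(raw), raw.ljust(4, b"\x00"))
        else:                                  # otherwise: offset from TIFF header
            ifd += struct.pack("<HHII", tag, 2, len(raw), data_off + len(blob))
            blob += raw
    ifd += struct.pack("<I", 0)                # no further IFD
    return b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd + blob

def exif_text_fields(image):
    """Return {tag: text} for every ASCII-typed IFD0 entry of the first EXIF block in `image`."""
    start = image.find(b"Exif\x00\x00")
    if start < 0 or image[start + 6:start + 8] not in (b"II", b"MM"):
        return {}
    tiff = image[start + 6:]
    e = "<" if tiff[:2] == b"II" else ">"     # byte order declared by the TIFF header
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    out = {}
    for i in range(count):
        ent = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n, val = struct.unpack(e + "HHI4s", ent)
        if typ != 2:                           # type 2 == ASCII
            continue
        raw = val[:n] if n <= 4 else tiff[struct.unpack(e + "I", val)[0]:][:n]
        out[tag] = raw.split(b"\x00", 1)[0].decode("latin-1", "replace")
    return out

def suspicious_exif_fields(image):
    """Names of EXIF text fields whose content looks like script source."""
    return sorted(TEXT_TAGS.get(t, hex(t)) for t, s in exif_text_fields(image).items() if SCRIPT_RE.search(s))

# Constructed samples (not the real skimmer): a clean favicon-style EXIF block and one
# whose ImageDescription carries JavaScript that a loader script could extract and run.
CLEAN_EXIF = build_exif_blob({0x8298: "Copyright (c) Example Shop", 0x0131: "v1"})
TAINTED_EXIF = build_exif_blob({0x8298: "Copyright (c) Example Shop",
                                0x010E: "function(){document.getElementById('x')}"})
```

A hit on such a field is not proof of compromise on its own, but an image asset whose metadata contains script tokens is worth pulling for review alongside any recently changed page templates that reference it.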
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security