Researchers at the Dutch security firm Sanguine Security (SangSec) have identified a new Magecart-style attack. Magecart is an umbrella term for various e-skimming attacks that have gained popularity over the past few years. This most recent attack uses social media share buttons to hide the skimmer code and evade various detection techniques.

Hiding code in legitimate images is known as steganography, and it is a testament to how these cybercriminals are constantly evolving their attacks. The technique has been used before, but in this particular case the script was hidden in an SVG file instead of a JPG or PNG file. SVG is an image format used for vector-based images. Vector images are drawn from mathematical functions and coordinates stored in a text-based format rather than a binary format. In theory, this should make it easier to defend against malware hidden in these types of files, but the threat actor managed to get around this when they designed the payload.

According to SangSec “The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element.” Because the skimmer is embedded in a perfectly valid image, security scanners cannot detect it by checking the syntax of the code.
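The limitation described above can be shown with an added example (not from SangSec or the original article): a syntax check passes every well-formed `<path>`, while comparing each inline icon against a known-good baseline still reveals a changed one. The names `PathCollector`, `fingerprint` and `audit`, the sample icons and the baseline are all constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Loose SVG path-data check: only command letters, numbers and separators.
PATH_SYNTAX = re.compile(r"[MmZzLlHhVvCcSsQqTtAaEe0-9+.,\s-]*")

class PathCollector(HTMLParser):
    """Collect the d attribute of every <path> inside an inline <svg>."""
    def __init__(self):
        super().__init__()
        self.depth = 0
        self.paths = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
        elif tag == "path" and self.depth:
            self.paths.append(dict(attrs).get("d") or "")

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1

def fingerprint(d):
    # Normalise whitespace so formatting changes do not alter the digest.
    return hashlib.sha256(" ".join(d.split()).encode()).hexdigest()

def audit(html, baseline):
    """Report, per inline path, whether it parses and whether it is expected."""
    collector = PathCollector()
    collector.feed(html)
    return [{"d": d,
             "valid_syntax": bool(PATH_SYNTAX.fullmatch(d)),
             "in_baseline": fingerprint(d) in baseline}
            for d in collector.paths]

# Constructed sample data: one approved share icon and one altered copy.
KNOWN_GOOD_ICON = "M4 4h16v16H4z M8 10v6 M12 8v8"
ALTERED_ICON = KNOWN_GOOD_ICON + " l3 2 5 1 2 7"
BASELINE = {fingerprint(KNOWN_GOOD_ICON)}
DEPLOYED_PAGE = (f'<div class="share"><svg><path d="{KNOWN_GOOD_ICON}"/></svg>'
                 f'<svg><path d="{ALTERED_ICON}"/></svg></div>')

if __name__ == "__main__":
    for finding in audit(DEPLOYED_PAGE, BASELINE):
        print(finding)
```

Both paths report `valid_syntax: True`; only the baseline comparison separates the approved icon from the altered one.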