While investigating a Magecart attack, experts found e-skimmer code hidden in the EXIF metadata of an image file and surreptitiously loaded by compromised online stores.
The malicious script detected by the researchers was loaded from an e-store running the WooCommerce plugin for WordPress.
The scripts allow threat actors to steal credit card data and other sensitive information that users enter on compromised e-commerce websites, and then send the collected information to the attackers.
The attack stands out because attackers use images to exfiltrate stolen credit card data.
Experts noticed that the script would load a favicon file that is identical to the one used by the compromised website. The attackers loaded the e-skimmer from the ‘Copyright’ field in the metadata of this image.
The e-skimmer is able to capture the content of the input fields filled in by users while purchasing goods, including name, billing address, and credit card details. The skimmer encodes the grabbed data using Base64, reverses the resulting string, and then sends the information to an external server as an image file via a POST request.
While investigating the incident, the researchers discovered a copy of the skimmer toolkit’s source code in an open directory of a compromised site. The toolkit allows the attackers to craft a favicon.ico file with the e-skimmer code injected in the Copyright field.
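A defender-side check for the technique described above, written as an added example rather than code from the article or from the skimmer toolkit: it parses the TIFF-structured EXIF block of an image, pulls out the Copyright tag (0x8298) and flags values that contain script-like content instead of a copyright notice. The marker list is an assumed heuristic, and the sample images are constructed minimal TIFF blocks, not real favicons.

```python
import re
import struct

EXIF_COPYRIGHT_TAG = 0x8298  # TIFF/EXIF "Copyright" tag, ASCII (type 2)
# Heuristic markers (assumed list) that have no place in a copyright notice
SCRIPT_MARKERS = re.compile(r"<script|eval\(|document\.|XMLHttpRequest|fetch\(", re.I)

def carve_tiff(data: bytes) -> bytes:
    idx = data.find(b"Exif\x00\x00")  # a JPEG APP1 segment wraps the TIFF block behind this header
    return data[idx + 6:] if idx >= 0 else data

def read_exif_copyright(data: bytes) -> "str | None":
    """Walk IFD0 of the EXIF block and return the Copyright string, or None if absent or malformed."""
    tiff = carve_tiff(data)
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte-order marker selects struct endianness
    try:
        if end is None or struct.unpack(end + "H", tiff[2:4])[0] != 42:
            return None
        ifd = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            tag, typ, n, val = struct.unpack(end + "HHI4s", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
            if tag != EXIF_COPYRIGHT_TAG or typ != 2:
                continue
            # values of 4 bytes or less are stored inline, longer ones live at an offset
            if n <= 4:
                raw = val[:n]
            else:
                off = struct.unpack(end + "I", val)[0]
                raw = tiff[off:off + n]
            return raw.rstrip(b"\x00").decode("latin-1")
    except struct.error:  # truncated or malformed structure
        pass
    return None

def copyright_looks_like_skimmer(data: bytes) -> bool:
    """True when the Copyright field carries script-like content instead of a notice."""
    text = read_exif_copyright(data)
    return bool(text and SCRIPT_MARKERS.search(text))

def build_sample(copyright_text: bytes) -> bytes:
    """Constructed sample: minimal little-endian TIFF with one IFD0 Copyright entry (not a real favicon)."""
    value = copyright_text + b"\x00"
    # header(8) + entry count(2) + one entry(12) + next-IFD pointer(4) = 26, so the value lands at offset 26
    entry = struct.pack("<HHII", EXIF_COPYRIGHT_TAG, 2, len(value), 26)
    return b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1) + entry + struct.pack("<I", 0) + value

BENIGN = build_sample(b"Copyright (c) 2020 Example Shop")
SUSPICIOUS = build_sample(b"Copyright (c) <script>/* constructed marker */</script>")
```

Run the check over the favicon and other static images a store serves; a Copyright field that trips it is worth pulling for manual review before the page that loads it is trusted.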
(SecurityAffairs – hacking, Magecart)