Cyber-criminals have created a new type of web malware that hides inside images used for social media sharing buttons in order to steal credit card information entered in payment forms on online stores.
The malware, known as a web skimmer, or Magecart script, was spotted on online stores in June and September this year by Dutch security firm Sanguine Security (SanSec).
While this particular form isn't widely deployed, its discovery suggests that Magecart gangs are constantly evolving their bag of tricks.
Steganography and malware attacks
At the technical level, this particular script uses a technique known as steganography. Steganography refers to hiding information inside another format (i.e., text inside images, images inside videos, etc.).
In the world of malware attacks, steganography is typically employed as a way to sneak malicious code past security scanners by placing the bad code inside seemingly innocent files.
Over the past years, the most common form of steganography attacks has been to hide malicious payloads inside image files, usually stored in PNG or JPG formats.
Malware gangs would embed the malicious code inside the image; the image would be downloaded to a host system, the code extracted by another of the gang's components, and then executed.
However, the technique has slowly been seeing some adoption among web skimmer gangs, with past steganographic attacks using site logos, product images, or favicons to hide payloads.
Malicious code hidden in SVG images
But as steganography use grew, security firms also started inspecting and analyzing image files as a place where they could find irregularities or hidden web skimmer payloads.
The interesting detail in these recent attacks is that the malicious code wasn't hidden inside PNG or JPG files but in SVG files, a type of image file for loading vector-based images.
Vector images load and draw graphics with the help of coordinates and mathematical functions, and they're a text-based format rather than a binary one, which, in theory, should make the detection of malicious payloads even easier than with PNG and JPG files.
However, SanSec says the threat actors were very clever when they designed their payload.
"The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element," SanSec said in a report last week.
"While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax," the company added.
SanSec said it found malware gangs testing this technique in June, and on live e-commerce sites in September, with the malicious payload hidden inside social media sharing icons for sites like Google, Facebook, Twitter, Instagram, YouTube, and Pinterest.
On infected stores, once users accessed the checkout page, a secondary component (called a decoder) would read the malicious code hidden inside the social sharing icons and then load a keylogger that recorded and exfiltrated card details entered in the payment form.
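One defensive consequence of SanSec's observation is that a scanner cannot stop at "is this valid SVG?"; it has to ask whether the content of each <path> element looks like path data. The following check is an added example, not code from the article or from SanSec, and the two SVG icons it scans are constructed samples: it parses an SVG and flags <path> data that contains characters outside the path grammar, <path> elements carrying text, embedded <script> elements, and event-handler attributes.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Everything a legitimate <path d="..."> may contain: the path command
# letters, digits, signs, decimal points, exponents, commas and whitespace.
PATH_DATA_OK = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9.,+\-eE\s]*$")


def scan_svg(svg_text):
    """Return a list of (tag, reason) findings for one SVG document.

    An empty list means nothing looked out of place; the heuristics are
    deliberately strict because a share icon has no business carrying
    scripts, handlers or non-numeric path data.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            findings.append((tag, "script element inside image"))
        for name in el.attrib:
            if name.lower().startswith("on"):
                findings.append((tag, f"event handler attribute {name}"))
        if tag == "path":
            if not PATH_DATA_OK.match(el.get("d", "")):
                findings.append((tag, "path data contains non-path characters"))
            if (el.text or "").strip():
                findings.append((tag, "path element carries text content"))
    return findings


# Constructed sample: a plausible circular share icon, nothing unusual.
BENIGN_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    '<path d="M12 2 C6.5 2 2 6.5 2 12 s4.5 10 10 10 10-4.5 10-10 S17.5 2 12 2z"/>'
    "</svg>"
)

# Constructed sample: still well-formed SVG, but the path data has been
# padded with placeholder text that no renderer would accept as coordinates.
SUSPICIOUS_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    '<path d="M12 2 C6.5 2 2 6.5 2 12 [CONSTRUCTED_NON_PATH_TEXT;\'x\'] z"/>'
    "</svg>"
)

if __name__ == "__main__":
    for label, icon in (("benign", BENIGN_ICON), ("suspicious", SUSPICIOUS_ICON)):
        print(label, scan_svg(icon))
```

Both samples parse as valid XML, which is exactly why a syntax-only check would pass them; only the content-aware pass separates them.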
End users have very few options available at their disposal when it comes to web skimmer attacks, as this type of code is usually invisible to them and extremely hard to detect, even for professionals.
Furthermore, users shopping on a site have no way of knowing how secure the site really is, or whether the store owner invests in security at all.
The simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
These cards are currently provided by some banks and payment apps, and they're the best way to deal with web-based skimming: even if attackers manage to record the transaction details, the card data is useless because it was generated for that one transaction only.