Credit card skimmers are now being buried in image file metadata on e-commerce websites

Magecart attackers are suspected of using an interesting technique to steal your financial data.
Written by Charlie Osborne, Contributing Writer

Cybercriminals making use of online credit card skimmers continue to improve their attack methods, and this time, malicious code has been found buried in image file metadata loaded by e-commerce websites. 

According to Jérôme Segura, Malwarebytes Director of Threat Intelligence, the new technique is a way to "hide credit card skimmers in order to evade detection."

Over the past few years, the growing popularity of online shopping -- now more so than ever due to the novel coronavirus pandemic -- has given rise to cyberattacks dedicated to the covert theft of payment card information used when making online purchases.

After well-known brands were hit in quick succession, including Ticketmaster and British Airways, the term 'Magecart' was coined for these types of attacks, in which malicious JavaScript is injected into the payment portal pages of vulnerable websites in order to harvest customer details for as long as possible without detection. 

Countless e-commerce domains have fallen victim to Magecart, and the prolific cybercriminal gangs known to specialize in card skimming have been split up and named as separate Magecart groups for tracking purposes.


The cybersecurity firm has explored the new technique, described in a blog post published on Thursday, which is believed to be the handiwork of Magecart Group 9.

Originally, when Malwarebytes stumbled across a suspicious-looking image file, the team thought it may be related to an older technique that uses favicons to hide skimmers, as previously reported by ZDNet. The technique used in documented attacks serves legitimate favicons to the bulk of a website -- but saves malicious variants for payment portal pages.

However, it seems Magecart Group 9 has gone further. Card skimmer code was found buried within the EXIF metadata of an image file, which would then be loaded by compromised online stores. 

Malwarebytes says the malicious image detected was loaded by a store using a WordPress e-commerce plugin. 

The attack is a variation on the favicon technique, but with a twist. The malicious code was tracked back to a malicious domain, cddn[.]site, that is loaded via a favicon file. While the image itself did not appear malicious at first glance, the "Copyright" field of its EXIF metadata loaded the card skimmer through an <img> tag, specifically via an HTML onerror event, which fires when an external resource fails to load.
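
As an added illustration, not code from the article or from Malwarebytes: a small Python checker that walks a JPEG's segments, pulls the EXIF Copyright tag (0x8298) out of the APP1 segment, and flags a value containing markup or script keywords, which is what a defender reviewing the images served on a store's checkout page would look for. The JPEG builder, the keyword heuristic and the sample strings are constructed for the demonstration.

```python
import re
import struct

COPYRIGHT_TAG = 0x8298  # EXIF "Copyright" tag, the field the article says carried the skimmer
# Constructed heuristic: markup or script keywords have no business in a copyright string.
SUSPICIOUS = re.compile(r"<\s*img|onerror|<\s*script|eval\(|document\.", re.IGNORECASE)


def build_jpeg_with_copyright(text: bytes) -> bytes:
    """Construct a minimal JPEG whose EXIF IFD0 holds one Copyright entry (text > 4 bytes)."""
    value = text + b"\x00"                                    # ASCII values are NUL-terminated
    tiff = b"II*\x00" + struct.pack("<I", 8)                  # little-endian TIFF header, IFD0 at 8
    tiff += struct.pack("<H", 1)                              # one directory entry
    tiff += struct.pack("<HHII", COPYRIGHT_TAG, 2, len(value), 26)  # type 2 = ASCII, value at 26
    tiff += struct.pack("<I", 0) + value                      # no next IFD, then the string
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _copyright_from_tiff(tiff: bytes):
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if tag == COPYRIGHT_TAG and typ == 2:
            raw = tiff[val:val + n] if n > 4 else tiff[e + 8:e + 8 + n]  # short values sit inline
            return raw.rstrip(b"\x00").decode("latin-1")
    return None


def exif_copyright(jpeg: bytes):
    """Walk JPEG segments and return the EXIF Copyright string, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _copyright_from_tiff(seg[6:])
        pos += 2 + seg_len
    return None


def scan_copyright(jpeg: bytes) -> dict:
    """Flag an image whose Copyright field looks like HTML/JavaScript rather than a notice."""
    text = exif_copyright(jpeg)
    return {"copyright": text, "suspicious": bool(text and SUSPICIOUS.search(text))}
```

Run it over every image a checkout page requests, not only favicons; a Copyright field that parses as markup is the signal, whatever the file is called.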


When loaded onto a compromised website, the JavaScript grabs input from fields used to submit payment information, including names, billing addresses, and card details. 

The Magecart group obfuscated the code within the EXIF data and, unusually, does not simply send the stolen data as text to a command-and-control (C2) server. Instead, the collected data is also sent as image files via POST requests.

"The threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file," the researchers say. 


It is thought that Magecart Group 9 is to blame, due to links made by security researcher @AffableKraut to domains and registrars also hosting scripts using the EXIF technique. 

This is not the first time that WordPress e-commerce plugins have been connected to security issues over 2020. Several months ago, a bug was discovered in the Flexible Checkout Fields for WooCommerce plugin which permitted attackers to use XSS payloads to create administrator accounts on vulnerable domains.
