Crooks are hiding payment skimmers in plain sight on retailer websites, using social sharing buttons in a way that is hard for security tooling to spot.
Security firm Sansec calls it a form of steganography, or hiding a message within another message, that is now surfacing as a weapon for cyber criminals.
For the crooks it's easy prey because the social media buttons and the sites that host them look normal to users but are assembled from many loosely connected pieces behind the scenes. They're "Franken-sites", stitched together from components supplied by many third parties that provide security and other features. Fraudsters place skimmer malware in devious, unexpected ways that take advantage of these moving parts.
"While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image," said
The malicious payload takes the form of an HTML <svg> element, using a <path> element as a container, and it is concealed with syntax that closely resembles legitimate use of the <svg> element, Sansec said. The malware's creator named the components after social media companies, using major names such as Google, Facebook and Twitter in the code.
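One cheap check a site owner can run over their own pages, as an added example that is not code from Sansec or from this article: scan inline SVG for <path> elements whose "d" attribute is not plausible path data. It assumes the payload sits in the path's "d" attribute (the report only says the <path> element is the container), and all markup below is constructed for the demo.

```javascript
// Added example, not code from Sansec or from the article. Flags inline SVG
// <path> elements whose "d" attribute does not look like SVG path data.
// Assumption: a hidden payload is stored in the "d" attribute.

// Legitimate path data contains only command letters, digits, signs,
// decimal points, exponents, commas and whitespace.
const PATH_DATA_RE = /^[MmZzLlHhVvCcSsQqTtAa0-9eE+\-.,\s]*$/;

// Pull the "d" attribute out of every <path ...> in an HTML string.
// Handles double- and single-quoted attribute values.
function extractPathData(html) {
  const re = /<path\b[^>]*?\sd\s*=\s*(["'])([\s\S]*?)\1/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Return one finding per <path> whose "d" attribute fails the checks.
function findSuspiciousPaths(html) {
  const findings = [];
  for (const d of extractPathData(html)) {
    const trimmed = d.trim();
    if (trimmed === '') continue; // empty path: odd, but carries nothing
    if (!PATH_DATA_RE.test(trimmed)) {
      findings.push({ d: trimmed.slice(0, 60), reason: 'non-path characters in d attribute' });
    } else if (!/^[Mm]/.test(trimmed)) {
      findings.push({ d: trimmed.slice(0, 60), reason: 'path data does not start with a moveto command' });
    }
  }
  return findings;
}

// Constructed sample: a plausible share button (coordinates are arbitrary).
const BENIGN_BUTTON = `
<a href="#share"><svg width="24" height="24" viewBox="0 0 24 24">
  <path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2z"/>
</svg></a>`;

// Constructed sample: the same button with a second <path> whose "d"
// holds a harmless text blob where path data should be. A skimmer
// would carry its hidden payload in the same spot.
const TAMPERED_BUTTON = `
<a href="#share"><svg width="24" height="24" viewBox="0 0 24 24">
  <path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2z"/>
  <path d="console.log('placeholder for a hidden payload')"/>
</svg></a>`;

console.log('benign:', findSuspiciousPaths(BENIGN_BUTTON));
console.log('tampered:', findSuspiciousPaths(TAMPERED_BUTTON));
```

The character-set test is deliberately strict: genuine icon paths pass it regardless of length, while any script text, base64 or JSON fails it immediately. It only covers the "d" attribute, so a payload stored in another attribute, in a <text> node or in an external image would need a separate check, and the regex extraction does not decode HTML entities.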

Once the skimmer has been injected into a retailer's payment page, the fraudster waits for a customer to check out. The shopper sees only ordinary social sharing buttons, but decoder code on the page extracts the hidden payload from the image and runs it, and the skimmer then captures the card details the customer types into the payment form.
“This attack implants malicious code into websites to skim and steal credit card info, and then the decoder reads the victim’s information and pretends to be someone checking out, executing the cleverly hidden code," said Chloe Messdaghi, vice president of strategy at Baltimore-based Point3 Security.
“Attackers have to get into a retailer’s website, skim information from the checkout form, and send that information back to their server," Messdaghi added. "Steganography certainly adds a new twist on this type of attack, and the threat actors have intentionally chosen social media logo images that look inherently legit and trustworthy. But steganography aside, the fundamental injection attack type is one we’ve seen often."
The social media logos themselves are not the primary threat. The sites have a security vulnerability that lets an attacker either place the buttons there or modify the existing ones, Messdaghi said.
By hiding payment skimmers behind social media buttons, the fraudsters are looking to fool not only the shopper but also the site's developers and security teams, she added.
These types of attacks will continue to succeed because even the most major online brands use code and plugins developed by third, fourth or even fifth parties, Messdaghi said, meaning there is no centralized ownership of and responsibility for what’s authentic and what’s not. "That’s the problem," she added.
The new payment skimmer attacks are similar to
It's "capitalizing on the tendency of certain demographics, especially younger consumers, to overshare on social media with 'social' shopping," said Julie Conroy, research director and fraud expert at Aite Group.
"You do see this on a number of retailers websites — the ability to share what you’ve just purchased to your feed," Conroy said. "While injection attacks have been around for quite a while and are nothing new, this adds a new dimension, one more aspect of a retailer’s website they need to be vigilant in ensuring there are adequate security controls in place."
Sansec noted it had detected similar malware in June of 2020, but now believes it may have been a test run for the payment skimmer, which was first found on live sites in mid-September.
“These attackers were of course savvy in choosing to embed their injection attack in innocuous, ubiquitous images from popular social media platforms," Point3's Messdaghi said. "Welcome to the future – until every retailer from largest to smallest realizes that their transaction websites are 'Franken-sites' made up of third-party pieces, and they become scrupulous about thoroughly and continually monitoring their sites, these attacks will only become more frequent and successful.”