BankThink

Crooks have a novel way to nab payment card info

Cyber attackers are always looking for new and different ways to steal payment card data from online stores. One novel exfiltration technique uncovered by researchers is to hide the card information in a .JPG image and store it on an infected website instead of sending the card info to a server they control. This not only minimizes suspicious traffic, but also helps these cyber criminals avoid possible detection.

This technique was uncovered during a recent investigation of a compromised website that was using the Magento 2 e-commerce platform. A malicious injection of code was capturing POST request data from visitors on the site. Located on the checkout page, it was found to encode captured data and save it to a .JPG file.

These types of cyber incidents are known as Magecart attacks, a type of data skimming that targets e-commerce websites in order to steal personal data during the checkout process. Magecart started out focusing on Magento, a leading e-commerce platform that is now owned by Adobe. It has since expanded to include all other major e-commerce platforms including Shopify and OpenCart.

Magecart also infects e-commerce plug-ins for WordPress, the world’s most widely used web publishing system. To be clear, Magecart is not just an exploit type. It is also a loose affiliation of cybercriminal gangs that pursue this type of data skimming. There are multiple cybercriminal gangs using these techniques to steal personal data and profit from reselling credit card numbers on the dark web.

Here’s how it works. A Magecart attacker will insert malicious JavaScript into the code base of a website or mobile application. This malicious code is executed on the end user’s browser without their knowledge and secretly captures sensitive information from online payment forms, including email addresses, passwords and credit card details. The Magecart code then exports captured data to a server in a different location using a variety of creative techniques. It is very difficult for shoppers to know what is happening; they only experience what appears to be a normal transaction. Magecart makes code changes that are subtle and often obfuscated behind several evasion steps. It’s also difficult for owners of the website or mobile app to know exactly what’s happening since this code executes on the end user’s browser, outside all the security and monitoring systems on the application servers.

Magecart attackers are always looking for novel techniques for injecting the malicious Shadow Code and exfiltrating the data in ways that evade conventional detection.

In this latest attack, there is no direct communication between the compromised site and the attackers. Instead, the stolen data is left behind on the Magento server in the form of a .JPG file that can be retrieved later. Businesses must continuously monitor their web applications and ensure they stay current with security updates. Consumers must continue to monitor their credit card statements and report any fraudulent activity immediately.
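A site owner who wants to look for this kind of stash can check whether the image files under the web root are really just images. The script below is an added example written for this article; it is not code from the article or from any Magecart investigation. It assumes (and the article does not say how the data was encoded) that a file used as a drop either is not a structurally valid JPEG at all or carries extra bytes after the JPEG end-of-image marker; the sample byte strings are constructed here as a minimal marker skeleton with placeholder appended text, not captured data.

```python
import os
from pathlib import Path
from typing import Dict, Iterator, Optional

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk the JPEG marker structure and return the offset just past EOI.

    Returns None when the bytes are not a well-formed JPEG (no SOI, a bad
    marker, a truncated segment, or no EOI). Walking the markers instead of
    searching for the last FF D9 matters: appended data can itself contain
    FF D9, which would make a naive rfind() miss the real end of the image.
    """
    if not data.startswith(SOI):
        return None
    n = len(data)
    pos = 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:  # EOI: the image proper ends here
            return pos
        # Standalone markers (TEM, RSTn, SOI) carry no length field.
        if marker == 0x01 or 0xD0 <= marker <= 0xD7 or marker == 0xD8:
            continue
        if pos + 2 > n:
            return None
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:
            return None
        pos += seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows until the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break  # FF 00 is byte stuffing, FF D0-D7 are restart markers
                pos += 1
    return None


def scan_jpeg(data: bytes) -> Dict[str, object]:
    """Classify one .jpg payload: not a JPEG, clean JPEG, or JPEG with trailing bytes."""
    end = jpeg_end_offset(data)
    if end is None:
        return {"valid_jpeg": False, "trailing_bytes": len(data), "suspicious": True}
    trailing = len(data) - end
    return {"valid_jpeg": True, "trailing_bytes": trailing, "suspicious": trailing > 0}


def scan_directory(root: str) -> Iterator[Dict[str, object]]:
    """Yield a finding for every .jpg/.jpeg under root that does not look like a plain image."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = Path(dirpath) / name
                result = scan_jpeg(path.read_bytes())
                if result["suspicious"]:
                    result["path"] = str(path)
                    yield result


# Constructed sample: a minimal marker skeleton (SOI, APP0, SOS, EOI); not a decodable picture.
MINIMAL_JPEG = (
    b"\xff\xd8"                                                  # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                  # SOS, length 8
    b"\x12\x34\xff\x00\x56"                                      # entropy data with FF 00 stuffing
    b"\xff\xd9"                                                  # EOI
)
# Constructed sample: the same skeleton with placeholder text appended after EOI.
TAMPERED_JPEG = MINIMAL_JPEG + b"PLACEHOLDER-APPENDED-DATA"
# Constructed sample: a file with a .jpg name that is not an image at all.
NOT_A_JPEG = b"not a jpeg at all"

if __name__ == "__main__":
    for label, blob in (("clean", MINIMAL_JPEG), ("tampered", TAMPERED_JPEG), ("text", NOT_A_JPEG)):
        print(label, scan_jpeg(blob))
```

Run `scan_directory("/path/to/webroot")` on a copy of the document root, or from a scheduled job, and treat any hit as something to compare against a known-good deployment; legitimate files can also carry trailing bytes (some tools append metadata), so the check is a triage signal, not proof of compromise on its own.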
