Hackers hide web skimming code behind a website’s favicon
Cybercrime gangs are now hiding malicious code in the metadata of image files in order to covertly steal payment card details entered by visitors to compromised websites. It is one of the more inventive skimming campaigns seen recently.
In a post published last week, researchers at Malwarebytes reported finding skimming code embedded inside the metadata of an image file that compromised online stores load surreptitiously.
Disguising malicious code as an image file is nothing new for criminals, but the technique is evolving rapidly and now employs a variety of stealthy, and very effective, ways of exfiltrating credit card data.
With online shopping on the rise, these attacks typically work by injecting malicious code into a compromised site; the code harvests the data a user enters and sends it to a server controlled by the criminals, giving the attackers the shopper's payment details and other confidential information.
In this week-old web skimming campaign, the Malwarebytes researchers found the skimmer not only on an online store running the WooCommerce plugin for WordPress, but also embedded inside the Exchangeable Image File Format (EXIF) metadata of a favicon image served from a dubious domain (cddn.site).
Image files typically carry embedded EXIF data describing the image: camera manufacturer and model, date and time the photo was taken, location, resolution, and camera settings, among other details.
This is not the first time Magecart criminal groups have used images to attack e-commerce sites. In May this year, several hacked websites were observed loading a malicious favicon on their checkout pages and then replacing the legitimate online payment forms with fraudulent ones that steal card details from users.
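A defender can look for the kind of skimmer described above by walking an image's metadata segments and flagging anything that looks like JavaScript rather than camera data. The script below is an added example, not code from Malwarebytes or from the campaign; it parses the marker segments of a JPEG (EXIF lives in the APP1 segment, but all APPn and COM segments are checked) and reports script-like tokens. The token list, the hypothetical favicon bytes and the sample payload are constructed for illustration; a PNG or ICO favicon would need a chunk walker instead of this JPEG marker parser.

```python
import re
import struct

# Tokens that have no business in camera metadata. A constructed, non-exhaustive
# list: tune it to your environment (assumption, not from the original report).
SCRIPT_PATTERNS = re.compile(
    rb"(document\.|eval\(|fromCharCode|<script|\.innerHTML|XMLHttpRequest|fetch\(|atob\()",
    re.IGNORECASE,
)


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded data follows)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_script_in_metadata(data: bytes):
    """Return [(segment_name, token)] for script-like content in APPn/COM segments."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            for m in SCRIPT_PATTERNS.finditer(payload):
                hits.append((name, m.group(0).decode("ascii", "replace")))
    return hits


def build_jpeg(app1_payload: bytes) -> bytes:
    """Build a minimal SOI + APP1 + EOI file (constructed sample, not a real image)."""
    seg = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + seg + b"\xff\xd9"


BENIGN = build_jpeg(b"Exif\x00\x00" + b"Canon EOS 5D, 2020:06:20 12:00:00")
SUSPECT = build_jpeg(b"Exif\x00\x00[constructed sample] eval(atob('...'));document.forms[0]")

if __name__ == "__main__":
    print(find_script_in_metadata(BENIGN))   # []
    print(find_script_in_metadata(SUSPECT))  # [('APP1', 'eval('), ('APP1', 'atob('), ('APP1', 'document.')]
```

On a real deployment, run the check over favicons and other images fetched from third-party domains at crawl time, and alert on any hit rather than trusting the file extension.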
Abuse of the DNS protocol for browser data exfiltration
Unfortunately, data-theft attacks are not limited to skimmers. In a proof of concept dubbed “browsertunnel”, Jessie Li showed that data can be pilfered from the web browser by abusing DNS prefetching: the technique can collect confidential details when users perform specific actions on a page and then exfiltrate them to a server disguised as DNS traffic. As Li explains, “the DNS traffic does not appear in the browser’s debugging tools, is not blocked by Content Security Policy (CSP) on a page, and is often not inspected by corporate firewalls or proxies…” That makes it a near-ideal channel for stealing data unnoticed.