Hackers hide web skimming code inside Metadata

Hackers hide web skimming code behind a website’s favicon

Cybercrime gangs are now hiding malicious code in the metadata of image files in order to covertly steal payment card information entered by visitors on hacked websites, in what is one of the most innovative hacking campaigns seen recently.


Web skimming and Magecart attacks are more popular than ever.

In a post from last week, researchers from Malwarebytes have reported that they have found skimming code embedded inside the metadata of an image file. The code is loaded surreptitiously by compromised online stores.

It is not new for criminals to disguise malicious code as an image file. However, this attack method is evolving rapidly and employs a variety of stealthy and very nasty ways of exfiltrating credit card data.

The main tactic of the recently reported campaign is commonly known as web skimming or a Magecart attack. Such attacks evolve as bad actors discover new ways to inject JavaScript code, for example via misconfigured AWS S3 storage buckets, and abuse user protection policies to transfer stolen data to a Google Analytics account under their control.

Given the growing popularity of online shopping, these attacks typically work by injecting malicious code into a compromised site, which then harvests user-entered data and sends it to a server controlled by cyber criminals, giving the offenders access to the shopper's payment details and other confidential information.

In this web skimming campaign, reported last week, the cybersecurity researchers from Malwarebytes found that the skimmer was not only detected on an online store running the WooCommerce WordPress plugin, but was also included inside the Exchangeable Image File Format (EXIF) metadata of a dubious domain's (cddn.site) favicon image.

Typically, each image comes embedded with some EXIF info which contains image information such as camera manufacturer and model, photo date and time, location, resolution, and camera settings, among other details.

The researchers explained that the hackers used this EXIF data to execute a piece of JavaScript hidden inside the favicon image's "Copyright" field. They added that a JavaScript skimmer inserted this way can capture the content of input fields where online shoppers type their name, billing address and credit card information.

Attributing last week's skimming operation to Magecart Group 9, Malwarebytes added that the skimmer's JavaScript code had been obfuscated using the WiseLoop PHP JS Obfuscator library. The intercepted information is Base64-encoded and the output string reversed, and the extracted data is then transmitted as an image file to mask the method of exfiltration.
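As an added, defender-side example (not code from this page or from Malwarebytes), the following Python walks the first image file directory of a raw EXIF/TIFF block, such as the one carried in a JPEG APP1 segment after the "Exif\0\0" prefix, and flags ASCII tags like Copyright whose text contains JavaScript tokens. The TIFF builder is a constructed test fixture, and the token list and tag names are the author's assumptions, not anything from the report.

```python
import re
import struct

# A few TIFF/EXIF tag ids (from the TIFF spec); Copyright is the field the article's skimmer used.
TAG_NAMES = {0x010E: "ImageDescription", 0x0131: "Software", 0x8298: "Copyright"}
ASCII_TYPE = 2
# Tokens a genuine copyright notice has no reason to contain but a JavaScript skimmer does (assumed list).
SCRIPT_MARKERS = re.compile(r"<script|document\.|addEventListener|eval\(|atob\(|\.value\b")


def parse_ifd0_ascii_tags(tiff: bytes) -> dict:
    """Walk IFD0 of a raw TIFF/EXIF blob and return its ASCII-typed tags as {tag_id: text}."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte-order mark; KeyError if not TIFF
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    count = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i                         # each IFD entry is 12 bytes
        tag, typ, n, val = struct.unpack(order + "HHI4s", tiff[e:e + 12])
        if typ != ASCII_TYPE:
            continue
        # Values of 4 bytes or fewer live inside the entry; longer ones sit at an offset.
        off = struct.unpack(order + "I", val)[0] if n > 4 else e + 8
        tags[tag] = tiff[off:off + n].rstrip(b"\0").decode("latin-1")
    return tags


def find_script_in_metadata(tiff: bytes) -> list:
    """Return (tag name, first suspicious token) for every ASCII tag that looks like script."""
    hits = []
    for tag, text in parse_ifd0_ascii_tags(tiff).items():
        m = SCRIPT_MARKERS.search(text)
        if m:
            hits.append((TAG_NAMES.get(tag, hex(tag)), m.group(0)))
    return hits


def build_tiff_with_copyright(text: str) -> bytes:
    """Constructed fixture: a minimal little-endian TIFF whose IFD0 holds a single Copyright tag."""
    payload = text.encode("latin-1") + b"\0"             # ASCII tags are NUL-terminated
    ifd_off, n = 8, len(payload)
    data_off = ifd_off + 2 + 12 + 4                      # count + one entry + next-IFD pointer
    head = b"II*\0" + struct.pack("<I", ifd_off) + struct.pack("<H", 1)
    if n > 4:
        entry, tail = struct.pack("<HHII", 0x8298, ASCII_TYPE, n, data_off), payload
    else:
        entry, tail = struct.pack("<HHI", 0x8298, ASCII_TYPE, n) + payload.ljust(4, b"\0"), b""
    return head + entry + struct.pack("<I", 0) + tail
```

Running `find_script_in_metadata` over the EXIF block of every image served from a checkout page, and alerting on any hit, turns the hiding place described above into a detection point.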

It is not the first time Magecart criminal organizations have used images as tools to attack e-commerce pages. In May this year, several hacked websites were observed loading a malicious favicon on their checkout pages and then replacing the legitimate online payment forms with fraudulent ones that steal card details from users.

Abuse of the DNS protocol for browser data exfiltration

Sadly, data-stealing attacks are not limited to malicious skimmers. According to a technique demonstrated by Jessie Li, it is possible to pilfer data from the web browser by leveraging DNS prefetch. Dubbed "browsertunnel", the technique may be used to gather confidential details when users perform specific actions on a website and then exfiltrate those details to a server by disguising them as DNS traffic. As Li explains, "the DNS traffic does not appear in the browser's debugging tools, is not blocked by Content Security Policy (CSP) on a page, and is often not inspected by corporate firewalls or proxies…" This makes it a perfect means for stealing data without restriction.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her drive for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.


HowToRemove.Guide © 2024. All Rights Reserved.
