Hackers are always evolving their tactics to stay one step ahead of security companies. A perfect example of this is the hiding of malicious credit card stealing scripts in the EXIF data of a favicon image to evade detection.

According to Jérôme Segura, Malwarebytes Director of Threat Intelligence, the new technique is a way to “hide credit card skimmers in order to evade detection.”

Over the past few years, the gradual increase in the popularity of online shopping, now more so than ever due to the novel coronavirus pandemic, has given rise to cyber-attacks dedicated to the covert theft of payment card information used when making online purchases.

A common attack used to steal credit cards is to hack the website and inject malicious JavaScript that steals submitted payment information when a customer makes a purchase. The stolen card data is then sent back to a server under the control of the threat actors, where it is collected and used for fraudulent purchases or sold on dark web criminal markets.

The offending code loads a favicon file from cddn[.]site/favicon.ico, which turns out to be the same favicon used by the compromised store (a logo of their brand).

Source: Malwarebytes

In a new report by Malwarebytes, an online store using the WordPress WooCommerce plugin was found to be infected with a Magecart script that steals customers' credit cards.

What made this attack stand out was that the scripts used to capture data from payment forms were not added directly to the site but were contained in the EXIF data for a remote site’s favicon image.


“The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer,” Malwarebytes’ Jérôme Segura stated in the report.

When an image is created, its author can embed information such as the artist who created it, details about the camera, copyright information, and even the location where the picture was taken. This information is called Exchangeable Image File Format (EXIF) data.

In this attack, the threat actors hacked a website and added what appears to be a simple script that inserts a remote favicon image and does some processing.

After further investigation, Malwarebytes discovered that this favicon, while appearing harmless, actually contained malicious JavaScript scripts embedded in its EXIF data, as shown in the image below.

Source: Malwarebytes

Once the favicon image was loaded into the page, the scripts added to the site by the hackers would load the image’s embedded malicious skimmer scripts.

Once these scripts were loaded, any credit card information submitted on checkout pages was sent back to the attackers where they could be collected at their leisure.

Source: Malwarebytes
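The technique described above works because EXIF text fields (Copyright, Artist, ImageDescription and so on) accept arbitrary bytes, so a loader script on the page can fetch the image and read the skimmer out of the metadata. A defender's counterpart is to inspect the metadata of images served by a store or a third-party CDN and flag text fields that look like code. The following is an added example, not code from Malwarebytes or from the report: it builds a small constructed JPEG with an APP1 Exif segment (assuming, for the sake of the example, a JPEG container, since EXIF is TIFF/JPEG metadata and the page does not state the favicon's internal format), parses IFD0 with a dependency-free walker, and scans the ASCII tags for JavaScript indicators. The sample text values and the pattern list are constructed for illustration.

```python
import re
import struct

# EXIF ASCII tags that carry free text; any of them can be stuffed with script.
TEXT_TAGS = {
    0x010E: "ImageDescription",
    0x0131: "Software",
    0x013B: "Artist",
    0x8298: "Copyright",
}

# Crude indicators that a text field holds JavaScript rather than a caption (constructed list).
SCRIPT_PATTERNS = [r"eval\s*\(", r"function\s*\(", r"document\.", r"<script", r"fromCharCode"]


def build_exif_jpeg(text_tags):
    """Build a minimal JPEG (SOI, APP1 Exif, EOI) whose IFD0 holds the given ASCII tags.
    Constructed sample generator for this example only; not a real image."""
    entries = sorted(text_tags.items())          # TIFF requires ascending tag order
    n = len(entries)
    ifd_offset = 8                                # IFD0 sits right after the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 * n + 4     # out-of-line values follow the IFD
    ifd = struct.pack("<H", n)
    blob = b""
    for tag, text in entries:
        payload = text.encode("ascii") + b"\x00"  # ASCII values are NUL-terminated
        if len(payload) <= 4:                     # short values live inside the 12-byte entry
            ifd += struct.pack("<HHI", tag, 2, len(payload)) + payload.ljust(4, b"\x00")
        else:                                     # long values are referenced by TIFF offset
            ifd += struct.pack("<HHII", tag, 2, len(payload), data_offset + len(blob))
            blob += payload
    ifd += struct.pack("<I", 0)                   # no next IFD
    tiff = b"II*\x00" + struct.pack("<I", ifd_offset) + ifd + blob
    body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_tiff(tiff):
    """Return {tag_name: text} for every ASCII entry in IFD0 of a TIFF blob."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd_offset = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    found = {}
    for i in range(count):
        start = ifd_offset + 2 + 12 * i
        entry = tiff[start:start + 12]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if typ != 2:                              # type 2 = ASCII; skip numeric fields
            continue
        if n <= 4:
            raw = entry[8:8 + n]
        else:
            off = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[off:off + n]
        found[TEXT_TAGS.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def extract_exif_text(jpeg):
    """Walk JPEG marker segments, locate APP1 Exif and return its ASCII tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI or start of scan: no more headers
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_tiff(body[6:])
        pos += 2 + seg_len
    return {}


def scan_for_script(jpeg):
    """Return (tag_name, pattern) pairs for EXIF text that looks like JavaScript."""
    hits = []
    for name, text in extract_exif_text(jpeg).items():
        for pat in SCRIPT_PATTERNS:
            if re.search(pat, text):
                hits.append((name, pat))
    return hits


# Constructed samples: a normal favicon-style image and one whose Copyright field carries code.
BENIGN = build_exif_jpeg({0x8298: "Copyright 2020 Example Store", 0x013B: "Example Store design team"})
SUSPECT = build_exif_jpeg({0x8298: "Copyright 2020 eval(function(){/* constructed marker, no real payload */})"})

if __name__ == "__main__":
    for label, img in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, extract_exif_text(img), scan_for_script(img))
```

The scanner only reads IFD0 and ignores binary fields, which is enough for the text-tag abuse the report describes; a production check would also walk the Exif sub-IFD (UserComment), handle PNG and ICO containers, and run on every image a checkout page pulls from a domain the store does not control.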

Finally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a domain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same registrar, and was registered within a week of magerates[.]com.

Indicators of Compromise

EXIF skimmers

cddn[.]site
magentorates[.]com
pixasbay[.]com
lebs[.]site
bestcdnforbusiness[.]com
apilivechat[.]com
undecoveria[.]com
wosus[.]site

Older EXIF skimmer

jqueryanalise[.]xyz
jquery-analitycs[.]com

Skimmer #3

xciy[.]net
yxxi[.]net
cxizi[.]net
yzxi[.]net

Other skimmers

sonol[.]site
webtrans[.]site
koinweb[.]site
xoet[.]site
ads-fbstatistic[.]com
bizrateservices[.]com
towbarchat[.]com
teamsystems[.]info
j-queries[.]com

Registrant emails

anya.barber56@gmail[.]com
smithlatrice100@yahoo[.]com
rotrnberg.s4715@gmail[.]com
newserf@mail[.]ru