Computer criminals have devised a new infection mechanism that inserts virus code into the meta data of images which are uploaded to eCommerce sites and portals. This method relies on the saving of the code in the meta data which is interpreted and read by the users software which leads to the execution of a data stealing script.
Malware Site Images Inserted in eCommerce Sites: Payment Card Data Can Be Hijacked
A new infection method has been devised by an unknown hacking group by taking advantage of images and their properties. Every image file contains meta data that is interpreted by the web browser. This brigns the possibility of executing the scripts from within the application. In the observed campaign the dangerous code was placed in files that have been uploaded to eCommerce sites. There are two likely scenarios that are possible:
- Hacked Portal Pages — In this case the hackers have been able to infiltrate the pages and insert the relevant malware-infected files.
- Script Uploading — Some of the dynamic features of the portals allow for the uploading of images. When they are placed in the site in the web-facing parts which can then be accessed by viewers the script will be initialized.
The criminal group(s) which are behind the attacks have devised this approach as it extracts sensitive payment data from the relevant order pages. This is done by hijacking the information that is entered by the site visitors. This approach comes after several similar attacks have been carried out, including ones that are targeted against Magecart sites.
Upon further investigation the current campaign is focused on inserting the skimming code in two instances. The first one was on an online store running the WooCommerce plugin which is compatible with the popular WordPress content management system. This is a very popular approach which is widely considered by website owners. The other instance is by inserting a favicon image to a hacker-controlled server. The meta data related to this website element was found to contain malware EXIF code.
The next step following the execution of the malware code is the starting up of JavaScript code which is made part of the Copyright section of the image. The actual skimming code will read and steal the contents from the input fields which are present in the site. This includes sensitive data including the following:
- Name
- Billing Address
- Payment Card Details
- Contact Information
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: