Credit card skimmers hide in web page image files

Credit card skimmers hide in web page image files
Legitimate JavaScript library injected with additional code. Credit: Malwarebytes

A particularly nasty form of consumer credit card theft centers on the use of skimming devices embedded in credit card machines at locations such as gas stations and convenience stores. As a customer swipes a card, the hidden device records the name, number and expiration date on the card.

Leave it to the ingenuity of digital criminals to dispense with the need for a physical credit card and instead devise a way to gather the same data through online transactions.

The cybersecurity company Malwarebytes reported this week a new twist on an old form of online scam. Hackers, they said, are inserting malicious inside image files on web sites that set the stage for capturing users' personal data.

The code is inserted into a favicon, the company's tiny logo or related image file that appears on a browser's web page tab or along the address bar. All images contain EXIF data that are used for non-visual, text information such as image description, camera settings and copyright notices.

"When we first investigated this campaign, we thought it may be another one of those favicon tricks," Malwarebytes explained. "However, it turned out to be different and even more devious."

In a variant of what researchers call a magecart attack, hackers ignore the favicon throughout most of the site. Instead, they surreptitiously insert code only into the favicon that appears on the checkout page of a website. The latest scam has been detected mainly on the WooCommerce plugin used for digital storefronts on web sites hosted by Wordpress. Researchers say the plugin's popularity and widespread use make it a ripe target for hackers.

Implanting malicious code on web sites is not uncommon. The new twist here is the use of steganography (the embedding of ) in a favicon for the purpose of stealing credit card information.

The personal data is in turn stored in another image file that the hackers subsequently download.

Malewarebytes said an analysis of the code indicates a likely connection to the Bulgarian ring Magecart Group 9.

Magecart attacks have been around for about four years. Wired magazine listed the group behind the attacks on their list of Most Dangerous People on the Internet in 2018.

Among the groups targets have been Ticketmaster, New Egg Electronics, Forbes magazine subscribers and British Airways.

While hackers are continually devising new and creative ways to get their hands on your cash, it's still best to maintain an up-to-date anti-virus or anti-malware suite on your devices. Also banks offer apps that generate one-time-only, on-the-spot credit-card numbers for online purchases that ensure if the card number falls into unauthorized hands, it cannot be used again.

Cyberthreat security firm Sophos recommends keeping plugins up to date with the latest security patches and also advises online merchants to change the default Wordpress username in settings from "admin" to something harder for hackers to determine.

More information: … rds-via-image-files/

© 2020 Science X Network

Citation: Credit card skimmers hide in web page image files (2020, June 29) retrieved 1 March 2024 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Sears says that some Kmart stores targets of security breach


Feedback to editors