Credit card scammers are now being buried in the metadata of image files on e-commerce websites

Cybercriminals using online credit card scammers continue to improve their attack methods, and this time, the malicious code was found buried in the metadata of the image file loaded on e-commerce websites.

The new strategy is “a way to hide credit card scammers to avoid detection,” according to Jeremy Segura, director of the Intelligence Department’s MalwareBits.

Over the past few years, with the gradual rise in popularity of online shopping – due to the current comparative novel coronavirus epidemic – the rise of cybertax dedicated to the secret theft of payment card information used when shopping online.

The term ‘Majkart’ was coined for such attacks after well-known brands, including Ticketmaster and British Airways, were quickly hit in the face, injecting malicious JavaScript into the portal pages of vulnerable websites to collect customer details.

Countless e-commerce domains have fallen victim to MagCart, with a wide range of cybercriminals known specifically for card skimming splitting into separate MagCart groups for tracking purposes.

See also: Skimming code war on Nutri Bullet website puts customer’s credit card data at risk

The cyber security firm has explored the new strategy, described in a blog post published Thursday, which is believed to be the mastermind of the Magkart Group 9.

Originally, when Malwarebitis stumbled upon a file with suspicious-looking images, the team thought it might be related to an older technology that used Favicon to hide scammers, as reported by Zedinet. The technique used in documented attacks provides legitimate favicon in most cases of a website – but saves malicious forms for payment portal pages.

However, it seems that Magkart Group 9 has gone further. The card schemer code is found buried in the XIF metadata of an image file, which will then be loaded by compromised online stores.

Malwarebytis says the detected malicious image loaded a store using a WordPress e-commerce plugin.

The attack is a variation that uses favicon but with a twist. The malicious code is found back on a malicious domain, cddn (.) Site, it is loaded via the favicon file. The code itself did not appear to be corrupted at first glance, a field called “Copyright” in the metadata field loaded the card schemer using a title tag, specifically through an HTML honors event, which triggered an error when loading external resources.

Windows CNET: Twitter challenges millions of accounts every week to see if they are bots

After loading on a compromised website, JavaScript receives input from the fields used to submit payment information, including name, billing address and card details.

The MagCart group relied on the code in XIF data and would not normally send the stolen data via text to any command-and-control server (C2). Instead, the collected data is sent as an image file via post request.

“Threatening actors probably decided to hold on to the theme of the image in order to hide outward information through the file,” the researchers said.

TechRepublic: The phishing attack targeted employees returning to the office

Magkart is thought to have been blamed for Group 9, due to links by security researcher বল AffableCrat to scripts using XIF technology in domains and registrars.

This is not the first time that WordPress e-commerce plugins have linked security issues to several domains by 2020.

Previous and related coverage

Have a tip? Communicate securely via WhatsApp Signal +447713 025 499, or key-base: Charlie at 0 over

Leave a Comment