Cybercriminals behind online credit card skimmers continue to refine their attack methods, and this time the malicious code was found buried in the metadata of an image file loaded by e-commerce websites.
The new technique is "a way to hide credit card skimmers to avoid detection," according to Jérôme Segura, Director of Threat Intelligence at Malwarebytes.
Over the past few years, as online shopping has grown in popularity, a trend accelerated by the current novel coronavirus pandemic, there has been a rise in cyberattacks dedicated to the covert theft of payment card information entered when shopping online.
Countless e-commerce domains have fallen victim to Magecart, an umbrella name for a wide range of cybercriminal groups known for card skimming, which researchers split into separate Magecart groups for tracking purposes.
The cybersecurity firm explored the new technique in a blog post published Thursday; the attack is believed to be the work of Magecart Group 9.
When Malwarebytes first stumbled upon the suspicious-looking image file, the team thought it might be related to an older technique that used favicons to hide skimmers, as previously reported by ZDNet. In the documented attacks, that technique served a legitimate favicon on most pages of a website but swapped in a malicious form on payment portal pages.
However, it seems Magecart Group 9 has gone a step further. The card skimmer code was found buried in the EXIF metadata of an image file, which is then loaded by compromised online stores.
Malwarebytes says the detected malicious image was loaded by a store using a WordPress e-commerce plugin.
The attack is a variation on the favicon technique, with a twist. The malicious code is hosted on a malicious domain, cddn[.]site, and is loaded via the favicon file. At first glance the favicon itself did not appear malicious; instead, a field called "Copyright" in the image's metadata loaded the card skimmer via an image tag, specifically through an HTML onerror event, which fires when loading the external resource fails.
The Magecart group relies on the code in the EXIF data and, unusually, does not send the stolen data in plaintext to a command-and-control (C2) server. Instead, the collected data is sent as an image file via a POST request.
"Threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file," the researchers said.
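A defender-side check suggested by the technique described above, added here as an example and not Malwarebytes' own code: parse the first IFD of an embedded EXIF block and flag ASCII tags whose text looks like script rather than a rights notice. Tag 0x8298 is the standard EXIF Copyright tag; the indicator list and the constructed sample images are assumptions.

```python
import re
import struct

# 0x8298 is the TIFF/EXIF "Copyright" tag, the field the article says carried the skimmer.
COPYRIGHT_TAG = 0x8298
# Heuristic indicators that an ASCII metadata field holds JavaScript (assumption, not exhaustive).
JS_HINTS = re.compile(r"<script|onerror\s*=|\beval\s*\(|document\.|fromCharCode|XMLHttpRequest", re.I)


def read_tag_strings(tiff: bytes):
    """Yield (tag, text) for every ASCII (type 2) entry in the first IFD of a TIFF block."""
    order = "<" if tiff[:2] == b"II" else ">"           # byte order mark: II = little, MM = big endian
    (ifd_off,) = struct.unpack(order + "I", tiff[4:8])  # offset of the first IFD
    (n,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(n):
        e = ifd_off + 2 + 12 * i                         # each IFD entry is 12 bytes
        tag, typ, count, val = struct.unpack(order + "HHI4s", tiff[e:e + 12])
        if typ != 2:
            continue
        if count <= 4:                                   # short values are stored inline
            raw = val[:count]
        else:                                            # longer values live at an offset
            (off,) = struct.unpack(order + "I", val)
            raw = tiff[off:off + count]
        yield tag, raw.rstrip(b"\x00").decode("latin-1")


def scan_image(data: bytes):
    """Return [(tag, snippet)] for ASCII EXIF fields that look like script; [] if clean or no EXIF."""
    idx = data.find(b"Exif\x00\x00")                     # APP1 segment payload starts with this marker
    if idx < 0:
        return []
    tiff = data[idx + 6:]
    return [(tag, text[:60]) for tag, text in read_tag_strings(tiff) if JS_HINTS.search(text)]


def build_exif(copyright_text: bytes) -> bytes:
    """Constructed test input: a minimal JPEG prefix with an APP1/EXIF segment holding one Copyright entry."""
    value = copyright_text + b"\x00"
    tiff = b"II*\x00" + struct.pack("<I", 8)             # little-endian header, IFD at offset 8
    tiff += struct.pack("<H", 1)                         # one IFD entry
    # entry: tag, type ASCII, count, offset of value (header 8 + count 2 + entry 12 + next-IFD 4 = 26)
    tiff += struct.pack("<HHII", COPYRIGHT_TAG, 2, len(value), 26)
    tiff += struct.pack("<I", 0)                         # no further IFDs
    tiff += value
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff
```

Run `scan_image` over every image served from a store's theme or plugin directories; a Copyright field that trips `JS_HINTS` deserves the same scrutiny as an unexpected script tag in the checkout page.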
Magecart Group 9 is thought to be responsible, based on links drawn by security researcher @AffableKraut between scripts using the EXIF technique and the associated domains and registrars.
This is not the first time in 2020 that WordPress e-commerce plugins have been linked to security issues affecting multiple domains.