Hackers hide Magecart script in favicon image's EXIF data to steal credit card details
EXIF format enables people to store interchange information in digital photography image files using JPEG compression
Researchers at cyber security firm Malwarebytes have discovered a new Megecart campaign that used malicious scripts hidden in the EXIF data of a favicon image to steal payment card details of customers.
Exchangeable Image File (EXIF) is a format used for storing interchange information in digital photography image files using JPEG compression. Developers generally use this format to embed information such as artist name, details about the camera, copyright information, etc.
"The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer," Malwarebytes' researchers stated in the report.
According to researchers, they recently found an online store that was being attacked by hackers through a Magecart script.
This specific Magecart campaign appeared to be somewhat different from other campaigns as the malicious script used to steal data from payment page was added in the EXIF data for a remote site's favicon image, rather than being added directly to the site.
In the compromised website, hackers added a simple script whose primary function was to insert a remote favicon image and to perform some processing. When researchers examined the favicon image, they found its EXIF data containing some malicious JavaScript scripts that were evidently embedded by hackers.
When the page loaded favicon image, the simple scripts that were earlier added to the site would load the image's embedded skimmer scripts. These scripts then sent back to cyber crooks any credit card data submitted by a customer on checkout pages.
As skimmer scripts were not inserted on the hacked site, it became much easier for hackers to carry out their malicious activities without being noticed by security software or security researchers.
The researchers said they have some evidence to suggest that 'Magecart 9' threat group is likely behind this attack.
The number of web-skimming attacks is constantly on the rise, according to cyber security experts.
Last month, Malwarebytes researchers warned about a cyber campaign in which hackers used fake icons on various websites to steal payment card details from compromised e-commerce websites.
The researchers said they discovered several compromised Magento websites which loaded data skimmer instead of the legitimate website favicon on their payment checkout pages.
In October last year, researchers also said that up to 20,000 ecommerce websites were at risk of Magecart attacks following Volusion server compromise.
In 2018, a Magecart attack on British Airways also compromised credit card details of around 500,000 customers.
More on Hacking
Australia says it is dealing with massive cyber attacks from sophisticated state-based actor
Hackers are targeting Australian organisations across a broad range of sectors, according to Prime Minister Morrison
Operation In(ter)ception: Hackers target aerospace companies via LinkedIn recruitment messages
Hackers first sent an exciting job offer via LinkedIn to aerospace executives while posing themselves as recruiters from well-known firms, such as General Dynamics and Collins Aerospace
Honda suffers suspected ransomware attack
The company says a 'security incident' caused disruption to its computer network and loss of connectivity
State-sponsored threat groups targeted email accounts of Trump and Biden campaign staff: Google
Biden campaign members says they are prepared for such attacks and were expecting them
REvil ransomware gang launches auction site to sell stolen data
The group has threatened to sell Madonna's legal documents in a future auction
