Hackers hide Magecart script in favicon image's EXIF data to steal credit card details

The EXIF format lets interchange information be stored inside digital photography image files that use JPEG compression

Researchers at cyber security firm Malwarebytes have discovered a new Magecart campaign that used malicious scripts hidden in the EXIF data of a favicon image to steal customers' payment card details.

Exchangeable Image File Format (EXIF) is a format used for storing interchange information in digital photography image files that use JPEG compression. Developers generally use it to embed information such as the artist's name, details about the camera and copyright information.

"The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer," Malwarebytes' researchers stated in the report.

The researchers said they recently found an online store that was being attacked through a Magecart script.

This campaign differed from other Magecart campaigns in that the malicious script used to steal data from the payment page was not added directly to the site; instead, it was embedded in the EXIF data of a favicon image hosted on a remote site.

On the compromised website, the hackers added a simple script whose primary function was to load a remote favicon image and perform some processing on it. When the researchers examined that favicon, they found malicious JavaScript embedded in its EXIF data.

When the page loaded the favicon image, the simple script previously added to the site would extract and execute the skimmer code embedded in the image. The skimmer then sent any credit card data a customer submitted on the checkout pages back to the criminals.

Because the skimmer code itself was never placed on the hacked site, it was much easier for the attackers to operate without being noticed by security software or security researchers.
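As an added illustration of the defensive side of this technique (this is not code from the Malwarebytes report or from the article), the following Python parses a JPEG's APP1/EXIF segment and flags ASCII tags whose text looks like JavaScript, the kind of check a site owner could run over favicons served on checkout pages. The sample images are constructed inside the script, the list of script tokens is an assumed heuristic, and only the first IFD is inspected.

```python
import re
import struct
# Constructed fixture: a minimal JPEG whose APP1 (EXIF) segment carries one ASCII
# tag (0x8298, Copyright) in IFD0; payload must exceed 4 bytes (stored out of line).
def build_exif_jpeg(ascii_payload: bytes) -> bytes:
    value = ascii_payload + b"\x00"            # ASCII tags are NUL-terminated
    data_offset = 8 + 2 + 12 + 4               # header, count, 1 entry, next-IFD
    tiff = b"II*\x00" + struct.pack("<I", 8)   # little-endian TIFF, IFD0 at 8
    tiff += struct.pack("<H", 1)               # one directory entry
    tiff += struct.pack("<HHII", 0x8298, 2, len(value), data_offset)
    tiff += struct.pack("<I", 0) + value       # no next IFD, then the value
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
# Tokens that have no business in image metadata (assumed heuristic list).
SCRIPT_MARKERS = re.compile(rb"<script|eval\(|function\s*\(|document\.|XMLHttpRequest|atob\(", re.I)

def iter_jpeg_segments(data: bytes):
    # Yield (marker, payload) for each marker segment before SOS/EOI.
    pos = 2                                    # skip the SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_ascii_fields(tiff: bytes):
    # Walk IFD0 and return (tag, bytes) for every ASCII-typed (type 2) entry.
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    fields = []
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n, off = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if typ == 2:
            raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[off:off + n]
            fields.append((tag, raw.rstrip(b"\x00")))
    return fields
def find_script_in_exif(jpeg: bytes):
    # Return [(tag, text)] for EXIF ASCII fields that look like JavaScript.
    hits = []
    for marker, payload in iter_jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            for tag, text in exif_ascii_fields(payload[6:]):
                if SCRIPT_MARKERS.search(text):
                    hits.append((tag, text.decode("latin-1")))
    return hits
SUSPICIOUS = build_exif_jpeg(b"(c) 2020 eval(function(){document.forms[0]})")
CLEAN = build_exif_jpeg(b"Copyright (c) Example Photo Co.")
```

Run `find_script_in_exif` over a downloaded favicon's bytes; a non-empty result means the image's metadata deserves a manual look.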

The researchers said they have some evidence suggesting that the 'Magecart 9' threat group is likely behind this attack.

The number of web-skimming attacks is constantly on the rise, according to cyber security experts.

Last month, Malwarebytes researchers warned about a campaign in which hackers used fake favicons on compromised e-commerce websites to steal payment card details.

The researchers said they had discovered several compromised Magento websites that loaded a data skimmer, instead of the legitimate favicon, on their checkout pages.

In October last year, researchers also reported that up to 20,000 e-commerce websites were at risk of Magecart attacks following the Volusion server compromise.

In 2018, a Magecart attack on British Airways compromised the credit card details of around 500,000 customers.