February 1, 2021 By David Bisson 2 min read

A gang of threat actors is using social media link buttons to hide malicious code that leads to a credit card skimmer. 

Innocuous Images Hide Credit Card Skimmer

Security firm Sanguine Security (SanSec) discovered in November 2020 that these attacks, based on a web skimmer or Magecart script, infect checkout pages with a credit card skimmer.

First, attackers disguised the malicious payload, including the credit card skimmer, as an HTML <svg> element, using syntax resembling legitimate use of Scalable Vector Graphics (SVG), a vector image format for two-dimensional graphics. To make the image appear safe, the gang named their payloads after one of at least six trusted social media companies. In doing so, they disguised the payload as social media buttons.

Second, they used a decoder to interpret and execute the payload. They could hide the decoder in a different location than their payload. Therefore, it became more difficult for organizations to figure out what was going on if they came across an unusual SVG file.

When a user checked out on an e-commerce site hosting these buttons, this payload activated the credit card number stealer. Threat actors could use the same technique to hide samples of other kinds of malware.
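As an added example (not SanSec's tooling or code from the original article), a small static audit of a checkout page's HTML that applies one defender's heuristic to the technique described above: inline SVG that carries a long unbroken base64-like run is worth a manual look, whatever its brand-sounding id. The threshold, brand list and sample page are assumptions constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristic (an assumption of this example): genuine inline SVG is short attributes and
# path data broken up by spaces and commas, so an unbroken 40+ character base64-like run is
# unusual. Embedded data: images trigger it too; allowlist those per site after review.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")
BRANDS = ("facebook", "twitter", "instagram", "youtube", "pinterest", "google")

class SvgAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth = 0       # <svg> nesting depth; 1 means inside a top-level <svg>
        self.cur = None      # record for the top-level <svg> being parsed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
            if self.depth == 1:
                self.cur = {"id": dict(attrs).get("id") or "", "blobs": []}
        if self.cur is not None:                       # scan every attribute value inside the svg
            for _, value in attrs:
                self.cur["blobs"] += BLOB_RE.findall(value or "")

    def handle_data(self, data):                       # text nodes inside the svg
        if self.cur is not None:
            self.cur["blobs"] += BLOB_RE.findall(data)

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth > 0:
            self.depth -= 1
            if self.depth == 0:                        # top-level <svg> closed: evaluate it
                rec, self.cur = self.cur, None
                if rec["blobs"]:
                    self.findings.append({"id": rec["id"], "blob_chars": sum(map(len, rec["blobs"])),
                                          "brand_named": any(b in rec["id"].lower() for b in BRANDS)})

def audit_html(html):
    parser = SvgAuditor()                              # one finding per suspicious top-level <svg>
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: a clean Twitter icon beside a "facebook" icon whose <g> holds an inert blob.
FAKE_BLOB = base64.b64encode(b"constructed placeholder payload text for the detector sample").decode()
SAMPLE_HTML = f"""
<a><svg id="twitter_icon" viewBox="0 0 24 24"><path d="M22 5.9c-.8.4-1.6.6-2.5.7z"/></svg></a>
<a><svg id="facebook_full" viewBox="0 0 24 24"><path d="M18 2h-3a5 5 0 0 0-5 5"/><g>{FAKE_BLOB}</g></svg></a>
"""
```

Because the check looks at content rather than syntax validity, the disguised element is flagged even though it parses as perfectly well-formed SVG.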

Credit Card Skimmer Concealed in an Image

This might be the first instance of a malicious payload being hidden as a valid image as part of a widespread campaign. But it's not the first time attackers have used an image in a credit card skimmer's attack chain. (Broadly, this technique is also known as a steganography attack. A payload is hidden inside an innocuous image or audio file until it is opened by an online steganography decoder.)

In June 2020, SanSec detected a Magecart attack in which a credit card skimmer attached itself to the compromised checkout page's submit button. Clicking that button caused the skimmer to seize, serialize and base64 encode the entire checkout form. The campaign then added a temporary image to the Document Object Model (DOM) with a _preloader identifier. This image sat on the attackers' server. Therefore, by adding the checkout data to the image address, the attackers were able to successfully exfiltrate the information.
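An added example of the network-monitoring side of the June 2020 technique (constructed for this article, not SanSec's detection logic): scan a browser-side request log from a monitored checkout run for image fetches to third-party hosts whose query string carries a base64-encoded form. The log format, the placeholder host and the sample form are assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit

IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".svg", ".webp")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # whole value is one long base64 token

def looks_like_form(raw):
    """A serialized checkout form decodes to printable key=value pairs joined by '&'."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and "=" in text and "&" in text

def suspicious_image_requests(lines, first_party_hosts):
    """Flag third-party image fetches whose query string carries a base64-encoded form."""
    findings = []
    for line in lines:
        _, method, url, _ = line.split(" ", 3)          # assumed format: "<timestamp> <method> <url> <status>"
        parts = urlsplit(url)
        if (method != "GET" or parts.hostname in first_party_hosts
                or not parts.path.lower().endswith(IMAGE_EXT)):
            continue
        for key, value in parse_qsl(parts.query):       # percent-decodes +, / and = back to base64
            if not B64_RE.match(value):
                continue
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:                            # binascii.Error is a ValueError
                continue
            if looks_like_form(raw):
                fields = [kv.split("=", 1)[0] for kv in raw.decode().split("&")]
                findings.append({"host": parts.hostname, "param": key, "fields": fields})
    return findings

# Constructed request log (not real traffic). Line 3 has the shape the technique above leaves:
# an image on a third-party host with the encoded form appended to its address.
FORM = "email=shopper%40example.test&card=TEST-PAN-PLACEHOLDER&exp=12%2F26"
ENCODED_FORM = quote(base64.b64encode(FORM.encode()).decode(), safe="")
OPAQUE_TOKEN = quote(base64.b64encode(bytes(range(32))).decode(), safe="")   # binary, not a form
SAMPLE_LOG = [
    "2021-02-01T10:00:01Z GET https://shop.example/static/logo.png 200",
    "2021-02-01T10:00:02Z GET https://cdn.example/buttons/facebook.svg?v=20210201 200",
    f"2021-02-01T10:00:03Z GET https://img.attacker-placeholder.test/p.gif?d={ENCODED_FORM} 200",
    f"2021-02-01T10:00:04Z GET https://analytics.example/pixel.gif?id={OPAQUE_TOKEN} 200",
]
```

Only the third line is reported; the analytics pixel's opaque token decodes to binary and the CDN's cache-buster is far too short to be a serialized form.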

SanSec detected other actors using the same technique in June last year, in what may have been a test run for the SVG concealment attack. The attackers succeeded in infecting just nine sites, and the credit card skimmer malware was active on just one of them. On all the rest, either the payload or the decoder was missing.

How to Defend Against Evasive Skimmers

Together, these attacks highlight the lengths to which attackers are willing to go in order to hide their malware. It also shows you can’t always detect malware by testing for valid syntax. 

First, organizations that have an online store need to work to prevent malicious actors from injecting a credit card skimmer into their checkout pages. They can do that by protecting the backends of their websites with strong passwords and multifactor authentication. They can also use vulnerability management to scan for security weaknesses that malicious actors could use in order to gain unauthorized access to their domains.

Organizations also need to invest in their ability to detect and respond to attacks such as a credit card skimmer. They can do this by using threat intelligence to stay on top of new attack techniques, leveraging network monitoring to spot data exfiltration attempts and keeping regular data and website backups to restore their websites to a known good state in the event that they detect a compromise.
