February 1, 2021 By David Bisson 2 min read

A gang of threat actors is using social media link buttons to hide malicious code that leads to a credit card skimmer. 

Innocuous Images Hide Credit Card Skimmer

These attacks, based on a web skimmer or Magecart script, infect checkout pages with a credit card skimmer, security firm Sanguine Security (SanSec) discovered in November 2020. 

First, attackers disguised the malicious payload, including the credit card skimmer, as an HTML <svg> element. They used syntax resembling legitimate use of Scalable Vector Graphics (SVG). This type of vector image format applies to two-dimensional graphics. To make the image appear safe, the gang named their payloads after one of at least six trusted social media companies. In doing so, they disguised the payload as social media buttons.

Second, they used a decoder to interpret and execute the payload. They could hide the decoder in a different location than their payload. Therefore, it became more difficult for organizations to figure out what was going on if they came across an unusual SVG file.

When a user checked out on an e-commerce site hosting these buttons, this payload activated the credit card number stealer. Threat actors could use the same technique to hide samples of other kinds of malware.

Credit Card Skimmer Concealed in an Image

This might be the first instance of a malicious payload being hidden as a valid image as part of a widespread campaign. But, it’s not the first time they’ve used an image in a credit card skimmer’s attack chain. (Broadly, this technique is also known as a steganography attack. A payload is hidden inside an innocuous image or audio file until it is opened by an online steganography decoder.)

In June 2020, SanSec detected a Magecart attack in which a credit card skimmer attached itself to the compromised checkout page’s submit button. Clicking that button caused the skimmer to seize, serialize and base64 encode the entire checkout form. The campaign then added a temporary image to the Document Object Module with a _preloader identifier. This image sat on the attackers’ server. Therefore, by adding the checkout data to the image address, the attackers were able to successfully exfiltrate the information.

SanSec detected other actors using the same technique in June last year in what could have been a test run for the concealment malware attack. The attackers succeeded in infecting just nine sites, and the credit card skimmer malware was active on just one of them. On all the rest, either the payload or the decoder was missing.

How to Defend Against Evasive Skimmers

Together, these attacks highlight the lengths to which attackers are willing to go in order to hide their malware. It also shows you can’t always detect malware by testing for valid syntax. 

First, organizations that have an online store need to work to prevent malicious actors from injecting a credit card skimmer into their checkout pages. They can do that by protecting the backends of their websites with strong passwords and multifactor authentication. They can also use vulnerability management to scan for security weaknesses that malicious actors could use in order to gain unauthorized access to their domains.

Organizations also need to invest in their ability to detect and respond to attacks such as a credit card skimmer. They can do this by using threat intelligence to stay on top of new attack techniques, leveraging network monitoring to spot data exfiltration attempts and keeping regular data and website backups to restore their websites to a known good state in the event that they detect a compromise.

More from News

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today