A gang of threat actors is using social media link buttons to hide malicious code that leads to a credit card skimmer. 

Innocuous Images Hide Credit Card Skimmer

These attacks, based on a web skimmer or Magecart script, infect checkout pages with a credit card skimmer, security firm Sanguine Security (SanSec) discovered in November 2020. 

First, attackers disguised the malicious payload, including the credit card skimmer, as an HTML <svg> element. They used syntax resembling legitimate use of Scalable Vector Graphics (SVG). This type of vector image format applies to two-dimensional graphics. To make the image appear safe, the gang named their payloads after one of at least six trusted social media companies. In doing so, they disguised the payload as social media buttons.

Second, they used a decoder to interpret and execute the payload. They could hide the decoder in a different location than their payload. Therefore, it became more difficult for organizations to figure out what was going on if they came across an unusual SVG file.

When a user checked out on an e-commerce site hosting these buttons, this payload activated the credit card number stealer. Threat actors could use the same technique to hide samples of other kinds of malware.

Credit Card Skimmer Concealed in an Image

This might be the first instance of a malicious payload being hidden as a valid image as part of a widespread campaign. But, it’s not the first time they’ve used an image in a credit card skimmer’s attack chain. (Broadly, this technique is also known as a steganography attack. A payload is hidden inside an innocuous image or audio file until it is opened by an online steganography decoder.)

In June 2020, SanSec detected a Magecart attack in which a credit card skimmer attached itself to the compromised checkout page’s submit button. Clicking that button caused the skimmer to seize, serialize and base64 encode the entire checkout form. The campaign then added a temporary image to the Document Object Module with a _preloader identifier. This image sat on the attackers’ server. Therefore, by adding the checkout data to the image address, the attackers were able to successfully exfiltrate the information.

SanSec detected other actors using the same technique in June last year in what could have been a test run for the concealment malware attack. The attackers succeeded in infecting just nine sites, and the credit card skimmer malware was active on just one of them. On all the rest, either the payload or the decoder was missing.

How to Defend Against Evasive Skimmers

Together, these attacks highlight the lengths to which attackers are willing to go in order to hide their malware. It also shows you can’t always detect malware by testing for valid syntax. 

First, organizations that have an online store need to work to prevent malicious actors from injecting a credit card skimmer into their checkout pages. They can do that by protecting the backends of their websites with strong passwords and multifactor authentication. They can also use vulnerability management to scan for security weaknesses that malicious actors could use in order to gain unauthorized access to their domains.

Organizations also need to invest in their ability to detect and respond to attacks such as a credit card skimmer. They can do this by using threat intelligence to stay on top of new attack techniques, leveraging network monitoring to spot data exfiltration attempts and keeping regular data and website backups to restore their websites to a known good state in the event that they detect a compromise.

More from News

More School Closings Coast-to-Coast Due to Ransomware

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks. The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase. In a recent warning, the nation’s…

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…

Good Guys Decrypt Ransomware Targeting Charitable Groups

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom. But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.” Sound too good to be true?…