A gang of threat actors is using social media link buttons to hide malicious code that leads to a credit card skimmer. 

Innocuous Images Hide Credit Card Skimmer

These attacks, based on a web skimmer or Magecart script, infect checkout pages with a credit card skimmer, security firm Sanguine Security (SanSec) discovered in November 2020. 

First, attackers disguised the malicious payload, including the credit card skimmer, as an HTML <svg> element. They used syntax resembling legitimate use of Scalable Vector Graphics (SVG). This type of vector image format applies to two-dimensional graphics. To make the image appear safe, the gang named their payloads after one of at least six trusted social media companies. In doing so, they disguised the payload as social media buttons.

Second, they used a decoder to interpret and execute the payload. They could hide the decoder in a different location than their payload. Therefore, it became more difficult for organizations to figure out what was going on if they came across an unusual SVG file.

When a user checked out on an e-commerce site hosting these buttons, this payload activated the credit card number stealer. Threat actors could use the same technique to hide samples of other kinds of malware.

Credit Card Skimmer Concealed in an Image

This might be the first instance of a malicious payload being hidden as a valid image as part of a widespread campaign. But, it’s not the first time they’ve used an image in a credit card skimmer’s attack chain. (Broadly, this technique is also known as a steganography attack. A payload is hidden inside an innocuous image or audio file until it is opened by an online steganography decoder.)

In June 2020, SanSec detected a Magecart attack in which a credit card skimmer attached itself to the compromised checkout page’s submit button. Clicking that button caused the skimmer to seize, serialize and base64 encode the entire checkout form. The campaign then added a temporary image to the Document Object Module with a _preloader identifier. This image sat on the attackers’ server. Therefore, by adding the checkout data to the image address, the attackers were able to successfully exfiltrate the information.

SanSec detected other actors using the same technique in June last year in what could have been a test run for the concealment malware attack. The attackers succeeded in infecting just nine sites, and the credit card skimmer malware was active on just one of them. On all the rest, either the payload or the decoder was missing.

How to Defend Against Evasive Skimmers

Together, these attacks highlight the lengths to which attackers are willing to go in order to hide their malware. It also shows you can’t always detect malware by testing for valid syntax. 

First, organizations that have an online store need to work to prevent malicious actors from injecting a credit card skimmer into their checkout pages. They can do that by protecting the backends of their websites with strong passwords and multifactor authentication. They can also use vulnerability management to scan for security weaknesses that malicious actors could use in order to gain unauthorized access to their domains.

Organizations also need to invest in their ability to detect and respond to attacks such as a credit card skimmer. They can do this by using threat intelligence to stay on top of new attack techniques, leveraging network monitoring to spot data exfiltration attempts and keeping regular data and website backups to restore their websites to a known good state in the event that they detect a compromise.

More from News

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Costa Rica State of Emergency Declared After Ransomware Attacks

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack. Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The…

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…