Hackers have come up with a clever method to steal payment card data from compromised online stores that reduces the suspicious traffic footprint and helps them evade detection.
The hackers hide the card info in a JPG image and store it in the hacked website rather than sending the details to a server they control.
The new exfiltration technique was spotted by the security researchers at website security company Sucuri while investigating a compromised online shop running version 2 of the open-source Magento e-commerce platform.
These attacks, known as Magecart attacks, are carried out by threat actors who gain access to an online store through a vulnerability and insert malicious code designed to steal customer card data at checkout.
Sucuri found a PHP file on the compromised website that the hackers had modified to load additional malicious code by creating and calling the getAuthenticates function.
The injected code created a JPG image in a public location on the infected website and used it to store customers' payment card data in encoded form.
This permitted the attackers to easily download the information as a JPG file without arousing any suspicions as it would look like a visitor simply downloading an image from the website.
On analyzing the code, the researchers found that the malicious code used the Magento framework to capture the information from the checkout page delivered through the Customer_ parameter.
If the customer providing the card data was logged in as a user, the code stole their email address as well.
According to the researchers, almost all data submitted on the checkout page is present in the Customer_ parameter, which includes payment card details, phone number, and postal address.
This information is more than enough to perform credit card fraud either directly by the hackers or by another party purchasing the data, or to deploy more targeted phishing and spam campaigns.
The researchers stated that this technique is stealthy enough for website owners to miss when checking for an infection, but integrity control checks and website monitoring services will be able to detect changes such as code modifications or new files being added.
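The integrity check the researchers recommend, as an added example that is not Sucuri's tooling or Magento code: it diffs a store's files against a known-good hash manifest (catching the edited PHP file and the newly added file) and additionally flags any ".jpg" whose bytes are not a plain JPEG. The store paths and the two sample trees are constructed for the example; that a data stash named ".jpg" would fail a JPEG marker check is an assumption, not a detail from the report.

```python
import hashlib
import os

def snapshot(root):
    """Read every file under root into {relative_path: bytes} (the live store)."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return {os.path.relpath(p, root): open(p, "rb").read() for p in paths}

def digest(files):
    """Baseline manifest: relative path -> sha256 hex digest of the contents."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}

def jpeg_anomaly(data):
    """Why a '.jpg' file does not look like a plain JPEG, or None if it does."""
    if not data.startswith(b"\xff\xd8"):
        return "no JPEG SOI marker (not an image)"
    eoi = data.rfind(b"\xff\xd9")
    if eoi == -1:
        return "no JPEG EOI marker"
    trailing = len(data) - (eoi + 2)
    return f"{trailing} bytes appended after EOI marker" if trailing else None

def audit(baseline, files):
    """Diff live files against the baseline and flag image files that are not images."""
    current = digest(files)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "suspicious_images": [],
    }
    for path, data in files.items():
        if path.lower().endswith((".jpg", ".jpeg")):
            reason = jpeg_anomaly(data)
            if reason:
                report["suspicious_images"].append((path, reason))
    return report

# Constructed sample: a clean baseline, then the same store after a compromise
# shaped like the one described (an edited PHP file plus a new "image" holding data).
PHP = "app/code/Example/Module/Helper/Data.php"  # placeholder path, not the real one
CLEAN = {
    PHP: b"<?php\nclass Data {}\n",
    "pub/media/logo.jpg": b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9",
}
COMPROMISED = dict(CLEAN)
COMPROMISED[PHP] += b"// injected loader\n"
COMPROMISED["pub/media/cache.jpg"] = b"constructed placeholder: encoded text, not image bytes\n"
```

In practice, store `digest(snapshot(root))` from a known-good deployment off the web server and run `audit(saved_manifest, snapshot(root))` on a schedule; anything under "added", "modified" or "suspicious_images" is what the article says a file-integrity control would surface.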
Image Credits: TechSpot