Cyber criminals are using a new technique to inject a software skimmer into checkout pages: the malicious payload is concealed in social media buttons that mimic high-profile platforms such as Facebook, Twitter and Instagram.
E-skimming occurs when hackers compromise an e-commerce site and insert malicious code designed to siphon payment card data or personally identifiable information (PII).
Attackers have used different tactics to conduct e-skimming attacks, such as exploiting flaws in the e-commerce platform (e.g. Magento, OpenCart), compromising plugins used by e-commerce platforms in a supply chain attack, or injecting software skimmers into a company's poorly protected cloud hosting account.
In some cases the attackers target the platform's administrators with social engineering in order to obtain their credentials and use them to insert the malicious code into the e-store.
The new malware discovered by researchers at the Dutch cyber security firm Sansec has two components: a concealed payload, and a decoder that decodes the software skimmer and executes the concealed code.
The malicious payload is concealed in social media buttons that mimic the sharing icons of platforms such as Facebook, Twitter, and Instagram.
Although threat actors have previously hidden skimmers inside images using steganography, this is the first malware that uses a perfectly valid image, which cannot be flagged by security scanners that only perform syntax checks.
The attackers concealed the software skimmer in a social sharing icon loaded as an HTML 'svg' element, with a 'path' element as the container, and named after social media platforms (e.g., google_full, facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full).
These attacks are hard to detect because the decoder is kept separate from the concealed payload.
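As an added illustration (not Sansec's tooling and not code from this article), the following Python script scans page HTML for 'path' elements inside 'svg' icons that carry something other than plain SVG path data. It assumes the hidden content sits in the path element's text or in a non-standard attribute; the report only says the 'path' element serves as the container, so both places are checked, and the element names listed above are treated as a secondary indicator that is only reported alongside a structural anomaly. The sample HTML and the placeholder string inside it are constructed for the demo.

```python
"""Heuristic audit of SVG <path> elements in page HTML.

Added example, not Sansec's or any vendor's code. Assumptions: the
concealed content is stored as text inside <path> or in an attribute
a path element does not normally carry; the article says only that
<path> is the container, so both locations are checked.
"""
import re
from html.parser import HTMLParser

# Everything legal in an SVG path 'd' attribute: drawing commands,
# numbers, separators. Any other character is not path data.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9.,+\-eE\s]*$")

# Common attributes a <path> legitimately carries (a subset of the spec).
KNOWN_PATH_ATTRS = {
    "d", "id", "class", "style", "fill", "stroke", "stroke-width",
    "stroke-linecap", "stroke-linejoin", "fill-rule", "clip-rule",
    "fill-opacity", "stroke-opacity", "opacity", "transform",
}

# Element names quoted in the article for this campaign. A match alone
# is not evidence; plenty of legitimate icons use similar names.
REPORTED_NAMES = {
    "google_full", "facebook_full", "twitter_full",
    "instagram_full", "youtube_full", "pinterest_full",
}


class SvgPathCollector(HTMLParser):
    """Collect every <path> element with its attributes and inner text."""

    def __init__(self):
        super().__init__()
        self.paths = []        # list of (attrs_dict, inner_text)
        self._current = None   # [attrs_dict, text] while inside <path>

    def handle_starttag(self, tag, attrs):
        if tag == "path":
            self._current = [dict(attrs), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        # <path .../> triggers handle_starttag then handle_endtag as well.
        if tag == "path" and self._current is not None:
            self.paths.append(tuple(self._current))
            self._current = None


def audit_path(attrs, inner_text):
    """Return the reasons a <path> does not look like plain image data."""
    reasons = []
    d = attrs.get("d") or ""
    if not PATH_DATA_RE.match(d):
        reasons.append("d attribute contains characters that are not SVG path data")
    if inner_text.strip():
        reasons.append("path element has text content (should be empty)")
    extra = sorted(set(attrs) - KNOWN_PATH_ATTRS)
    if extra:
        reasons.append("unexpected attributes: " + ", ".join(extra))
    name = attrs.get("id") or attrs.get("class") or ""
    if reasons and name in REPORTED_NAMES:
        reasons.append(f"name '{name}' matches the reported campaign")
    return reasons


def audit_html(html):
    """Parse HTML and return one finding per anomalous <path> element."""
    collector = SvgPathCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs, text in collector.paths:
        reasons = audit_path(attrs, text)
        if reasons:
            name = attrs.get("id") or attrs.get("class") or "<unnamed>"
            findings.append({"name": name, "reasons": reasons})
    return findings


# Constructed sample: one clean icon and one icon whose <path> carries
# text content where an image would have none (placeholder, not a payload).
SAMPLE_HTML = """
<div class="share">
  <svg viewBox="0 0 24 24"><path id="twitter_clean" d="M22 5.9c-.7.3-1.5.5-2.3.6"/></svg>
  <svg viewBox="0 0 24 24">
    <path id="facebook_full" d="M9 8h-3v4h3v12h5v-12h3.6l.4-4h-4v-1.7c0-1 .2-1.3 1.1-1.3h2.9v-5h-3.8c-3.6 0-5.2 1.6-5.2 4.6v3.4z">
      CONSTRUCTED_PLACEHOLDER_NOT_PATH_DATA
    </path>
  </svg>
</div>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against saved checkout-page HTML (or the output of a headless browser, since the decoder may only assemble the icon at runtime) and review every reported element by hand; the check is a triage aid, not proof of compromise, and an icon that passes it can still be loaded by a separate decoder script elsewhere on the page.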
This technique can be used to conceal any payload; according to the researchers, however, payment skimming is the main purpose of these injections.
Similar malware using this innovative loading technique was detected in June. That code was not sophisticated, and the experts found it on only 9 sites on a single day; some of the software skimmers worked only partially.
Now that this new, more sophisticated malware has been detected, it is believed that those partially working skimmers were test runs for the version found later.