Hackers have adopted a new way to steal payment card information from e-commerce websites: inserting skimming code into the metadata of image files, both to exfiltrate data and to evade detection.
The new trick was detected by security researchers at MalwareBytes last week. In a blog post published last Saturday, the security firm said hackers have been hiding skimming code within the metadata of image files, loading those images on compromised online stores, and exfiltrating the stolen payment card information under the disguise of image files.
“The malicious code we detected was loaded from an online store running the WooCommerce plugin for WordPress. WooCommerce is increasingly being targeted by criminals, and for good reason, as it has a large market share,” the firm noted.
Upon further analysis, the researchers found that the hackers were using the Copyright metadata field of the merchant’s logo to load their web skimmer. While image headers have been abused before to hide malicious code, this was the first time, according to MalwareBytes, that an image header had been used to hide a credit card skimmer.
According to MalwareBytes, there is evidence to suggest that the skimmer may have ties to Magecart Group 9 as the domain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same registrar, and was registered within a week of magerates[.]com.
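As an added illustration of the technique described above (this is not code from the article or from MalwareBytes), the following Python builds a constructed JPEG whose EXIF Copyright field carries script-like text, then parses the APP1/Exif segment and flags a Copyright field that looks like code rather than a credit line. Tag 0x8298 is the standard TIFF/EXIF Copyright tag; the sample strings and the keyword list are constructed for the demonstration.

```python
import struct
COPYRIGHT_TAG = 0x8298  # EXIF/TIFF "Copyright" tag, ASCII type (2)
SUSPICIOUS = ("<script", "eval(", "atob(", "fromcharcode", "document.", "xmlhttprequest", "addeventlistener")

def build_exif_jpeg(copyright_text):
    """Constructed sample: a marker-only JPEG whose APP1/Exif block holds one IFD0 entry,
    the Copyright tag. Assumes the text is longer than 3 bytes (value stored after the IFD)."""
    value = copyright_text.encode("latin-1") + b"\x00"
    ifd = struct.pack(">H", 1)                                     # one directory entry
    ifd += struct.pack(">HHII", COPYRIGHT_TAG, 2, len(value), 26)  # value at TIFF offset 26
    ifd += struct.pack(">I", 0)                                    # no next IFD
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd + value
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_copyright(jpeg):
    """Walk the JPEG marker segments, find APP1/Exif and return IFD0's Copyright string (or None)."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker in (0xD9, 0xDA):          # end of image / start of scan: no more metadata
            break
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            end = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte order
            ifd = struct.unpack(end + "I", tiff[4:8])[0]
            count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                e = ifd + 2 + 12 * i
                tag, typ, n, off = struct.unpack(end + "HHII", tiff[e:e + 12])
                if tag == COPYRIGHT_TAG and typ == 2:
                    raw = tiff[e + 8:e + 12] if n <= 4 else tiff[off:off + n]  # inline if <= 4 bytes
                    return raw[:n].rstrip(b"\x00").decode("latin-1", "replace")
        pos += 2 + seglen
    return None

def scan_copyright(jpeg):
    """Return (copyright_text, findings); findings lists script-like tokens seen in the field."""
    text = exif_copyright(jpeg)
    if text is None:
        return None, []
    findings = [k for k in SUSPICIOUS if k in text.lower()]
    return text, findings

BENIGN = build_exif_jpeg("Copyright 2020 Example Store")                         # constructed: normal credit
SUSPECT = build_exif_jpeg("Copyright <script>eval(atob('QUFB'))</script>")     # constructed: script-like
```

Run `scan_copyright()` over the logo and other static images an online store serves; a Copyright field that contains script tokens, or is far longer than a credit line, warrants a closer look at how the page loads that image.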
The Magecart hacker group, which regularly injects credit card skimming code into e-commerce websites to steal payment card details, gained prominence in 2018 after it stole large volumes of customer data from the websites of the likes of TicketMaster UK, Newegg, and British Airways.
According to RiskIQ, Magecart has been active since at least 2015 and constantly targets major companies using tried-and-tested skimming tactics. Aside from British Airways, Newegg, and TicketMaster UK, the group also successfully targeted Home Depot and Target to obtain the payment card information of a large number of people.
To avoid detection, the Magecart hackers not only used a domain server located in Romania and another belonging to a VPN provider named Time4VPS based in Lithuania, they also used a paid SSL certificate issued by Comodo rather than a free certificate in order to appear genuine.