Crooks hide e-skimmer code in favicon EXIF Metadata

Pierluigi Paganini June 26, 2020

Malwarebytes experts observed crooks hiding a software skimmer in the EXIF metadata of an image that was surreptitiously loaded by compromised online stores.

While investigating a Magecart attack, experts found an e-skimmer code hidden in the EXIF metadata of an image file and surreptitiously loaded by compromised online stores.

The malicious script detected by the researchers was loaded from an e-store running the WooCommerce plugin for WordPress.

The scripts allow threat actors to steal credit card data and other sensitive information that users enter on compromised e-commerce websites, then to send the collected info to the attackers.

The attack stands out because attackers use images to exfiltrate stolen credit card data.

Experts noticed that the script would load a favicon file that is identical to the one used by the compromised website. The attackers loaded the e-skimmer from the ‘Copyright’ field in the metadata of this image.

The initial JavaScript loads the skimming code included in the EXIF metadata of the favicon.ico using an <img> tag, and specifically via the onerror event.

The e-skimmer is able to capture the content of the input fields provided by the users while purchasing goods. including name, billing address, and credit card details. The data grabbed by the skimmer are encoded using Base64 and then reverses that string before sending the information to an external server as an image file, via a POST request.

While investigating the incident, the researchers discovered a copy of the skimmer toolkit’s source code in an open directory of a compromised site. The toolkit allows the attackers to craft a favicon.ico file with the e-skimmer code injected in the Copyright field.

“Based on open source intelligence, we can find more details on how this skimmer may have evolved. An earlier version of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some obfuscation found in the more recent case we found, but the same core features, such as loading JavaScript via the Copyright field (metadata of an image file), exist.” concludes the analysis. “Finally, this skimmer may have ties with Magecart Group 9.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment