
Hackers hide software skimmer in social media sharing icons

Security researchers have uncovered a new technique to inject a software skimmer onto checkout pages: the malware hides in social media sharing buttons.

Security experts at Sansec have detailed a new technique used by crooks to inject a software skimmer into checkout pages. E-skimming takes place when hackers compromise an e-commerce site and plant malicious code designed to siphon payment card data or personally identifiable information (PII).

E-skimming attacks were initially observed in the wild in 2016, and their number has rapidly increased since then. In recent years, numerous attacks involving software skimmers have been carried out by threat actors under the Magecart umbrella.

Attackers have used various techniques over time to carry out e-skimming attacks, such as exploiting flaws in the e-commerce platform (e.g., Magento, OpenCart). In other attacks, hackers have compromised plugins used by e-commerce platforms in a classic supply chain attack. Threat actors have also injected software skimmers through a company's poorly protected cloud hosting account.

Another attack scenario sees hackers targeting the administrators of the platform with social engineering attacks in an attempt to obtain their credentials and use them to plant the malicious code in the e-store.

Hacker groups under the Magecart umbrella focus on the theft of payment card data with software skimmers.

Sansec researchers were the first to discover the new malware. The malicious code has two components: a concealed payload and a decoder that decodes the software skimmer and executes the concealed code.

The malicious payload is concealed in social media buttons that mimic social sharing icons such as Facebook, Twitter, and Instagram. This is the first time a payload has been constructed as a perfectly valid image, which makes it undetectable by security scanners that only perform syntax checks.

Attackers concealed the software skimmer in a social sharing icon loaded as an HTML ‘svg’ element with a ‘path’ element as a container, named after social media platforms (e.g., google_full, facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full).

Attackers also make these attacks harder to detect by separating the decoder from the concealed payload.

“It is worth noting that the decoder does not have to be injected in the same location as the payload. This adds to its concealment, as finding only one of the parts, one might not deduce the true purpose of a slightly strangely formatted svg,” reads the analysis published by the Sansec experts.

“An attacker can of course conceal any payload with this technique. Samples taken by Sansec revealed payment skimming as the true purpose of the malware injections.”
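Because the icon is a syntactically valid image, a well-formedness check is not enough; a defender has to look at what the ‘path’ container actually holds. The following is an added example (not Sansec's code or a real sample) that collects every `<svg><path d="...">` from a page and flags path data that does not match the SVG path-data grammar or is far larger than any sharing icon needs; the size threshold and the sample markup are assumptions constructed for the demonstration.

```python
"""Flag <svg><path d="..."> data that is not plain SVG path syntax (added example)."""
import re
from html.parser import HTMLParser

# Characters the SVG path-data grammar allows: command letters, digits,
# signs, decimals, exponents and separators. Anything else is suspicious.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9eE+\-.,\s]*$")
MAX_ICON_PATH_LEN = 2000  # assumption: real sharing icons are far shorter


class SvgPathCollector(HTMLParser):
    """Collect (svg id-or-class, path d attribute) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self._svg_stack = []  # names of the <svg> elements currently open
        self.paths = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "svg":
            self._svg_stack.append(a.get("id") or a.get("class") or "<anon>")
        elif tag == "path" and self._svg_stack:
            self.paths.append((self._svg_stack[-1], a.get("d") or ""))

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_stack:
            self._svg_stack.pop()


def find_suspicious_paths(html):
    """Return (svg name, reason) for every path whose d attribute is not plain path data."""
    parser = SvgPathCollector()
    parser.feed(html)
    findings = []
    for name, d in parser.paths:
        if not PATH_DATA_RE.match(d):
            findings.append((name, "non-path characters in d attribute"))
        elif len(d) > MAX_ICON_PATH_LEN:
            findings.append((name, "path data far larger than an icon"))
    return findings


# Constructed sample: a benign icon plus an icon whose path carries text that
# is not path data (a stand-in for a hidden payload, not a real sample).
SAMPLE_HTML = """
<svg id="twitter_full" viewBox="0 0 24 24"><path d="M22 5.8c-.7.3-1.5.5-2.3.6z"/></svg>
<svg id="facebook_full" viewBox="0 0 24 24"><path d="M1 1 PAYLOAD_PLACEHOLDER:aGVsbG8="/></svg>
"""

if __name__ == "__main__":
    for svg_name, reason in find_suspicious_paths(SAMPLE_HTML):
        print(f"{svg_name}: {reason}")
```

Run it over a saved copy of a checkout page; any hit deserves a manual look at the element and at any script that reads it, since the decoder may live elsewhere on the page.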

In June, experts detected similar malware using this innovative loading technique. That malicious code was not as sophisticated, and experts detected it on only 9 sites on a single day. Some of the software skimmers were only partially working, likely because the attackers deployed them as test runs.

“Of these 9 infected sites, only 1 had functional malware. The 8 remaining sites all missed one of the two components, rendering the malware useless,” conclude the experts.

“After the discovery of this new and more sophisticated malware, the question arises if the June injections could have been the creator running a test to see how well their new creation would fare. This new malware was first found on live sites in mid-September.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
