Security experts from Sucuri and RiskIQ have spotted an interesting exfiltration technique adopted by crooks to exfiltrate payment data from compromised e-commerce websites powered by the Magento platform.
Cybercriminals have been using image files to store and exfiltrate payment card data stolen from the target website. This last wave of attacks targeted over 100 online shops running on Magento, Powerfront CMS and OpenCart e-commerce platforms
Typically attackers use card-swiping malware that steals credit card data from the Magento shot and exfiltrates it via email or storing information in a file that is later accessed by hackers.
Experts noticed an interesting attack on Magento shops in which cybercriminals have used a malicious PHP file that dumps stolen data into an image file.
Similar exfiltration techniques are common, anyway, the attackers usually don’t use files containing real images send out the information.
“This is not out of the ordinary. It is actually characteristic of a lot of the credit card swipers we have seen lately.” reads a blog post published by Sucuri.
“Attackers use image files as an obfuscation technique to hide stolen details from the website owner. The image file usually doesn’t contain a real image, however, no one really suspects an image file to contain malware. This gives the attacker a secret place to store data. If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack.”
In this specific case, the imaged used to store the payment card data are real and are related to the products offered for sale on the compromised website. This technique allows attackers to remain under the radar and avoid raising any suspicion.
The stolen data is appended at the end of the image file in clear text, and the file is publicly accessible. According to Sucuri, the majority of stolen card data came from the United States, but the files include also data related to victims from Japan, Turkey, Saudi Arabia and Canada.
“To obtain the stolen numbers the attacker would not even have to maintain access to the site. The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.” continues the post.
Sucuri invites owners of websites powered by Magento to keep their CMS up to date and apply all the latest patches.
It also invites administrators of the websites to use a complex password.
[adrotate banner=”9″]
(Security Affairs – Magento, hacking)