Hackers Use Steganography to Steal Credit Card Data from Compromised Stores
The attackers use Magecart malware to hide credit card data inside JPG files.
More and more attackers are shifting their attention to online e-commerce platforms, where they have found fertile ground: payment card data exfiltrated from checkout pages is later sold on hacking forums.
These incidents are known as Magecart attacks. Although they date back to 2016, researchers at the US-based web security firm Sucuri discovered a new exfiltration technique while investigating a compromised online store running version 2 of the open-source Magento e-commerce platform. Attackers who gain access to an online store through a vulnerability or weakness plant malicious code that steals customer card details at checkout.
The technique is called steganography: hiding malicious code or data inside an image or audio file. Among hacking groups it is not very common, because inserting text into an image file without corrupting the image is difficult. However, it was recently revealed that the ObliqueRAT threat actor infiltrates victims’ endpoints through steganography.
Sucuri researchers revealed that they encountered a Magento store whose attackers had altered a core CMS file, Cc.php, which is responsible for handling credit card data. The extra code added to the file recorded the payment card details customers entered in the checkout form and appended them to the end of an image file hosted on the store itself.
What was odd about this case was that the attackers managed to append a large number of card records to the image without visibly altering it. Usually, when attackers use steganography, they choose simple images to reduce the risk of corrupting the file. This time they altered a high-resolution image, which would normally have been very easy to break.
What is interesting about these attacks is that the image was one of the product pictures sold on the victim’s website. A store owner who came across the image and opened it to check that it displayed correctly would have noticed nothing. Had they inspected the site’s logs for suspicious activity, they would have seen only what looked like one more visitor downloading one more product image, which on some stores happens many times every hour.
In this situation, all the attacker had to do was request the image like any other visitor, download it, and read the card data appended to the end of the JPG file, without raising the store owner’s suspicions.
Regular integrity checks and website monitoring services are strongly recommended, as they detect exactly the kind of changes this attack relies on: modified core files such as Cc.php, newly added files, or existing files that suddenly grow.
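The two checks that would have caught this case, as an added example written for this article rather than code from Sucuri, Magento, or the attackers: a JPEG walker that finds any bytes stored after the End-Of-Image marker (the place where the card records were appended), and a baseline-versus-current file fingerprint diff that flags a modified core file or a newly added one. The JPEG skeleton and the appended record used as sample input are constructed here; the walker only follows the marker structure and does not decode image content, so it works on any real JPEG.

```python
"""Defender-side checks for the Magecart technique described above (added example,
not Sucuri's or Magento's code): (1) find JPEG files that carry data appended
after the End-Of-Image marker, and (2) diff a directory fingerprint against a
stored baseline so that edits to core files such as Cc.php, or newly added
files, are noticed. All sample inputs below are constructed."""
import hashlib
import os
from typing import Dict, Iterator, Optional, Tuple

# JPEG markers that carry no length field: TEM, SOI and RST0-RST7
_STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk the JPEG segment structure and return the offset just past the
    EOI marker (FF D9); None if the data is not a well-formed JPEG.
    Walking the structure, rather than searching for the last FF D9, means an
    attacker cannot hide appended data simply by including FF D9 inside it."""
    n = len(data)
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i < n:
        if data[i] != 0xFF:
            return None
        while i < n and data[i] == 0xFF:  # skip fill bytes before a marker
            i += 1
        if i >= n:
            return None
        marker = data[i]
        i += 1
        if marker == 0xD9:  # EOI: the image proper ends here
            return i
        if marker in _STANDALONE:
            continue
        if i + 2 > n:
            return None
        seg_len = int.from_bytes(data[i:i + 2], "big")  # includes the 2 length bytes
        if seg_len < 2:
            return None
        i += seg_len
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while i + 1 < n:
                nxt = data[i + 1]
                # FF 00 is byte stuffing and FF D0..D7 are restart markers; both stay inside the scan
                if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                i += 1
    return None


def trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes stored after the image proper: b"" for a clean file, None if malformed."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def scan_images(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, trailing_byte_count) for every JPEG under root that carries a tail."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    tail = trailing_data(fh.read())
                if tail:
                    yield path, len(tail)


def fingerprint_tree(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root (store this as the baseline)."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_trees(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Report files that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


# --- constructed sample: a structurally valid (but not decodable) JPEG skeleton ---
def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


CLEAN_JPEG = (
    b"\xff\xd8"                                                   # SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _seg(0xDB, b"\x00" + bytes(64))                             # DQT (dummy table)
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")        # SOF0, 8x8 greyscale
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                     # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"                     # entropy data with FF00 stuffing and RST0
    + b"\xff\xd9"                                                 # EOI
)
# Constructed stand-in for an appended card record; it deliberately contains FF D9
# so that a naive "find the last EOI" check would under-report the tail.
FAKE_TAIL = b"[constructed: card record]\xff\xd9[more]"
TAMPERED_JPEG = CLEAN_JPEG + FAKE_TAIL

if __name__ == "__main__":
    print("clean tail:", trailing_data(CLEAN_JPEG))
    print("tampered tail:", trailing_data(TAMPERED_JPEG))
```

In practice `fingerprint_tree` is run once on a known-good deployment and the result stored off the web server; `diff_trees` is then run against a fresh fingerprint on a schedule, and `scan_images` over the media directory, so that both a modified Cc.php and a product image that keeps growing show up as findings rather than as ordinary traffic.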