Hackers hide stolen credit card data in JPG file
Bad actors have come up with a new way of concealing credit card data purloined from compromised e-stores: hiding it in JPG files.
Discovered by researchers at Sucuri while investigating a Magecart attack against an e-store running the e-commerce CMS Magento 2, this new exfiltration method helps cyber criminals avoid detection.
“A recent investigation for a compromised Magento 2 Web site revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file,” the researchers said in a blog post.
The researchers found PHP code injected into the file ./vendor/magento/module-customer/Model/Session.php. The criminals employed a getAuthenticates function to load the remainder of the malicious code into the compromised environment. Files under vendor/ are installed by Composer and are not meant to be hand-edited, so any modification to Session.php is itself a strong indicator of compromise that file integrity monitoring should catch.
The code stored the stolen data in the image file pub/media/tmp/design/file/default_luma_logo.jpg. Because pub/ is web-accessible in a Magento 2 install, the attackers could retrieve the file over plain HTTP like any other store image, which made it easy to hide, access, and download again without raising the alarm.
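A defender's counterpart to the technique above is a scan of the media tree for image files that are not what their extension claims: a file that carries encoded POST data either has no JPEG header at all, or has a payload appended after the JPEG end-of-image marker. The following is an added example written for this article; it is not Sucuri's or Magento's code. The tree layout, the 16-byte trailer tolerance and the sample records (fake card numbers, built inline) are assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Scan a Magento-style pub/media tree for JPG files that hide non-image data.
Added example for this article, not Sucuri's or Magento's code. Paths, sample
records and thresholds are assumptions made for the demo."""
import base64
import os
import tempfile

SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker plus the next marker prefix
EOI = b"\xff\xd9"          # JPEG end-of-image marker
IMAGE_EXTS = {".jpg", ".jpeg"}
TRAILER_TOLERANCE = 16     # assumed: a few bytes of padding after EOI is normal


def inspect_image(path):
    """Return a finding string for a suspicious JPEG, or None if it looks clean."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(SOI):
        return "not a JPEG (bad magic bytes)"
    end = data.rfind(EOI)
    if end == -1:
        return "no end-of-image marker"
    trailer = data[end + len(EOI):]
    if len(trailer) > TRAILER_TOLERANCE:
        return "%d bytes of data after end-of-image" % len(trailer)
    return None


def scan_media(root):
    """Walk root and return {relative_path: finding} for every suspicious image."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            finding = inspect_image(full)
            if finding:
                findings[os.path.relpath(full, root)] = finding
    return findings


def preview_payload(path, limit=3):
    """Base64-decode the non-image part of the file line by line (the injection
    in the article encoded captured data before writing it) and return up to
    `limit` decoded lines that look like form fields, for analyst confirmation."""
    with open(path, "rb") as fh:
        data = fh.read()
    end = data.rfind(EOI)
    body = data[end + len(EOI):] if data.startswith(SOI) and end != -1 else data
    decoded = []
    for line in body.splitlines():
        try:
            text = base64.b64decode(line, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if "=" in text:            # key=value pairs as seen in captured POST bodies
            decoded.append(text)
        if len(decoded) >= limit:
            break
    return decoded


def build_sample_media():
    """Construct a throwaway media tree with three files: a minimal real JPEG,
    a fake .jpg that is only base64 records, and a JPEG with records appended
    after EOI. All data is constructed for the demo. Returns the tree root."""
    root = tempfile.mkdtemp(prefix="pub_media_")
    hidden_dir = os.path.join(root, "tmp", "design", "file")
    os.makedirs(hidden_dir)
    # SOI + an APP0/JFIF segment + EOI: enough structure for the header checks.
    tiny_jpeg = SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + EOI
    records = b"\n".join(base64.b64encode(r) for r in (
        b"cc_number=4111111111111111&cc_exp=12/27&cc_cid=123",   # test card number
        b"email=victim@example.com&firstname=Jane&lastname=Doe",
    )) + b"\n"
    with open(os.path.join(root, "logo.jpg"), "wb") as fh:
        fh.write(tiny_jpeg)                                   # clean image
    with open(os.path.join(hidden_dir, "default_luma_logo.jpg"), "wb") as fh:
        fh.write(records)                                     # fake JPG, no header
    with open(os.path.join(hidden_dir, "banner.jpg"), "wb") as fh:
        fh.write(tiny_jpeg + records)                         # payload after EOI
    return root


if __name__ == "__main__":
    root = build_sample_media()
    for rel, why in sorted(scan_media(root).items()):
        print("%s: %s" % (rel, why))
        print("    decoded:", preview_payload(os.path.join(root, rel)))
```

Run it against a real store's pub/media directory by calling scan_media on that path instead of the constructed tree; combine it with a hash comparison of vendor/ against a clean Composer install, since the dropper in this case lived in Session.php rather than in the image itself.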
The researchers noted that the captured data could be used for a number of illegal activities, including credit card fraud, spam campaigns, and spear-phishing attacks.
They added that malefactors are constantly on the lookout for new ways to obfuscate their activities and the creative use of the fake .JPG enables them to conceal and store harvested credit card details for future use without attracting attention to themselves.
Ilia Kolochenko, founder and CEO of ImmuniWeb, says that while Magecart attacks are tricky to detect, the purpose of hiding credit card data in image files remains largely unclear. If a Web site is equipped with an on-premise or cloud-based WAF/IDS that is capable of detecting anomalies in Web traffic, these systems will almost certainly detect a Web site breach or Magecart infection in a timely manner.
Moreover, excessive or unusual HTTP requests, such as those coming from specific countries or during unusual business hours, to any Web site sections or files, including images, will more than likely be detected much like any other anomaly would.
“I don’t think we are dealing with novel data exfiltration techniques but rather with an individual use case that is unlikely to be widely used in the future," says Kolochenko. "To minimise the risks of Magecart data breaches and harsh penalties under PCI DSS, CCPA or GDPR, e-commerce Web site owners should implement continuous security monitoring, anomaly detection and regular security testing by a qualified third party.”
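The traffic anomalies Kolochenko describes (repeated or off-hours reads of an image, or reads by a non-browser client) can be checked for directly in the web server's access log. The script below is an added example written for this article, not ImmuniWeb's or Sucuri's code. The log lines are constructed for the demo, and the business-hours window, the repeat threshold, the "Mozilla" user-agent heuristic and the /media/tmp/ and /pub/media/tmp/ URL prefixes (the two places a Magento 2 install exposes pub/media/tmp depending on the document root) are assumptions.

```python
#!/usr/bin/env python3
"""Flag anomalous reads of image files in combined-format access logs.
Added example for this article, not ImmuniWeb's or Sucuri's code. Sample log
lines are constructed; prefixes, thresholds and hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
WATCH_PREFIXES = ("/media/tmp/", "/pub/media/tmp/")   # assumed docroot layouts
BUSINESS_HOURS = range(7, 20)                          # assumed 07:00 to 19:59
REPEAT_THRESHOLD = 3        # assumed: browsers cache images, pickup scripts do not

# Constructed sample: one shopper, and one client repeatedly pulling the fake logo.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:14:02:11 +0000] "GET /checkout/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/86.0"
203.0.113.10 - - [10/Mar/2021:14:02:12 +0000] "GET /media/tmp/design/file/banner.jpg HTTP/1.1" 200 5521 "https://shop.example/checkout/" "Mozilla/5.0 (Windows NT 10.0) Firefox/86.0"
198.51.100.7 - - [10/Mar/2021:03:12:40 +0000] "GET /media/tmp/design/file/default_luma_logo.jpg HTTP/1.1" 200 9132 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:03:12:41 +0000] "GET /media/tmp/design/file/default_luma_logo.jpg HTTP/1.1" 200 9132 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:03:12:42 +0000] "GET /media/tmp/design/file/default_luma_logo.jpg HTTP/1.1" 200 9132 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:03:12:43 +0000] "GET /media/tmp/design/file/default_luma_logo.jpg HTTP/1.1" 200 9132 "-" "curl/7.68.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_anomalies(lines):
    """Return {client_ip: [reasons]} for clients whose reads of images under the
    watched prefixes look like payload pickup rather than page rendering."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if (rec and rec["method"] == "GET"
                and rec["path"].startswith(WATCH_PREFIXES)
                and rec["path"].lower().endswith((".jpg", ".jpeg"))):
            hits[rec["ip"]].append(rec)

    anomalies = {}
    for ip, recs in hits.items():
        reasons = []
        per_path = defaultdict(int)
        for r in recs:
            per_path[r["path"]] += 1
        repeated = [p for p, n in per_path.items() if n > REPEAT_THRESHOLD]
        if repeated:
            reasons.append("repeated fetch of %s (%d times)" % (repeated[0], per_path[repeated[0]]))
        if any(r["ts"].hour not in BUSINESS_HOURS for r in recs):
            reasons.append("image reads outside business hours")
        if all("Mozilla" not in r["ua"] for r in recs):   # heuristic, not proof
            reasons.append("non-browser user agent: %s" % recs[0]["ua"])
        if reasons:
            anomalies[ip] = reasons
    return anomalies


def demo():
    """Run the detector over the constructed sample log."""
    return find_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, reasons in demo().items():
        print(ip)
        for reason in reasons:
            print("   -", reason)
```

The same logic transfers to a SIEM rule: group GETs for image paths under a temp or upload directory by client, and alert when one client keeps re-reading the same file, does so outside normal hours, or never presents a browser user agent.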