Members of the Magecart hacker group have developed a new technique to obfuscate the malware code within the comment blocks of images. This method also allows criminals to extract sensitive data like credit card details from infected e-commerce websites.
Sucuri Security analyst Ben Martin says Magecart attackers who steal credit card details are “dumping” them into image files in order to avoid detection.
“One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion,” Sucuri Security Analyst, Ben Martin, said in a blog post. “These can later be downloaded using a simple GET request at a later date.”
MageCart is a generic term that refers to groups of cybercriminals who target e-commerce websites and steal credit card numbers.
The Sucuri researcher thinks that the attack was carried out by Magecart Group 7 based on the overlaps in the tactics and techniques used by the threat actor.
An attacker implanted a Base64-encoded skimmer in a PHP file used in the check out process. The actor also added a layer of obfuscation to make it difficult to detect with the help of a technique called code concatenation.
“After our initial sweep for malware we noticed that there were two image files on the server that continued to be populated with chunks of base64 encoded data. When decoded to plain text they were clearly credit card and cvv numbers, billing addresses, expiration dates and a lot more.”
The goal of these attacks is to intercept a shopper’s card details in real-time, and then save them into a bogus style sheet on the server. The attacker can later download this data by making a GET request.
“MageCart is an ever growing threat to e-commerce websites,” Martin said. “From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn’t they? Literal fortunes are made [by] stealing and selling stolen credit cards on the black market.”
MageCart is a threat that can easily expose sensitive information about your website.
“As more and more commerce is conducted online we can only expect the attacks on websites to escalate and more players enter the already-crowded field of MageCart,” the researcher warns.