Researchers at website security company Sucuri report a sneaky method to steal payment card data from compromised online stores.
Hackers have come up with a way to siphon the data without raising suspicion or triggering detection. Rather than sending the card data straight out of the store, which would likely be noticed, they hide it inside a JPG image stored on the compromised website.
Sucuri researchers have been investigating an online shop running Magento version 2 that was compromised in one of the series of incidents known as Magecart attacks, which began years ago. In these attacks, cybercriminals gain access to a store and plant malicious code that steals customer card data at checkout.
The malware captured the information from the checkout page delivered through the Customer_ parameter. The data submitted on the checkout page and present in the Customer_ parameter includes payment card details, phone number, and postal address. If the customer was logged in, the code also stole the email address.
Unlike in other Magecart cases, this time Sucuri found a PHP file that loads additional malicious code by defining and calling a getAuthenticates function, the company said in a blog post.
The same PHP code also creates a JPG image that the malware uses to store the encoded payment card information.
Attackers can then download the JPG file without triggering any alarms, as the request looks like a regular image download initiated by a user.
The stolen card information can be used for credit card fraud or to deploy more targeted phishing or spam campaigns.
Sucuri says that website owners will likely miss this intrusion when checking for an infection, as the method is very stealthy. But they say integrity control checks and website monitoring tools should be able to detect things like code modifications and newly added files.
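The two checks Sucuri points to map directly onto the behaviour described above: a file-integrity baseline catches the modified PHP file and the newly created image, and a JPEG structure check catches an image that carries data after its End-Of-Image marker. The script below is an added defensive example written for this page; it is not Sucuri's code and not part of the Magento project. The web-root layout, file names and the minimal JPEG bytes are constructed for the demonstration, and the hypothetical threshold `min_trailing` is an assumption (real JPEGs occasionally carry a few stray bytes after EOI).

```python
"""Added defensive example (not Sucuri's or Magento's code): a file-integrity
baseline diff plus a JPEG trailer check that flags images carrying data after
the End-Of-Image marker. All file names and image bytes are constructed."""
import hashlib
import tempfile
from pathlib import Path

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_image_end(data: bytes):
    """Walk the JPEG segment structure and return the offset just past the
    End-Of-Image marker, or None if the bytes are not a well-formed JPEG.
    Walking segments (instead of searching for the last FF D9) means an
    FF D9 pair inside appended data cannot hide the trailer."""
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker == 0x01 or 0xD0 <= marker <= SOI:   # standalone: TEM, RSTn, SOI
            continue
        if pos + 2 > n:
            return None
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # includes the 2 length bytes
        if seg_len < 2:
            return None
        pos += seg_len
        if marker == SOS:                       # skip entropy-coded data to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes appended after the image ends: 0 for a clean JPEG, -1 if not a JPEG."""
    end = jpeg_image_end(data)
    return -1 if end is None else len(data) - end


def sha256_tree(root: Path) -> dict:
    """Baseline: relative path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(before: dict, after: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k])}


def scan_images(root: Path, min_trailing: int = 16) -> list:
    """(relative path, trailing byte count) for JPEGs with appended data. The
    threshold is an assumption: tiny trailers are common in benign files."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in (".jpg", ".jpeg"):
            extra = jpeg_trailing_bytes(p.read_bytes())
            if extra >= min_trailing:
                hits.append((p.relative_to(root).as_posix(), extra))
    return hits


# Constructed minimal JPEG: SOI, empty APP0, SOS with a few entropy bytes (incl. FF 00 stuffing), EOI.
CLEAN_JPEG = b"\xff\xd8" + b"\xff\xe0\x00\x02" + b"\xff\xda\x00\x02" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
# Constructed tampered copy: the same image with opaque data appended after EOI, including a decoy FF D9.
APPENDED = b"constructed-placeholder-data:\xff\xd9:" + b"\x00" * 24
TAMPERED_JPEG = CLEAN_JPEG + APPENDED


def demo() -> dict:
    """Simulate a store web root before and after a compromise and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "media").mkdir()
        (root / "media" / "logo.jpg").write_bytes(CLEAN_JPEG)
        (root / "Helper.php").write_text("<?php // constructed placeholder\n")
        baseline = sha256_tree(root)
        # Later: an existing PHP file changes and a new image with a data trailer appears.
        (root / "Helper.php").write_text("<?php // constructed placeholder, now modified\n")
        (root / "media" / "cache.jpg").write_bytes(TAMPERED_JPEG)
        return {"diff": diff_baseline(baseline, sha256_tree(root)),
                "suspicious_images": scan_images(root)}


if __name__ == "__main__":
    print(demo())
```

Running the baseline diff on a schedule and alerting on any change under the web root is the integrity control Sucuri describes; the trailer check adds a content-level signal for the media directory, where new or rewritten image files would otherwise look like ordinary cache churn.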