Web Skimmer

We all know that there are many ingenious methods to steal money online, and one of the targets most sought after by hackers is online credit card data. Recently, the security firm Malwarebytes discovered a malicious campaign in which cybercriminals hid skimming code in the EXIF metadata of a favicon and secretly loaded it from the pages of compromised online portals.

On an unnamed compromised site, the security researchers found a copy of the skimmer’s source code and noticed that the usual “favicon.ico” file contained a script embedded inside its Copyright field.


Hidden Skimmer in EXIF Metadata

Security experts have explained that the web skimmer was found in the EXIF metadata of the file, which compromised online stores downloaded along with the WooCommerce plugin for WordPress, as the malicious code that loads the dangerous image had been added to a legitimate script on the store sites.

The experts traced the malicious activity to cddn[.]site, from which the malicious favicon was downloaded. The cybercriminals used favicons identical to those of the compromised stores, and the web skimmer was loaded from the Copyright field of the image metadata via the <img> tag.

What distinguishes this attack from other known attacks is that the script was not injected directly into the web code, but into the EXIF metadata of a web favicon.

Once the malicious JavaScript executed in a user’s browser, any credit card information entered during the purchase process was sent directly back to the attackers to do whatever they wanted with it. The hacker group that has been associated with this attack is known as “Magecart Group 9.”
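As an added defensive example (not code from the page or from Malwarebytes), the following Python parses IFD0 of a TIFF-structured EXIF blob, extracts its ASCII tags and flags any Copyright field whose text looks like script rather than a notice. It assumes the EXIF segment has already been carved out of the image container (a JPEG APP1 segment or the favicon file itself); the sample blobs and the marker list are constructed here.

```python
import re
import struct

# EXIF/TIFF tag id for the "Copyright" field and the ASCII field type
COPYRIGHT_TAG = 0x8298
ASCII_TYPE = 2
# Fragments that belong in script, not in a copyright notice (constructed list)
SCRIPT_MARKERS = re.compile(r"<script|eval\(|document\.|XMLHttpRequest|atob\(", re.I)

def parse_exif_ascii_tags(blob: bytes) -> dict:
    """Return {tag_id: text} for every ASCII-typed entry in IFD0 of a
    TIFF-structured EXIF blob (handles both 'II' and 'MM' byte orders)."""
    if blob[:2] == b"II":
        order = "<"
    elif blob[:2] == b"MM":
        order = ">"
    else:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd_offset = struct.unpack(order + "HI", blob[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(order + "H", blob[ifd_offset:ifd_offset + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd_offset + 2 + i * 12
        tag, typ, n, value = struct.unpack(order + "HHII", blob[entry:entry + 12])
        if typ != ASCII_TYPE:
            continue
        # values of 4 bytes or fewer live inline in the entry, longer ones at 'value'
        data = blob[entry + 8:entry + 8 + n] if n <= 4 else blob[value:value + n]
        tags[tag] = data.rstrip(b"\x00").decode("latin-1", "replace")
    return tags

def find_script_in_metadata(blob: bytes) -> list:
    """Return (tag_id, snippet) for each ASCII tag whose text looks like script."""
    return [(tag, text[:60]) for tag, text in parse_exif_ascii_tags(blob).items()
            if SCRIPT_MARKERS.search(text)]

def build_exif(copyright_text: bytes) -> bytes:
    """Constructed sample: little-endian TIFF header plus a one-entry IFD0
    holding a Copyright tag. Used only to produce offline test input."""
    header = b"II" + struct.pack("<HI", 42, 8)
    data_offset = 8 + 2 + 12 + 4          # header + count + entry + next-IFD link
    entry = struct.pack("<HHII", COPYRIGHT_TAG, ASCII_TYPE, len(copyright_text) + 1, data_offset)
    return header + struct.pack("<H", 1) + entry + struct.pack("<I", 0) + copyright_text + b"\x00"

# Constructed samples: an ordinary notice and a field carrying a script placeholder
BENIGN = build_exif(b"Copyright 2020 Example Store")
SUSPECT = build_exif(b"<script>/* constructed placeholder, not a real skimmer */</script>")
```

Calling find_script_in_metadata(SUSPECT) returns a single hit on tag 0x8298, while the benign sample returns an empty list; the same check can be run over every favicon and image an online store serves.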

Data Involved

During these events, the hackers stole the following data from the users’ compromised credit cards:

  • Card number
  • Card expiration date
  • Cardholder name
  • Billing address

The skimmer encodes the stolen information in Base64, expands the string, and transmits the data as an image file to a remote server controlled by the hackers using a POST request.

Right now, it is unclear whether the attackers use these stolen cards directly to make purchases or sell them on the Deep Web. Apart from this, the attack has another dangerous aspect: because the favicon was hosted on an external domain, the compromised website’s security summary will not raise any alerts.

The security expert @AffableKraut suggests that the skimmer can be associated with the cybercriminal group Magecart Group 9: the domain magentorates[.]com, which uses this EXIF metadata skimming technique, has the same Bulgarian hosting provider and was registered with the same registrar weeks after magerates[.]com, a domain previously associated with Magecart Group 9.

Apart from this, it is not the first time that a shopping-related WordPress plugin has been targeted by attackers. We strongly recommend that you review your security for any loophole or strange behavior from this plugin; since the plugin is popular, it is prone to this type of attack.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.