There are many ingenious methods for stealing money online, and credit card data remains one of the most sought-after targets for hackers. Recently, the security firm Malwarebytes discovered a malicious campaign in which cybercriminals hid skimming code in the EXIF metadata of a favicon file and loaded it covertly on the pages of compromised online stores.
On an unnamed compromised site, the researchers found a copy of the skimmer's source code and noticed that the seemingly ordinary "favicon.ico" file carried a script embedded in its Copyright metadata field.
Hidden Skimmer in EXIF Metadata
The researchers explained that the web skimmer was found in the EXIF metadata of an image file downloaded by compromised online stores running the WooCommerce plugin for WordPress; the code that fetched the malicious image had been injected into a legitimate script on the store sites.
The experts traced the malicious activity to the domain cddn[.]site, from which the malicious favicon was downloaded. The attackers' favicon was identical to the one used by the compromised stores, and the web skimmer was loaded from the Copyright field of the image's metadata via an <img> tag.
What distinguishes this attack from other known skimming attacks is that the script was not injected directly into the site's web code, but into the EXIF metadata of a web favicon.
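As an added defensive check, not part of the original report or of any Malwarebytes tooling, the following Python script parses the EXIF IFD0 of a JPEG (the ".ico" name is not trusted; only the file's magic bytes are) and flags a Copyright field that contains JavaScript-like tokens, which a store owner could run over every image the site serves. The function names, the token list and the sample files built by build_sample_jpeg are all constructed for this example.

```python
import struct

COPYRIGHT_TAG = 0x8298  # TIFF/EXIF "Copyright" tag, type ASCII
# Tokens that have no place in a copyright notice but are typical of inline JavaScript (constructed list).
SCRIPT_TOKENS = (b"eval(", b"atob(", b"document.", b"window.", b"XMLHttpRequest", b"<script", b"function(")


def exif_copyright(data: bytes):
    """Return the EXIF IFD0 Copyright value of a JPEG, or None if there is none."""
    if data[:2] != b"\xff\xd8":
        return None  # not a JPEG, whatever the file extension says
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # start of scan: no more metadata segments follow
            break
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = data[pos + 10:pos + 2 + seglen]  # TIFF header followed by the IFDs
            end = "<" if tiff[:2] == b"II" else ">"  # byte order of the TIFF block
            ifd = struct.unpack(end + "I", tiff[4:8])[0]
            count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                e = ifd + 2 + 12 * i
                tag, typ, n, val = struct.unpack(end + "HHI4s", tiff[e:e + 12])
                if tag == COPYRIGHT_TAG and typ == 2:  # ASCII entry
                    if n <= 4:  # values of up to 4 bytes are stored inline
                        return val[:n].rstrip(b"\x00")
                    off = struct.unpack(end + "I", val)[0]  # otherwise val is an offset
                    return tiff[off:off + n].rstrip(b"\x00")
            return None
        pos += 2 + seglen
    return None


def scan_image(data: bytes):
    """Return the script-like tokens found in the image's Copyright field (empty list = clean)."""
    field = exif_copyright(data) or b""
    return [t.decode() for t in SCRIPT_TOKENS if t in field]


def build_sample_jpeg(copyright_text: bytes) -> bytes:
    """Constructed fixture: a minimal JPEG with one EXIF APP1 segment holding a Copyright entry.
    Pass strings longer than 4 bytes; the value is always stored after the IFD, not inline."""
    value = copyright_text + b"\x00"
    value_off = 8 + 2 + 12 + 4  # TIFF header, entry count, one entry, next-IFD pointer
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1)
    tiff += struct.pack("<HHII", COPYRIGHT_TAG, 2, len(value), value_off) + struct.pack("<I", 0) + value
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A real deployment would feed scan_image the bytes of every favicon and image referenced by the store's pages, including those hosted on third-party domains, since the skimmer's own domain is exactly where a same-origin scan stops looking.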
Once loaded, the skimmer steals the following payment card data from users of the compromised stores:
- Card number
- Card expiration date
- Cardholder name
- Billing address
The skimmer encodes the stolen information in Base64, expands the string, and transmits the data disguised as an image file to a remote server controlled by the attackers via a POST request.
It is currently unclear whether the attackers use the stolen cards directly for purchases or sell them on the Deep Web. The attack has another dangerous aspect: because the favicon was hosted on an external domain, a security scan of the compromised website itself would not raise any alerts.
Security researcher @AffableKraut suggests the skimmer can be attributed to the cybercriminal group Magecart Group 9: the domain magentorates[.]com, which uses this EXIF metadata skimming technique, sits with the same Bulgarian hosting provider and was registered through the same registrar weeks after magerates[.]com, a domain previously associated with Magecart Group 9.
This is not the first time a shopping-related WordPress plugin has been targeted by attackers. We strongly recommend that site owners review their security for any loophole or unusual behavior involving this plugin; because it is so popular, it is a frequent target for attacks of this type.