Hackers Hide Skimming Software Behind Social Media Icons

✨ Megiddo

The new tactic lets attackers hide skimmers from security scanners that check for valid syntax.



Researchers at the Dutch company Sansec have discovered skimming malware that steals payment data and that cybercriminals hide in the most prominent place: the icons of popular social networks.

According to the researchers, attackers hide the payload in Share buttons disguised as Facebook, Twitter and Instagram icons. Skimming software is JavaScript code that Magecart groups inject into the order forms of compromised e-commerce sites. Once uploaded to a compromised site, the script automatically steals the payment and personal information that users enter and transfers it to servers controlled by the attackers.

The payment-data-stealing malware uses a double payload structure: the source code of the skimmer script is hidden in a social media share icon loaded as an HTML svg element, with a path element as the container.

The syntax that disguises the skimmer source code as a social media button perfectly mimics an svg element, and the elements are named after social media platforms (e.g. facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full). A separate decoder deployed on the server of the e-commerce site is used to extract and execute the code.

This tactic increases the cybercriminals' chances of evading detection. Even if one of the two components of the malware is identified, its true purpose may elude a cursory analysis, since the decoder will not necessarily be stored in the same location as the payload.

This is not the first time that attackers have used skimmers hidden by steganography. However, it is the first time that malware lurks in a "perfectly valid image," the researchers note.

“As a result, security scanners can no longer find malware simply by checking for valid syntax,” Sansec explained.
__________________
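One way a scanner can go a level deeper than markup validity, shown as an added example (not Sansec's code and not taken from the malware): it parses the page and checks that each path inside an svg really holds SVG path data. It assumes the hidden content does not itself parse as path data, which the article does not state; the function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

ARITY = {"M": 2, "L": 2, "T": 2, "H": 1, "V": 1, "C": 6, "S": 4, "Q": 4, "Z": 0, "A": None}
TOKEN = re.compile(r"[A-Za-z]|[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?")

def path_data_problem(d):
    """Return None if d parses as SVG path data, else a reason (arc counts unchecked)."""
    if TOKEN.sub("", d).strip(", \t\r\n"):
        return "contains text that is not path data"
    tokens = TOKEN.findall(d)
    if not tokens or tokens[0] not in ("M", "m"):
        return "does not start with a moveto command"
    cmd, argc = None, 0
    for tok in tokens + ["Z"]:  # trailing sentinel flushes the final command
        if not tok.isalpha():
            argc += 1
        elif tok.upper() not in ARITY:
            return f"unknown command '{tok}'"
        else:
            need = ARITY[cmd.upper()] if cmd else None
            if need is not None and (argc != 0 if need == 0 else argc == 0 or argc % need):
                return f"wrong argument count for '{cmd}'"
            cmd, argc = tok, 0
    return None

class SvgIconAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_ids, self.findings = [], []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "svg":
            self.svg_ids.append(attrs.get("id") or "(no id)")
        elif tag == "path" and self.svg_ids and attrs.get("d"):
            if reason := path_data_problem(attrs["d"]):
                self.findings.append((self.svg_ids[-1], reason))
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_ids:
            self.svg_ids.pop()

def audit_svg_icons(html):
    auditor = SvgIconAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: one clean icon, one whose path carries a harmless placeholder.
SAMPLE_HTML = '''<svg id="twitter_full"><path d="M4 4L20 4L20 20L4 20Z"/></svg>
<svg id="facebook_full"><path d="M4 4L20 20 #PLACEHOLDER#"/></svg>'''
```

A finding here is a reason to inspect the element by hand, not proof of a skimmer, and a clean result says nothing about a decoder stored elsewhere on the site.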
 
