Sanguine Security analysts discovered that attackers are using steganography to hide MageCart skimmers inside buttons designed to share content on social media.
Let me remind you that the name MageCart originally referred to a single hacking group, the first to inject web skimmers (malicious JavaScript) into online store pages to steal bank card data. The approach proved so successful that the group soon had numerous imitators; MageCart became a household name and is now applied to the whole class of such attacks.
Steganography means hiding information within another format (for example, text within images, images within videos, and so on).
Web skimmer operators have followed this trend too, hiding their malicious code in website logos, product images, or the favicon of compromised sites.
Now Sanguine Security reports that the new attacks hide malicious code in SVG files rather than PNG or JPG files, most likely because security products have recently become better at detecting skimmers in ordinary raster images.
In theory, malicious code should be easier to detect in vector images, since SVG is text rather than pixel data. However, the researchers write that the attackers designed their payload with this in mind.
According to the experts, the attackers tested this technique back in June, and it was found on live e-commerce sites in September, with malicious payloads hidden inside buttons designed to share content on social networks (Google, Facebook, Twitter, Instagram, YouTube, Pinterest, etc.).
In infected stores, as soon as a user reached the checkout page, a secondary component (called a decoder) read the malicious code hidden inside the social media icons and then loaded a keylogger that captured and stole bank card details from the checkout form.
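Because SVG is plain XML, a defender can triage icon files the way the article describes them being abused: an image used as a share button has no reason to contain a script element, event-handler attributes, javascript: URLs, or long opaque strings that a separate decoder could read back. The following scanner is an added example written for this article, not code from Sanguine Security or from the campaign; the two SVG samples are constructed here for illustration, and the heuristics (the element and attribute names it flags, and the 64-character threshold for "opaque" strings) are the author's assumptions, not a published signature.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a plain social-media icon with nothing but geometry.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2a10 10 0 1 0 0 20 10 10 0 0 0 0-20z"/>
</svg>"""

# Constructed sample: the same icon carrying an inline <script> element and a
# long opaque string in a data attribute, the kind of content an icon never needs.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2a10 10 0 1 0 0 20 10 10 0 0 0 0-20z"/>
  <script>/* placeholder: any inline script inside an icon is a finding */</script>
  <g data-x="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk="/>
</svg>"""

# Elements that execute or embed foreign content; an icon should contain neither.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes that legitimately hold long runs of letters and digits (path data).
GEOMETRY_ATTRS = {"d", "points"}
# Assumed threshold: 64+ consecutive base64/URL-safe characters is "opaque".
OPAQUE_BLOB = re.compile(r"[A-Za-z0-9+/=_-]{64,}")


def local_name(qualified):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of human-readable findings for one SVG document.

    An empty list means nothing suspicious was seen; the file is not
    thereby proven clean, it just has none of the markers checked here.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that fails to parse is itself worth a manual look.
        return [f"unparseable SVG ({exc}); treat as suspicious"]

    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element present")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
            if aname not in GEOMETRY_ATTRS and OPAQUE_BLOB.search(value):
                findings.append(f"long opaque string in attribute {aname} on <{name}>")
        # Text nodes (inside <script>, <desc>, <metadata>, ...) can carry payloads too.
        text = (el.text or "") + (el.tail or "")
        if OPAQUE_BLOB.search(text):
            findings.append(f"long opaque string in text of <{name}>")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(sample) or "no findings")
```

The geometry exclusion matters in practice: minified path data is a long run of letters and digits and would otherwise trip the opaque-string rule on every icon, so the check is tuned to flag strings where an icon has no structural reason to have them. Run it over a store's static asset directory and review anything that returns findings, bearing in mind that the decoder component the article describes lives in separate JavaScript, so the SVG scan should be paired with a review of scripts loaded on the checkout page.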
I wrote about what might come next in, for example, the note: Magecart groups extract stolen card data via Telegram.