Stolen Credit Card Data Hidden in Images by Magecart Hackers for Vague Exfiltration

 

pexels markus spiske 10894382B252832529
Magecart-affiliated cybercriminals have adopted a new approach for obfuscating malware code within comment blocks and embedding stolen credit card data into pictures and other files stored on the site, illustrating how attackers are always upgrading their infection chains to avoid detection. 
Sucuri Security Analyst, Ben Martin, stated in a write-up, “One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion. These can later be downloaded using a simple GET request at a later date.” 
Magecart is an umbrella name for several gangs of hackers that attack e-commerce websites intending to steal credit card data and sell them on the black market by injecting malicious JavaScript skimmers. 
Sucuri connected the assault to Magecart Group 7 based on similarities in the threat actor’s techniques, methods, and practices (TTPs). The skimmer was located in one of the PHP files involved in the checkout process in the form of a Base64-encoded compressed string in one instance of a Magento e-commerce website infection analyzed by the GoDaddy-owned security business. 
Furthermore, the attackers are claimed to have utilized a method known as concatenation, in which the code was merged with extra comment portions that “does not functionally do anything but adds a layer of obfuscation making it more difficult to detect.” 
The attacks’ ultimate objective is to collect customers’ payment card information in real-time on the hacked website, which is then stored to a fake style sheet file (.CSS) on the server and then downloaded by the threat actor via a GET request. 
Martin added, “Magecart is an ever-growing threat to e-commerce websites. From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn’t they? Literal fortunes are made [by] stealing and selling stolen credit cards on the black market.”

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source