Hackers are hiding credit card skimmers in online images

Shawn Knight

Posts: 12,316   +120
Staff member
The big picture: Security researchers with Malwarebytes recently unmasked a clever tactic being used by hackers to steal credit card data from an online store created with WordPress, a popular content management system. Using images for nefarious purposes is not new, although Malwarebytes said this is the first time it has seen a credit card skimmer used in this sort of attack.

At the onset of its investigation, Malwarebytes’ threat analysis team thought it might be another case of a credit card skimmer masquerading as a favicon, but further digging uncovered something entirely different.

Rather than hiding malicious code used to steal credit card information in a website’s favicon, the hackers had embedded it within the metadata of an image file which then gets covertly loaded by a compromised online store.

EXIF, short for Exchangeable Image File Format, is metadata that is often associated with a digital image. It is used to convey useful information about a photo, such as the camera settings and hardware that was used to create it.

In this instance, researchers found that hackers were using the copyright metadata field to load JavaScript. Once activated, the skimmer grabs data from the input fields of an online store where shoppers key in their name, billing address and payment card details.

In an interesting twist, the collected data is then loaded back into an image file for the hacker to collect. This and other steps are likely performed to reduce the chances of the attack raising suspicion.

Permalink to story.

 

Squid Surprise

Posts: 3,152   +2,057
It's still needed. Some JavaScript obfuscation uses it.
It's executing a command in a picture file; that is unacceptable.
A picture should simply be a picture.
No it isn't... there are plenty of other ways to do the same thing - window.function() for instance - that don't elevate privileges unnecessarily...

Read

for more info...
 

Eldritch

Posts: 209   +233
It is surprising but still on par. Anyone who has had experience with WordPress will tell you that the tradeoff for easy design is security.

Most WordPress sites use several plugins and they don't know fully how their own site operates. Heck, even several plugin developers are not fully aware of how their own plugin works, and copy/paste/steal of code is rampant. Trust me, WordPress sites leak like a sieve.

We hear so much news about Android security problems, but WordPress sites and plugins mostly get a free pass somehow.
 

Jerry in WA

Posts: 73   +62
Does anyone know of any examples of sites that use WordPress? Or how you would know you were on one of those sites?

I presume most of our well-known, massive websites are not the issue here. But if you shop through, say, Google, for low prices, some pretty odd stuff pops up. Dark corners of the internet that I would be quite leery of sharing my credit card information with.
 

Eldritch

Posts: 209   +233
Does anyone know of any examples of sites that use WordPress? Or how you would know you were on one of those sites?

I presume most of our well-known, massive websites are not the issue here. But if you shop through, say, Google, for low prices, some pretty odd stuff pops up. Dark corners of the internet that I would be quite leery of sharing my credit card information with.
Try using isitwp.com to detect WordPress and yes, always (whether WP or not) use an alternate bank account with a low balance for online shopping.
 

TheFootPerson

Posts: 9   +4
Try using isitwp.com to detect WordPress and yes, always (whether WP or not) use an alternate bank account with a low balance for online shopping.
Wouldn't using PayPal be a safer alternative, as opposed to making another bank account? These sites in question, I understand, would still have our name and such.
 

jobeard

Posts: 13,868   +1,756
Anyone who has had experience with WordPress will tell you that the tradeoff for easy design is security.
Also, WP has a massive performance impact by including far too many library files which few WP users are even aware of. I complained to one developer who insisted that he only included three files (but he didn't see or care about the 20-some nested includes). CAVEAT EMPTOR
 