Hackers are hiding credit card skimmers in online images

Shawn Knight

Shawn Knight

Posts: 15,287   +192
Staff member
The big picture: Security researchers with Malwarebytes recently unmasked a clever tactic being used by hackers to steal credit card data from an online store created with WordPress, a popular content management system. Using images for nefarious purposes is not new although Malwarebytes said this is the first time they’ve seen a credit card skimmer used in this sort of attack.

At the onset of its investigation, Malwarebytes’ threat analysis team thought it might be another case of a credit card skimmer masquerading as a favicon but further digging uncovered something entirely different.

Rather than hiding malicious code used to steal credit card information in a website’s favicon, the hackers had embedded it within the metadata of an image file which then gets covertly loaded by a compromised online store.

EXIF, short for Exchangeable Image File Format, is metadata that is often associated with a digital image. It is used to convey useful information about a photo, such as the camera settings and hardware that was used to create it.

In this instance, researchers found that hackers were using the copyright metadata field to load JavaScript. Once activated, the skimmer grabs data from the input fields of an online store where shoppers key in their name, billing address and payment card details.

In an interesting twist, the collected data is then loaded back into an image file for the hacker to collect. This and other steps are likely performed to reduce the chances of the attack raising suspicion.

Permalink to story.

https://www.techspot.com/news/85794-hackers-hiding-credit-card-skimmers-online-images.html

 
zamroni111 said:
It's still needed. Some JavaScript obfuscation use it.
It's executing command in picture file that is unacceptable.
Picture should be simply picture.
Click to expand...
No it isn't... there are plenty of other ways to do the same thing - window.function() for instance - that don't elevate privileges unnecessarily...

Read
developer.mozilla.org

eval() - JavaScript | MDN

The eval() function evaluates JavaScript code represented as a string and returns its completion value. The source is parsed as a script.
developer.mozilla.org developer.mozilla.org

for more info...
 
It is surprising but still at par. Anyone who has had experience with wordpress will tell you that the tradeoff for easy design is security.

Most wordpress sites use several plugins and they don't know fully how their own site operates. Heck, even several plugin developers are not fully aware how their own plugin works and copy/paste/steal of code is rampant. Trust me, wordpress sites leak like a sieve.

We hear so many news about android security problems but wordpress sites and plugins mostly get a free pass somehow.
 
  • Like
Reactions: Jerry in WA and Freddie159
Does anyone know of any examples of sites that use wordpress? Or how you would know you were on one of those sites?

I presume most of our well known, massive websites, are not the issue here. But if you shop through, say, google, for low prices, some pretty odd stuff pops up. Dark corners of the internet that I would be quite leery in sharing my credit card information.
 
Jerry in WA said:
Does anyone know of any examples of sites that use wordpress? Or how you would know you were on one of those sites?

I presume most of our well known, massive websites, are not the issue here. But if you shop through, say, google, for low prices, some pretty odd stuff pops up. Dark corners of the internet that I would be quite leery in sharing my credit card information.
Click to expand...
Try using isitwp.com to detect wordpress and yes, always (whether WP or not) use an alternate bank account with low balance for online shopping.
 
Eldritch said:
Try using isitwp.com to detect wordpress and yes, always (whether WP or not) use an alternate bank account with low balance for online shopping.
Click to expand...
Wouldn't using PayPal be a safer alternative, as supposed to making a other bank account? These sites in question I understand would still have our name and such.
 
Eldritch said:
Anyone who has had experience with wordpress will tell you that the tradeoff for easy design is security.
Click to expand...
also WP has massive performance impact by including far too many library files which few WP users are even aware of. I complained to one developer who insisted that he only included three files (but he didn't see or care about the 20 some nested includes). CAVEAT EMPTOR
 
  • Like
Reactions: Eldritch
You must log in or register to reply here.

Similar threads

Daniel Sims
Google's new AI tool can turn images into playable mini-games
Replies
2
Views
180
VaRmeNsI
V
midian182
FCC aims to outlaw AI voices in robocalls after fake Biden message
Replies
14
Views
343
Endymio
Endymio
midian182
Ring subscription price hike: Basic plan jumps to $5 a month, no extra features
Replies
6
Views
231
Axeia
Axeia

Latest posts

Back