Cybercriminals Adopt Steganography-based Credit Card Skimmer to Steal Payment Card Details


  • The web crawlers and scanners mostly concentrate on HTML and JavaScript files and often ignore media files.
  • Threat actors use WebSockets, which provide a more covert way to exchange data than typical HTTP request-response traffic.

Steganography has long been used by malware authors to hide malicious data inside legitimate-looking images; now cybercriminals are using it to spread credit card skimmers.

What is the matter?

According to a report from Malwarebytes Labs, a new steganography-based credit card skimmer has been spotted that targets online retail shops.

To the naked eye, the image looks like the typical free-shipping ribbon commonly seen on shopping sites. A closer look at the file, however, reveals JavaScript code appended immediately after the end-of-file marker.

Researchers further noted that “All compromised sites we found using a steganographic skimmer were injected with similar code snippets (typically after the footer element or Google Tag Manager) to load the fake image and parse its JavaScript content via the slice() method.”

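As an added illustration (not code from the Malwarebytes report or this article), the following Python check looks for bytes appended after an image's end-of-image marker, which is where the skimmer described above hides its JavaScript. It handles JPEG and PNG only, and the sample images and the appended snippet are constructed here for the demonstration.

```python
"""Heuristic check for data trailing an image's end-of-file marker."""
import re
from typing import Optional

# Terminators we know how to locate (assumption: only JPEG and PNG are handled).
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"  # IEND chunk type plus its fixed CRC

# Tokens that suggest the trailing bytes are script rather than harmless padding.
JS_HINTS = re.compile(rb"(function\s*\(|=>|document\.|window\.|eval\(|WebSocket|\.slice\()")


def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return everything after the image terminator, or None for unknown formats."""
    if data.startswith(JPEG_SOI):
        # rfind: embedded EXIF thumbnails carry their own EOI, and a textual
        # payload (ASCII/UTF-8) never contains the byte 0xFF, so the last EOI
        # is the real end of the picture.
        idx = data.rfind(JPEG_EOI)
        return data[idx + len(JPEG_EOI):] if idx != -1 else None
    if data.startswith(PNG_SIG):
        idx = data.find(PNG_IEND)
        return data[idx + len(PNG_IEND):] if idx != -1 else None
    return None


def inspect_image(data: bytes) -> dict:
    """Flag images with trailing data; mark whether that data resembles JavaScript."""
    tail = trailing_bytes(data)
    if not tail:
        return {"suspicious": False, "trailing_len": 0, "looks_like_js": False}
    return {
        "suspicious": True,
        "trailing_len": len(tail),
        "looks_like_js": bool(JS_HINTS.search(tail)),
    }


# Constructed samples: a minimal JPEG-like and PNG-like byte string, each with
# and without a script stub appended after the terminator.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0" + b"\x00" * 16 + JPEG_EOI
CLEAN_PNG = PNG_SIG + b"\x00" * 4 + PNG_IEND
STUB = b"(function(){var ws=new WebSocket('wss://example.invalid/');})();"
SKIMMER_JPEG = CLEAN_JPEG + STUB
SKIMMER_PNG = CLEAN_PNG + STUB

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("ribbon.jpg", SKIMMER_JPEG),
                       ("clean.png", CLEAN_PNG), ("ribbon.png", SKIMMER_PNG)]:
        print(name, inspect_image(blob))
```

Running it over a web root's image directory, rather than the constructed samples, is the practical use: any hit with `looks_like_js` set deserves a manual look at the bytes after the marker.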

An interesting twist

Researchers also noted that the threat actors use WebSockets, which provide a more covert way to exchange data than typical HTTP request-response traffic.

“The attackers do need to load a new WebSocket and that can be detected in the DOM. However, they were clever to obfuscate the code nicely enough that it completely blends in,” researchers explain.

The goal is to conceal a connection to a server controlled by the criminals over a WebSocket.

A handshake is enough to steal data

When the malicious JavaScript code runs in the browser, it triggers a client handshake request. Once the connection is established, a series of bidirectional messages are exchanged between the victim's browser and the malicious host. These messages also carry the credit card skimming code.
