As the holiday season approaches, people need to be even more vigilant when shopping online, and also when sharing their purchases with friends on social media. Researchers have found a new malware campaign that hides Magecart skimmers behind legitimate-looking social media buttons.
Magecart Skimmers Exploiting Social Media Buttons
Dutch cybersecurity firm Sansec has recently caught a card skimmer campaign in the wild. As elaborated in their blog post, the new campaign hides Magecart skimmers behind social media buttons to evade detection.
The attack strategy makes use of steganography – a technique involving the concealment of information inside images. In cyber attacks, threat actors hide malicious code behind seemingly harmless images to trick users.
The Sansec team noticed threat actors using steganography to hide Magecart skimmers behind images impersonating social media icons. As observed, the first part of the attack involves specific SVG files that include a malicious payload.
The malicious payload assumes the form of an html <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element. To complete the illusion of the image being benign, the malware’s creator has named it after a trusted social media company.
The second part of the attack is a decoder that executes the payload.
The trickiest feature of this attack strategy is that the attackers can place the two components in different places on a website. This makes it difficult to detect both components and recognize that a skimmer is present. Even when the strange SVG elements are detected, it is difficult to figure out their purpose.
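One way to triage the first component described above is to audit every <path> element in a page's source and flag those that do not look like plain icon geometry. This is an added example, not code from Sansec or the original article; the attribute allow-list, the size threshold, and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Characters that may legally appear in SVG path data: command letters,
# digits, exponent markers, signs, dots, commas and whitespace.
PATH_DATA = re.compile(r"[MmLlHhVvCcSsQqTtAaZz0-9eE\s,.+\-]*")
# Assumed allow-list of attributes for a plain icon <path>; tune per site.
EXPECTED_ATTRS = {"d", "fill", "fill-rule", "clip-rule", "stroke",
                  "stroke-width", "transform", "class", "id", "style"}
MAX_VALUE_LEN = 4000  # assumed size threshold for a single attribute value


class PathAuditor(HTMLParser):
    """Collects (line, attribute, reason) for every odd-looking <path>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing <path .../> tags.
        if tag != "path":
            return
        line = self.getpos()[0]
        for name, value in attrs:
            value = value or ""
            if name not in EXPECTED_ATTRS:
                self.findings.append((line, name, "unexpected attribute"))
            elif name == "d" and not PATH_DATA.fullmatch(value):
                self.findings.append((line, name, "not path data"))
            elif len(value) > MAX_VALUE_LEN:
                self.findings.append((line, name, "oversized value"))


def audit_paths(html):
    """Return the findings for all <path> elements in an HTML document."""
    auditor = PathAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one ordinary icon and one <path> carrying inert
# placeholder text where path data should be.
SAMPLE = """<html><body>
<svg viewBox="0 0 24 24"><path fill="#000" d="M12 2C6.5 2 2 6.5 2 12s4.5 10 10 10z"/></svg>
<svg viewBox="0 0 24 24"><path d="M0 0L1 1 CONSTRUCTED;PLACEHOLDER" data-x="1"/></svg>
</body></html>"""
```

The character check is not a full path-grammar parser, so content written entirely in valid path characters would only surface through the size threshold. Because the decoder can live elsewhere on the site, a finding here is a prompt to review the page's scripts, not proof of a skimmer.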
The researchers first noticed similar malware in June 2020. However, the attack maintained a low profile: of the 9 websites detected, only 1 was infected with functional malware (both components).
Hence, they suspect the initial campaign to be a test case leading to a functional campaign that began in September 2020.
Since the malware is already in the wild, all users should follow safety tips while shopping online.