Continuing with their invasive strategies, the e-commerce predator Magecart has developed another malicious feature. As observed, the latest Magecart skimmer evades detection by hiding stolen data in JPG image files.
Magecart Hiding Stolen Data In JPG Files
Researchers from Sucuri have observed new Magecart skimmer that has adopted a new evasive strategy. As elaborated in their post, they found Magecart skimmer active on Magento 2 websites hiding stolen data in JPG files. The researchers noticed the malicious code injected into the checkout page where it captured POST request data from the customers. The same code also created .jpg files to which it then stored the stolen information. The… PHP code was found injected to the file ./vendor/magento/module-customer/Model/Session.php.
To load the rest of the malicious code onto the compromised environment, the getAuthenticates function is created and called. The code also creates the image file (pub/media/tmp/design/file/default_luma_logo.jpg), which it uses to store any captured data. In this way, the malware strived to stay under the radar. Whereas, it also gave the attackers the convenience of downloading the stolen information whenever feasible. As for the target details, the malware steals almost every detail that a user provides on the checkout page. This includes customers’ names, complete addresses, payment card details, phone numbers, and user agent details.
Any Mitigations?
The recent Magecart attack strategy looks pretty sneaky and different to grab attention. Given that it’s active in the wild, website owners, particularly, the owners of online stores, need to remain vigilant for website security. Otherwise, the existence of such skimmers on their sites will not only harm their customers but will also ruin the store’s reputation. Despite being sneaky, it isn’t entirely impossible to spot though. According to the researchers, the site owners should employ integrity control checks and website monitoring services to detect malicious changes.
Attribution link: https://latesthackingnews.com/2021/03/22/magecart-skimmer-attacks-sites-whilst-hiding-stolen-data-in-jpg-files/