Hackers hide stolen payment-card data inside website product images
Attacks that compromise online shops to skim payment card details are increasing and growing in sophistication. The latest technique involves hiding malicious code and stolen data inside legitimate files.
A Dutch researcher reported last week that almost 6,000 online shops, most of them built with the Magento content management system, have malicious code that intercepts and steals payment card data during online transactions. The online storefront of the U.S. National Republican Senatorial Committee (NRSC) was among those websites until earlier this month.
His research also showed that in many cases these compromises go undetected for up to a year. This has to do with the poor understanding of the problem by webmasters who believe that if their sites use HTTPS or a third-party payment processor the customer data is safe. Another factor is hackers’ efforts to hide their trails.
Researchers from web security firm Sucuri recently investigated an online shop compromise that wasn’t detected by automated scans. On manual investigation, they noticed that one of the site’s core files, called Cc.php, had recently been modified.
When analyzing the file, they found malicious code designed to steal payment card data and store it inside an image file. This technique of hiding data inside files with unsuspicious extensions, such as image files, is not new and is intended to avoid detection.
While these files masquerade as images, they are not typically functional, but this wasn’t the case in the Magento hack investigated by Sucuri. The file in which the stolen payment card details were stored was actually a legitimate image depicting one of the products sold on the website.
The stolen data was appended at the end, after the image data, keeping the original image intact and viewable in a browser. This method is known as steganography and is even harder to detect than some other ways of hiding data.
“To obtain the stolen numbers, the attacker would not even have to maintain access to the site,” Sucuri researcher Ben Martin said in a blog post. “The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.”
Sucuri found the same online card swiper infection on other websites, most of them from the U.S., but also from countries like Japan, Turkey, and Saudi Arabia. This means these attacks don’t focus on a single country or region.
Companies who run their own online shops should monitor the integrity of their websites and investigate any suspicious modifications of existing files. Unlike other website hacks, these online skimming attacks don’t generate any errors or messages that users can report back to the website owner. They simply work silently in the background.