Magecart Attackers Find New Ways to Remain Hidden
Researchers from Sucuri have discovered a new technique Magecart attackers use to hide their activity: storing credit-card data skimmed online in a .JPG file on a website they have injected with malicious code.
Sucuri researchers discovered this tactic while investigating a compromised website running the open-source e-commerce platform Magento 2. On closer inspection, they found a malicious injection capturing POST request data from site visitors. The injection was located on the checkout page and encoded the captured data before saving it to a .JPG file.
Specifically, Sucuri found that attackers injected PHP code into the file ./vendor/magento/module-customer/Model/Session.php and then used the “getAuthenticates” function to load the malicious code, researchers said. The code also created a .JPG file, which attackers used to store any data captured from the compromised site.
The campaign also leveraged the Magento code framework itself to harvest the data that was captured and hidden in the .JPG file, Leal explained. The malicious PHP code relied on the Magento function “getPostValue” to capture the checkout page data within the “Customer_” POST parameter.
It also used the Magento function “isLoggedIn” to check whether the victim was logged into the site as a user; if so, the attackers also lifted the user’s email address from the transaction.
Once attackers get their hands on customer payment data, they can use it for various criminal activities, such as credit-card fraud or targeted e-mail spam and phishing campaigns.
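As an added defender-side check (example code, not Sucuri’s or Magento’s), the following Python script walks a web root for files that carry an image extension but lack an image signature and instead hold base64 or PHP text, which is the shape of the fake .JPG dropbox described above. The directory layout, file names and file contents in the demo are constructed sample data.

```python
import base64
import os
import re
import tempfile

JPEG_SOI = b"\xff\xd8\xff"  # genuine JPEGs start with this marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"
GIF_SIGS = (b"GIF87a", b"GIF89a")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

def looks_like_image(head: bytes) -> bool:
    return head.startswith((JPEG_SOI, PNG_SIG) + GIF_SIGS)

def classify(path: str):
    # Verdict for a file carrying an image extension, or None if it really is an image.
    with open(path, "rb") as f:
        data = f.read(4096)  # header plus enough body to judge the content
    if not data or looks_like_image(data):
        return None
    if b"<?php" in data:
        return "php-in-image"  # PHP source parked under an image name
    if B64_RE.match(data):
        return "base64-text"  # encoded text dropbox, the shape of the Sucuri case
    return "unknown-non-image"  # not an image and not obviously text: still worth review

def scan_webroot(root: str) -> dict:
    # Map each suspicious image-named file under root (relative path) to its verdict.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXT:
                continue
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
    return findings

def demo() -> dict:
    # Constructed web root: one genuine JPEG header and one fake .jpg whose body is
    # base64 text standing in for skimmed checkout fields (sample data, not real).
    root = tempfile.mkdtemp()
    media = os.path.join(root, "pub", "media")
    os.makedirs(media)
    with open(os.path.join(media, "logo.jpg"), "wb") as f:
        f.write(JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64)
    with open(os.path.join(media, "cache.jpg"), "wb") as f:
        f.write(base64.b64encode(b"field=constructed-sample&email=user@example.test\n"))
    return scan_webroot(root)
```

Any file it flags should be checked together with the PHP that writes to it, and the web server's access log will show whether the file was later fetched from outside.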