
Magecart’s New Evasive Technique Hides Stolen Credit Card Data into Images

Magecart attackers have been found encoding stolen credit card information into images to evade security detections


The cybercriminal group Magecart is notorious for evolving its attack techniques to evade security detection. Magecart consists of multiple subgroups that target e-commerce sites to steal users' credit card data and trade it on the dark web. In a typical Magecart attack, also known as web skimming or e-skimming, the attackers inject malicious JavaScript into the payment page of an e-commerce store to harvest payment card data.

Because it continually exploits users' online behavior, Magecart remains a serious threat to the industry. Recent research by Sucuri found that Magecart attackers have devised a novel technique: encoding stolen credit card information into image files and hiding the malware code in comment blocks to conceal their activity and evade security detection.

Researchers found malware variants in two image files on the server, which held a large amount of base64-encoded data. After decoding it, the researchers found credit card data in plain text: card numbers, expiration dates, CVV numbers, billing addresses, and other payment information. The attackers also concealed malware inside comment blocks, adding extra layers of encoding to evade detection. The tactics, techniques, and procedures (TTPs) seen in this activity are similar to those used by Magecart Group 7.
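As an added illustration of how a defender can hunt for this storage trick (example code written for this article, not Sucuri's own tooling): scan a file for long base64 runs, decode them, and test any embedded digit strings with the Luhn check that payment card numbers satisfy. The 64-character run threshold, the constructed sample image and the test card number are assumptions, and matches are masked before being reported.

```python
import base64
import re

# Runs of base64 alphabet long enough to be suspicious inside an image file.
# The 64-character threshold is an assumption; tune it for your environment.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
# 13 to 19 consecutive digits, not part of a longer digit string.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep only the first 6 and last 4 digits so findings can be logged safely."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_image_bytes(data: bytes) -> list:
    """Return masked PANs found inside base64 blobs embedded in a file."""
    findings = []
    for run in BASE64_RUN.finditer(data):
        body = run.group(0).rstrip(b"=")
        try:
            decoded = base64.b64decode(body + b"=" * (-len(body) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        for m in PAN_CANDIDATE.finditer(decoded):
            if luhn_ok(m.group(1)):
                findings.append(mask_pan(m.group(1)))
    return findings


# Constructed sample: a JPEG-like header followed by a base64 blob of the kind
# the article describes. The card number is a widely used test value, not real data.
RECORD = b'{"cc":"4111111111111111","exp":"12/25","cvv":"123","name":"Test User"}'
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + base64.b64encode(RECORD)

if __name__ == "__main__":
    print(scan_image_bytes(SAMPLE_IMAGE))  # prints ['411111******1111']
```

Run the scanner over every image and stylesheet under the web root and alert on any file that yields findings; a legitimate image should never decode to Luhn-valid card numbers.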

“With Magecart malware, the files infected need to be involved in the checkout process somehow to work. The attackers can’t just infect any random file; it has to handle payment information somehow. For this reason, we tend to see the same files get infected over and over again,” the researchers said.

Though newer hacking techniques have been introduced, the motive of the Magecart hackers remains the same – to obtain customers’ credit card details from the infected e-commerce site, save them to a fake .CSS style sheet on the server, and download them later by making a GET request.

Distributing Malicious PHP Web Shells

In the recent past, security experts from Malwarebytes found Magecart Group 12 targeting Magento online stores to pilfer customers’ sensitive information. The attackers distributed malicious PHP web shells, known as Smilodon or Megalodon, disguised as a favicon, to obtain remote access to the targeted servers.