Steganography, the practice of hiding malicious data within legitimate-looking files, has long been a tool for malware authors. Now, cybercriminals are actively using it to spread credit card skimmers.

What is the matter?

According to a report from Malwarebytes Lab, a new steganography-based credit card skimmer has been spotted that targets online retail shops.

To the naked eye, the malicious file looks like a typical "free shipping" ribbon commonly seen on e-commerce sites. However, a closer look reveals that JavaScript code has been appended to the image file.

Researchers further noted that, “All compromised sites we found using a steganographic skimmer were injected with similar code snippets…to load the fake image and parse its JavaScript content via the slice() method.”
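The skimmer described above works because an image decoder stops at the format's end marker and ignores whatever follows, while the loader script reads the whole file and cuts the appended JavaScript out with slice(). A defender can turn that asymmetry around and flag image assets that carry bytes past the end marker. The following Python script is an added example written for this article, not code from Malwarebytes or from the skimmer: it builds a constructed 1x1 PNG, locates the end of the image container (the IEND chunk for PNG, the EOI marker for JPEG, the trailer byte for GIF) and reports any trailing data that contains script-like markers. The marker list and the appended sample text are illustrative assumptions, not indicators from the report.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8"
GIF_SIGS = (b"GIF87a", b"GIF89a")

# Substrings a practitioner might look for in trailing data (assumed list, not from the report).
SCRIPT_MARKERS = (b"<script", b"function", b"document.", b"WebSocket", b"eval(", b"atob(")


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG, used as the 'clean' baseline."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff"))  # filter byte + one white pixel
    return PNG_SIG + ihdr + idat + chunk(b"IEND", b"")


def image_end_offset(data: bytes):
    """Return the offset just past the image container's end marker, or None if unknown."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            ctype = data[pos + 4:pos + 8]
            pos += 8 + length + 4          # length + type + payload + CRC
            if ctype == b"IEND":
                return pos
        return None                        # truncated or malformed PNG
    if data.startswith(JPEG_SIG):
        # Last FFD9 (EOI). Using the last one tolerates EXIF thumbnails that embed their own EOI.
        idx = data.rfind(b"\xff\xd9")
        return idx + 2 if idx != -1 else None
    if data.startswith(GIF_SIGS):
        idx = data.rfind(b"\x3b")          # GIF trailer byte
        return idx + 1 if idx != -1 else None
    return None


def scan_trailer(data: bytes) -> dict:
    """Report bytes after the image end marker and whether they look like script."""
    end = image_end_offset(data)
    if end is None:
        return {"parsed": False, "trailer_len": 0, "suspicious": False, "markers": []}
    trailer = data[end:]
    markers = [m.decode() for m in SCRIPT_MARKERS if m in trailer]
    return {"parsed": True, "trailer_len": len(trailer),
            "suspicious": bool(markers), "markers": markers}


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed tampered file: script text appended after IEND, mirroring the technique.
    tampered = clean + b"function skim(){var ws=new WebSocket('wss://example.invalid');}"
    print("clean:", scan_trailer(clean))
    print("tampered:", scan_trailer(tampered))
```

Run it over a site's image directory and any file reporting a non-zero trailer deserves a look; a non-empty trailer without script markers is not proof of compromise (some tools pad files), but one containing "function" or "WebSocket" is a strong signal worth comparing against the file in version control.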

An Interesting Twist

It was also noted that threat actors are using WebSockets specifically because they provide a more covert way to exchange data than typical HTTP request/response traffic.

“The attackers do need to load a new WebSocket and that can be detected in the DOM. However, they were clever to obfuscate the code nicely enough that it completely blends in,” researchers explain.

The goal is to conceal a connection to a server controlled by the criminals over a WebSocket. When the malicious JavaScript code runs, it triggers a handshake request. Once the connection is established, a series of bidirectional messages is exchanged, including the credit card skimming code.
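Because the covert channel is an outbound WebSocket opened by page script, the browser's Content Security Policy is one control that blocks it at the source: the connect-src directive governs WebSocket connections as well as fetch/XHR, so a policy that allows only the shop's own endpoints denies the handshake to an attacker's host before any skimming code arrives. The following Python function is an added example, not from the report or from any CSP library: it performs a simplified evaluation of a connect-src (falling back to default-src) allowlist so that a weak policy can be compared with a strict one. It implements only 'self', scheme sources such as wss:, and host sources with an optional leading wildcard and port; the hostnames and policies are constructed for the example.

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def _scheme_covers(src_scheme: str, url_scheme: str) -> bool:
    """Simplified scheme matching: an insecure scheme also covers its secure and WebSocket forms."""
    if src_scheme == url_scheme:
        return True
    if src_scheme in ("http", "ws"):
        return url_scheme in ("http", "https", "ws", "wss")
    if src_scheme in ("https", "wss"):
        return url_scheme in ("https", "wss")
    return False


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):            # *.shop.example matches api.shop.example, not shop.example
        return host.endswith(pattern[1:])
    return host == pattern


def _port_of(parts) -> int:
    return parts.port or _DEFAULT_PORT.get(parts.scheme)


def _source_matches(src: str, page, url) -> bool:
    src = src.lower()
    if src == "'self'":
        return (_scheme_covers(page.scheme, url.scheme)
                and page.hostname == url.hostname
                and _port_of(page) == _port_of(url))
    if src.startswith("'"):
        return False                        # 'none', nonces and hashes never match a connection URL
    if src.endswith(":") and "/" not in src:
        return _scheme_covers(src[:-1], url.scheme)   # scheme source, e.g. "wss:"
    if "://" not in src:
        src = page.scheme + "://" + src     # host source without scheme takes the page's scheme
    sp = urlsplit(src)
    if not _scheme_covers(sp.scheme, url.scheme) or not _host_matches(sp.hostname, url.hostname):
        return False
    if sp.port is not None:
        return sp.port == _port_of(url)
    return _port_of(url) == _DEFAULT_PORT.get(url.scheme)   # no port given: default port only


def connect_src_allows(policy: str, page_origin: str, url: str) -> bool:
    """Would this CSP let script on page_origin open a connection (e.g. a WebSocket) to url?"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("connect-src")
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True                         # no governing directive: CSP does not restrict it
    page, target = urlsplit(page_origin), urlsplit(url)
    return any(_source_matches(s, page, target) for s in sources)


# Constructed policies and hosts for the example.
WEAK_POLICY = "default-src 'self' https: wss:"                        # any wss:// host is allowed
STRICT_POLICY = "default-src 'self'; connect-src 'self' wss://api.shop.example"
PAGE = "https://shop.example"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, "allows attacker socket:",
              connect_src_allows(policy, PAGE, "wss://attacker.invalid/ws"))
```

The strict policy still permits the shop's own wss://api.shop.example endpoint and same-origin requests, so it costs nothing functionally; what changes is that an injected script's handshake to an unlisted host is refused by the browser and shows up as a CSP violation report, which is exactly the kind of signal a defender wants when the script itself has been obfuscated to blend in.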