Hackers planting data-capturing malware on websites face the problem of safely exfiltrating the information they collect, but according to security vendor Sucuri, one gang has found a new way: embed the data in a .JPG file.
The company made the discovery while investigating a compromised Magento 2 e-commerce website. A malicious injection on the checkout page was capturing POST request data from site visitors and saving it to a JPG file. This likely slips under the radar because websites have many images and a JPG being downloaded wouldn’t be seen as suspicious by infosec pros.
Here’s how it works: PHP code is injected into the Magento file ./vendor/magento/module-customer/Model/Session.php.
Then a getAuthenticates function is created and called. The code also creates the image file, which it uses to store any captured data. “This feature allows the attacker to easily access and download the stolen information at their convenience while concealing it within a seemingly benign .jpg,” Sucuri noted.
To successfully capture the POST data, the blog notes, the PHP code uses the Magento code framework. It relies on the Magento function getPostValue to capture the checkout page data within the Customer_ POST parameter.
Nearly all information submitted by a shopper on the checkout page is stored including full names and addresses, payment card details, telephone numbers, and user agent details.
“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites,” Sucuri noted in a blog post. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”
While this approach may make the infection difficult to initially spot, retailers that scan their websites for malware and suspicious activity or use code integrity control checks will have a much easier time detecting changes or additional new files in their environment, says Sucuri.
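The two checks Sucuri recommends, file integrity monitoring and looking for files that are not what their extension claims, can be scripted. The following is an added example, not code from Sucuri or Magento: it flags .jpg files that lack the JPEG start-of-image marker (a fake image holding text data fails this test) and compares a Magento file against a baseline hash. The directory tree, the baseline and the sample contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

JPEG_SOI = b"\xff\xd8\xff"  # every genuine JPEG file begins with this marker


def is_fake_jpg(path):
    """True when a *.jpg file does not start with the JPEG SOI marker."""
    with open(path, "rb") as fh:
        return fh.read(3) != JPEG_SOI


def find_fake_jpgs(root):
    """Collect .jpg/.jpeg files under root whose bytes are not JPEG data."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".jpg", ".jpeg")):
                full = os.path.join(dirpath, name)
                if is_fake_jpg(full):
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def changed_files(root, baseline):
    """Report files whose current hash differs from a baseline {relpath: sha256}."""
    return sorted(rel for rel, digest in baseline.items()
                  if sha256(os.path.join(root, rel)) != digest)


def demo():
    """Constructed web root: a real JPEG stub, a fake .jpg holding text,
    and a Session.php modified after the baseline; returns (fake, changed)."""
    root = tempfile.mkdtemp()
    model = os.path.join(root, "vendor", "magento", "module-customer", "Model")
    media = os.path.join(root, "pub", "media")
    os.makedirs(model)
    os.makedirs(media)
    php = os.path.join(model, "Session.php")
    with open(php, "wb") as fh:  # clean file, hashed into the baseline
        fh.write(b"<?php\nclass Session {}\n")
    baseline = {"vendor/magento/module-customer/Model/Session.php": sha256(php)}
    with open(php, "ab") as fh:  # simulated later modification (constructed)
        fh.write(b"// appended after baseline\n")
    with open(os.path.join(media, "logo.jpg"), "wb") as fh:
        fh.write(JPEG_SOI + b"\xe0demo")  # genuine JPEG header
    with open(os.path.join(media, "cache.jpg"), "wb") as fh:
        fh.write(b"constructed text, not image data\n")
    return find_fake_jpgs(root), changed_files(root, baseline)
```

Run against a real site root, the baseline would come from a known-good deployment (for example hashes recorded at install time), and any hit on either list warrants a manual look.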