Threat actor uses JPG files for exfiltrating credit card data

Hackers planting data-capturing malware on websites face a problem of safely exfiltrating information, but according to security vendor Surcuri, one gang has found a new way: Embed the data in a .JPG file.

The company made the discovery while investigating a compromised Magento 2 e-commerce website. A malicious injection on the checkout page was capturing POST request data from site visitors and saving it to a JPG file. This likely slips under the radar because websites have many images and a JPG being downloaded wouldn’t be seen as suspicious by infosec pros.

Here’s how it works: PHP code is injected into the Magento file ./vendor/magento/module-customer/Model/Session.php.

Then a getAuthenticates function is created and called. The code also creates the image file, which it uses to store any captured data. “This feature allows the attacker to easily access and download the stolen information at their convenience while concealing it within a seemingly benign .jpg,” Sucuri noted.

To successfully capture the POST data, the blog notes, the PHP code uses the Magento code framework. It relies on the Magento function getPostValue to capture the checkout page data within the Customer_ POST parameter.

Nearly all information submitted by a shopper on the checkout page is stored including full names and addresses, payment card details, telephone numbers, and user agent details.

“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites,” Sucuri noted in a blog. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”

While this approach may make the infection difficult to initially spot, retailers that scan their websites for malware and suspicious activity or use code integrity control checks will have a much easier time detecting changes or additional new files in their environment, says Sucuri.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now