Threat actor uses JPG files for exfiltrating credit card data

Hackers planting data-capturing malware on websites face a problem of safely exfiltrating information, but according to security vendor Surcuri, one gang has found a new way: Embed the data in a .JPG file.

The company made the discovery while investigating a compromised Magento 2 e-commerce website. A malicious injection on the checkout page was capturing POST request data from site visitors and saving it to a JPG file. This likely slips under the radar because websites have many images and a JPG being downloaded wouldn’t be seen as suspicious by infosec pros.

Here’s how it works: PHP code is injected into the Magento file ./vendor/magento/module-customer/Model/Session.php.

Then a getAuthenticates function is created and called. The code also creates the image file, which it uses to store any captured data. “This feature allows the attacker to easily access and download the stolen information at their convenience while concealing it within a seemingly benign .jpg,” Sucuri noted.

To successfully capture the POST data, the blog notes, the PHP code uses the Magento code framework. It relies on the Magento function getPostValue to capture the checkout page data within the Customer_ POST parameter.

Nearly all information submitted by a shopper on the checkout page is stored including full names and addresses, payment card details, telephone numbers, and user agent details.

“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites,” Sucuri noted in a blog. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”

While this approach may make the infection difficult to initially spot, retailers that scan their websites for malware and suspicious activity or use code integrity control checks will have a much easier time detecting changes or additional new files in their environment, says Sucuri.

Would you recommend this article?

+4
0

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News