
Magento card-swiping malware hides stolen card data in legitimate images

Security experts have spotted an interesting exfiltration technique adopted by crooks to exfiltrate card data from Magento platforms.

Security experts from Sucuri and RiskIQ have spotted an interesting exfiltration technique adopted by crooks to exfiltrate payment data from compromised e-commerce websites powered by the Magento platform.

Cybercriminals have been using image files to store and exfiltrate payment card data stolen from the target website. This last wave of attacks targeted over 100 online shops running on the Magento, Powerfront CMS and OpenCart e-commerce platforms.

Typically, attackers use card-swiping malware that steals credit card data from the Magento shop and exfiltrates it via email, or by storing the information in a file that is later retrieved by the hackers.

Experts noticed an interesting attack on Magento shops in which cybercriminals have used a malicious PHP file that dumps stolen data into an image file.

Similar exfiltration techniques are common; however, the attackers usually don’t use files containing real images to send out the information.

“This is not out of the ordinary. It is actually characteristic of a lot of the credit card swipers we have seen lately.” reads a blog post published by Sucuri.

“Attackers use image files as an obfuscation technique to hide stolen details from the website owner. The image file usually doesn’t contain a real image, however, no one really suspects an image file to contain malware. This gives the attacker a secret place to store data. If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack.”

In this specific case, the images used to store the payment card data are real and are related to the products offered for sale on the compromised website. This technique allows attackers to remain under the radar and avoid raising any suspicion.

The stolen data is appended to the end of the image file in clear text, and the file is publicly accessible. According to Sucuri, the majority of the stolen card data came from the United States, but the files also include data related to victims from Japan, Turkey, Saudi Arabia and Canada.

[Image: stolen card data appended to a Magento product image, viewed in a vim console]

“To obtain the stolen numbers the attacker would not even have to maintain access to the site. The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.” continues the post.
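As an added defensive check (not code from the Sucuri or RiskIQ research), the following Python scanner walks a JPEG or PNG to its true end marker and reports any Luhn-valid, card-sized digit runs appended after it, which is exactly where the post says the swiper hides the records. The sample files and card numbers are constructed here using standard industry test PANs.

```python
import re
import struct

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # card-number-sized digit runs

def image_end(data: bytes):
    """Offset just past the real image data, or None if not JPEG/PNG."""
    if data.startswith(JPEG_SOI):
        # JPEGs may embed thumbnails with their own EOI, so take the last one;
        # appended cleartext will not contain the 0xFFD9 byte pair.
        idx = data.rfind(JPEG_EOI)
        return None if idx < 0 else idx + 2
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):  # walk chunks: length, type, data, CRC
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length
            if ctype == b"IEND":
                return pos
    return None

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def suspicious_pans(data: bytes) -> list[str]:
    """Luhn-valid card-like numbers found after the image's end marker."""
    end = image_end(data)
    if end is None or end >= len(data):
        return []
    return [m.group().decode() for m in PAN_RE.finditer(data[end:])
            if luhn_ok(m.group().decode())]

# Constructed samples: a bare-minimum JPEG and PNG, each clean and each with a
# fake swiper record appended after the end marker (industry test PANs only).
CLEAN_JPEG = JPEG_SOI + JPEG_EOI
TAINTED_JPEG = CLEAN_JPEG + b"J Doe|4111111111111111|12/29|123\n"
CLEAN_PNG = PNG_SIG + struct.pack(">I4s", 0, b"IEND") + b"\xae\x42\x60\x82"
TAINTED_PNG = CLEAN_PNG + b"5555555555554444;01/30;999\n"

if __name__ == "__main__":
    print(suspicious_pans(TAINTED_JPEG), suspicious_pans(TAINTED_PNG))
```

Run it over a web root's image directories on a schedule; any hit on a product image is a strong indicator of the appended-dump technique described above.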

Sucuri invites owners of websites powered by Magento to keep their CMS up to date and apply all the latest patches.

It also advises website administrators to use complex passwords.


Pierluigi Paganini

(Security Affairs – Magento, hacking)