News

IT NEWS

Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection.

When we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had described in a previous blog. However, it turned out to be different and even more devious.

We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot.

During this research, we came across the source code for this skimmer which confirmed what we were seeing via client-side JavaScript. We also identified connections to other scripts based on various data points.

Skimmer hidden within EXIF metadata

The malicious code we detected was loaded from an online store running the WooCommerce plugin for WordPress. WooCommerce is increasingly being targeted by criminals, and for good reason, as it has a large market share.

hack
Figure 1: Malwarebytes showing a web block on a merchant site

Malwarebytes was already blocking a malicious domain called cddn[.]site that was triggered upon visiting this merchant’s website. Upon closer inspection we found that extraneous code had been appended to a legitimate script hosted by the merchant.

The offending code loads a favicon file from cddn[.]site/favicon.ico which turns out to be the same favicon used by the compromised store (a logo of their brand). This is an artifact of skimming code that’s been observed publicly and that we refer to as Google loop.

favicon loader
Figure 2: Legitimate JavaScript library injected with additional code

However, nothing else so far from this code indicates any kind of web skimming activity. All we have is JavaScript that loads a remote favicon file and appears to parse some data as well.

This is where things get interesting. We can see a field called ‘Copyright’ from which data is getting loaded. Attackers are using the Copyright metadata field of this image to load their web skimmer. Using an EXIF viewer, we can now see JavaScript code has been injected:

metadata
Figure 3: Metadata viewer revealing JavaScript code inside the Copyright tag

The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit car skimmer.

The presence of an eval is a sign that code is meant to be executed. We can also see that the malware authors have obfuscated it. An archive of this script can be found here.

obfu
Figure 4: A portion of the malicious JavaScript hidden inside the EXIF data

Skimmer exfiltrates data as an image

The initial malicious JavaScript (Figure 2) loads the skimming portion of the code from the favicon.ico (Figure 3) using an <img> tag, and specifically via the onerror event.

As with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their name, billing address and credit card details. It encodes those using Base64 and then reverses that string.

JS POST
Figure 5: Same code loaded via an img tag revealing how stolen data is exfiltrated

It comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen below:

stolen data
Figure 6: Example of a transaction that was grabbed by the skimmer

The threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file.

Skimmer toolkit found in the open

We were able to get a copy of the skimmer toolkit’s source code which was zipped and exposed in the open directory of a compromised site. The gate.php file (also included in the zip) contains the skimmer’s entire logic, while other files are used as supporting libraries.

PHP source
Figure 7: The skimmer toolkit, left on a hacked site and containing the PHP source files

This shows us how the favicon.ico file is crafted with the injected JavaScript inside of the Copyright field. There are some other interesting artifacts as well, such as the Cache HTTP header and Created date for the image.

EXIF PHP
Figure 8: PHP source showing how the EXIF data is injected

The JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library, in line with what we saw on the client-side.

wiseloop
Figure 9: WiseLoop PHP and JS obfuscator

Connections to other skimmers, Magecart group 9

Based on open source intelligence, we can find more details on how this skimmer may have evolved. An earlier version of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some obfuscation found in the more recent case we found, but the same core features, such as loading JavaScript via the Copyright field (metadata of an image file), exist.

maltego
Figure 10: Connecting skimmer domains and registrant emails

We also can connect this threat actor to another skimming script based on the registrant’s email (rotrnberg.s4715@gmail[.]com) for cddn[.]site. Two domains (cxizi[.]net and yzxi[.]net) share the same skimmer code which looks much more elaborate and does not appear to have much in common with the other two JavaScript pieces (archive here).

string ars
Figure 11: An artifact from the new skimmer

While debugging it, we can spot the string ‘ars’ within a URL path. That same string was seen being used in the first skimmer (see Figure), although it might very well just be a coincidence.

The data exfiltration is quite different too. While the content-type is an image again, this time we see a GET request where the stolen data is Base64 encoded only, and passed as a URL parameter instead.

metadata code
Figure 12: Data exfiltration for this more advanced skimmer

Finally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a domain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same registrar, and was registered within a week of magerates[.]com.

magecart metadata
Figure 13: A possible connection to Magecart group 9

Magerates[.]com is registered under newserf@mail.ru, which also has other skimmer domains, and in particular several used via another clever evasion technique in the form of WebSockets. This type of skimmer was tied to Magecart Group 9, originally disclosed by Yonathan Klijnsma .

Tracking digital skimmers is not an easy task these days, as there are many threat actors and countless variations of skimming scripts based off toolkits or that are completely custom.

We continue to track and report skimmers in an effort to protect online shoppers from this campaign and dozens of others.

Indicators of Compromise

EXIF skimmers

cddn[.]site
magentorates[.]com
pixasbay[.]com
lebs[.]site
bestcdnforbusiness[.]com
apilivechat[.]com
undecoveria[.]com
wosus[.]site

Older EXIF skimmer

jqueryanalise[.]xyz
jquery-analitycs[.]com

Skimmer #3

xciy[.]net
yxxi[.]net
cxizi[.]net
yzxi[.]net

Other skimmers

sonol[.]site
webtrans[.]site
koinweb[.]site
xoet[.]site
ads-fbstatistic[.]com
bizrateservices[.]com
towbarchat[.]com
teamsystems[.]info
j-queries[.]com

Registrant emails

anya.barber56@gmail[.]com
smithlatrice100@yahoo[.]com
rotrnberg.s4715@gmail[.]com
newserf@mail[.]ru

The post Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files appeared first on Malwarebytes Labs.