Strava Technologies (P) LTD
Steganography has long been used by malware authors to hide malicious data within legitimate-looking images and currently, it is being used by cybercriminals to spread credit card skimmers.
According to researchers a report, a new steganography-based credit card skimmer has been spotted that targets online retail shops.
To the naked eyes, the image looks like a typical free shipping ribbon that is commonly seen on shopping sites. However, a close look at the image reveals JavaScript code has been appended immediately after the end of the file marker.
Researchers further noted that “All compromised sites we found using a steganographic skimmer were injected with similar code snippets (typically after the footer element or Google Tag Manager) to load the fake image and parse its JavaScript content via the slice() method.” The web crawlers and scanners mostly concentrate on HTML and JavaScript files and often ignore media files.
It is also noted that threat actors are particularly using WebSockets to provide a more covert way to exchange data than typical HTTP request-responses.
“The attackers do need to load a new WebSocket and that can be detected in the DOM. However, they were clever to obfuscate the code nicely enough that it completely blends in,” researchers explain.
The goal is to conceal a connection to a server controlled by the criminals over a WebSocket. A handshake is enough to steal data.
When the malicious JavaScript code runs in the browser, it triggers a client handshake request. Once this is established, a series of bidirectional messages are exchanged between the victim’s browser and malicious host. These messages also include the credit card skimming code.
© 2021 Strava Technologies (P) Ltd. All rights reserved