![]() ![]() Attackers are using the Copyright metadata field of this image to load their web skimmer. We can see a field called 'Copyright' from which data is getting loaded. All we have is JavaScript that loads a remote favicon file and appears to parse some data as well. However, nothing else so far from this code indicates any kind of web skimming activity. Figure 2: Legitimate JavaScript library injected with additional code ![]() This is an artifact of skimming code that's been observed publicly and that we refer to as Google loop. The offending code loads a favicon file from cddnsite/favicon.ico which turns out to be the same favicon used by the compromised store (a logo of their brand). ![]() Upon closer inspection we found that extraneous code had been appended to a legitimate script hosted by the merchant. Malwarebytes was already blocking a malicious domain called cddnsite that was triggered upon visiting this merchant's website. WooCommerce is increasingly being targeted by criminals, and for good reason, as it has a large market share.įigure 1: Malwarebytes showing a web block on a merchant site The malicious code we detected was loaded from an online store running the WooCommerce plugin for WordPress. We also identified connections to other scripts based on various data points. Once again, criminals used the disguise of an image file to collect their loot.ĭuring this research, we came across the source code for this skimmer which confirmed what we were seeing via client-side JavaScript. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. ![]() However, it turned out to be different and even more devious. When we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had described in a previous blog. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection. They say a picture is worth a thousand words. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |