These types of attacks are called Magecart and have been used on websites for well-known companies such as Claire’s, Tupperware, Smith & Wesson, Macy’s, and British Airways.
Continually evolving to better steal your credit cards
In a new report by Malwarebytes, an online store using the WordPress WooCommerce plugin was found to be infected with a Magecart script that steals customers' credit cards.
What made this attack stand out was that the scripts used to capture data from payment forms were not added directly to the site but were contained in the EXIF data for a remote site’s favicon image.
"The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer," Malwarebytes' Jérôme Segura stated in the report.
When an image is created, its author can embed information such as who created it, details about the camera, copyright information, and even the location where the picture was taken.
This metadata is stored in the Exchangeable Image File Format (EXIF).
In this attack, the threat actors hacked a website and added what appears to be a simple script that inserts a remote favicon image and does some processing.
After further investigation, Malwarebytes discovered that this favicon, while appearing harmless, actually contained malicious JavaScript embedded in its EXIF data, as shown in the image below.
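The detection side of what the report describes can be checked offline: a favicon is just a file, and its EXIF text fields can be read and inspected for script-like content before the image is ever trusted by a page. The following Python script is an added example, not code from the Malwarebytes report, from the article, or from any affected site. It uses only the standard library, builds two constructed JPEG favicons (one with ordinary EXIF fields, one whose Copyright field carries a placeholder string with JavaScript-looking tokens), parses the APP1/Exif segment down to the ASCII entries of IFD0, and flags any field that looks like executable code. The tag numbers (0x013B Artist, 0x8298 Copyright) are standard TIFF/EXIF tags; the token list, file contents and function names are the example's own assumptions.

```python
import re
import struct

# Tokens that have no business appearing in an image's text metadata.
# Constructed heuristic for this example; tune it for your own environment.
SCRIPT_TOKENS = re.compile(
    r"(?:<script|function\s*\(|eval\s*\(|document\.|window\.|atob\s*\(|XMLHttpRequest|fetch\s*\()",
    re.IGNORECASE,
)

TAG_ARTIST = 0x013B      # standard TIFF/EXIF "Artist" tag
TAG_COPYRIGHT = 0x8298   # standard TIFF/EXIF "Copyright" tag


def build_jpeg_with_exif(ascii_tags):
    """Build a minimal JPEG (SOI, one APP1/Exif segment, EOI) whose IFD0 holds the
    given ASCII (type 2) tags. Used only to construct sample files for this example."""
    entries = sorted(ascii_tags.items())
    n = len(entries)
    ifd_start = 8                                   # IFD0 right after the TIFF header
    data_start = ifd_start + 2 + n * 12 + 4         # long values go after the IFD
    ifd = struct.pack("<H", n)
    data = b""
    for tag, text in entries:
        payload = text.encode("ascii") + b"\x00"    # ASCII values are NUL-terminated
        if len(payload) <= 4:                       # short values live inline
            ifd += struct.pack("<HHI4s", tag, 2, len(payload), payload.ljust(4, b"\x00"))
        else:                                       # otherwise the entry holds an offset
            ifd += struct.pack("<HHII", tag, 2, len(payload), data_start + len(data))
            data += payload
    ifd += struct.pack("<I", 0)                     # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, ifd_start) + ifd + data
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_tiff_ifd0(tiff):
    """Return {tag_id: text} for every ASCII entry in IFD0 of a TIFF blob."""
    if len(tiff) < 8:
        return {}
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return {}
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return {}
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(count):
        entry = tiff[ifd_off + 2 + i * 12: ifd_off + 14 + i * 12]
        if len(entry) < 12:
            break
        tag, typ, cnt = struct.unpack(endian + "HHI", entry[:8])
        if typ != 2:                                # only ASCII fields carry text
            continue
        if cnt <= 4:
            raw = entry[8:8 + cnt]
        else:
            off = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[off:off + cnt]
        out[tag] = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return out


def exif_ascii_fields(jpeg):
    """Walk the JPEG marker segments and collect ASCII EXIF fields from APP1/Exif."""
    fields = {}
    if jpeg[:2] != b"\xff\xd8":
        return fields
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            break
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9):                  # SOI/EOI carry no length field
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            fields.update(_parse_tiff_ifd0(body[6:]))
        if marker == 0xDA:                          # SOS: entropy-coded data follows
            break
        pos += 2 + seg_len
    return fields


def find_script_in_exif(jpeg):
    """Return [(tag_id, matched_token)] for EXIF text fields that look like script."""
    hits = []
    for tag, text in exif_ascii_fields(jpeg).items():
        match = SCRIPT_TOKENS.search(text)
        if match:
            hits.append((tag, match.group(0)))
    return hits


# Constructed sample favicons (not real files from any compromised site).
BENIGN_FAVICON = build_jpeg_with_exif({
    TAG_ARTIST: "Design team",
    TAG_COPYRIGHT: "Copyright 2020 Example Shop",
})
SUSPICIOUS_FAVICON = build_jpeg_with_exif({
    TAG_COPYRIGHT: "Copyright (c) 2020 eval(function(){ /* constructed placeholder */ })",
})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_FAVICON), ("suspicious", SUSPICIOUS_FAVICON)):
        print(name, find_script_in_exif(blob))
```

The check is intentionally narrow: it reads only the text-typed entries of IFD0, which is where a skimmer loader would have to put a string it later extracts, and it never executes anything from the file. Run it over the favicons and other images that a site's pages fetch from third-party hosts, and treat any hit as a reason to pull the loader script that references that image and read it by hand.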