Hackers Use Steganography to Steal Credit Card Data from Compromised Stores


More and more attackers are shifting their attention to online e-commerce platforms, where they find fertile ground for exfiltrating payment card data that they later sell on hacking forums.

These incidents are known as Magecart attacks, and although they date back to 2016, cybersecurity researchers from US-based web security firm Sucuri discovered a new exfiltration technique while investigating a compromised online store running version 2 of the open-source Magento e-commerce platform. Hackers who gain access to an online store through a vulnerability or weakness install malicious code meant to steal customer card details at checkout.

The technique is called steganography, and it involves hiding malicious code or data inside the bytes of an image or audio file. Among hacking groups, the technique is not very common because it is incredibly difficult to introduce text into an image file without corrupting the image itself. However, it was recently revealed that the ObliqueRAT threat actor infiltrates victims' endpoints through steganography.

Sucuri researchers revealed that they encountered a Magento store that had been compromised by attackers who altered a core CMS file, Cc.php, responsible for handling credit card data. The hackers added extra code to the file that records the payment card details users enter in the checkout form and appends them to the end of a local image file.


What was odd about this case was that the hackers were able to pack a large number of payment card records into the image without visibly altering it. Usually, when attackers use steganography, they modify simple images to avoid corrupting the data. This time, however, they altered a high-resolution file, which would normally be very easy to corrupt.
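The reason a high-resolution image survives this kind of tampering is that the stolen records are appended after the image's terminating structure, and viewers simply ignore whatever follows it. That also makes the tampering cheap to detect once you parse the container rather than trusting the file extension: anything past a PNG's IEND chunk or a JPEG's EOI marker is not part of the picture. The following Python script is an added example written for this article, not code from Sucuri, Heimdal or the Magento project; it parses both formats, reports the length of any trailing bytes and whether they look like text, and runs against constructed in-memory samples (the image bytes, the file names and the fake checkout record are all made up here).

```python
"""Flag image files that carry data past their end-of-image marker.

Added example, not from the article: the attack appends captured checkout
data after the image's terminator, so we parse PNG chunks / JPEG segments
and measure what sits after IEND / EOI.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return everything after the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # 8-byte header + payload + CRC
        if end > len(data):
            raise ValueError("truncated PNG chunk")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("PNG has no IEND chunk")


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk JPEG marker segments up to SOS, then return everything after EOI."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte, skip it
            pos += 1
            continue
        if marker == 0xDA:                  # SOS: entropy-coded scan follows
            # In scan data a 0xFF byte is always followed by 0x00 or an RSTn
            # marker, so the first FF D9 after SOS is the real EOI.
            eoi = data.find(JPEG_EOI, pos + 2)
            if eoi < 0:
                raise ValueError("JPEG has no EOI marker")
            return data[eoi + 2:]
        if marker == 0xD9:                  # EOI reached without a scan
            return data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                        # stand-alone markers carry no length
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
    raise ValueError("JPEG has no EOI marker")


def trailing_data(data: bytes) -> bytes:
    """Dispatch on the magic bytes, not on the file extension."""
    if data.startswith(PNG_SIG):
        return png_trailing_data(data)
    if data.startswith(JPEG_SOI):
        return jpeg_trailing_data(data)
    raise ValueError("unsupported image format")


def looks_like_text(blob: bytes, threshold: float = 0.9) -> bool:
    """True when most bytes are printable ASCII, i.e. appended log-style text."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= threshold


def inspect_image(data: bytes) -> dict:
    """Summarise the tail of one image: size, text-likeness and a preview."""
    tail = trailing_data(data)
    return {"trailing_bytes": len(tail),
            "text_like": looks_like_text(tail),
            "preview": tail[:60]}


# --- constructed samples (not real files, not real card data) -------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Valid 1x1 greyscale PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")      # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def build_sample_jpeg() -> bytes:
    """Minimal JPEG skeleton: SOI, APP0, SOS with a few scan bytes, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
            + b"\xff\xda" + struct.pack(">H", 2 + len(sos)) + sos
            + b"\x12\x34\xff\x00\x56" + JPEG_EOI)


# Constructed stand-in for an appended checkout record (placeholder values).
CONSTRUCTED_RECORD = b"Customer_=name=Jane Doe&card=[placeholder]&ua=Mozilla/5.0\n"

if __name__ == "__main__":
    for name, blob in (("clean.png", build_sample_png()),
                       ("tampered.png", build_sample_png() + CONSTRUCTED_RECORD),
                       ("tampered.jpg", build_sample_jpeg() + CONSTRUCTED_RECORD)):
        print(name, inspect_image(blob))
```

In a real deployment you would walk the store's media and skin directories, call inspect_image on each file, and alert when trailing_bytes is non-zero, and especially when it grows between two runs, since a skimmer keeps appending. Pair this with file-integrity monitoring on core files such as Cc.php so that the code change that writes the data is caught as well as its output.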


"Nearly all of the information submitted by the victim on the checkout page is stored within the Customer_ parameter, including full names and addresses, payment card details, telephone numbers, and user agent details. This data is extremely valuable for the attacker. Not only can it be used for credit card fraud, but also spam or targeted phishing campaigns."
Luke Leal, Sucuri


Source: https://heimdalsecurity.com/blog/hackers-use-steganography-to-steal-credit-card-data/amp/