Magecart Attackers Save Stolen Credit-Card Data in .JPG File

[silversurfer]

Magecart attackers have found a new way to hide their nefarious online activity by saving data they’ve skimmed from credit cards online in a .JPG file on a website they’ve injected with malicious code.
 
Researchers at website security firm Sucuri discovered the elusive tactic recently during an investigation into a compromised website using the open-source e-commerce platform Magento 2, Luke Leal from Sucuri’s malware research team said in a report posted online last week.
 
“The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner,” he wrote.
 
Peering under the hood of the compromised site revealed a malicious injection that was capturing POST request data from site visitors, Leal explained. “Located on the checkout page, it was found to encode captured data before saving it to a .JPG file,” he wrote.
 
A POST request method asks a web server to accept data enclosed in the body of the request message, usually so it can be stored. It’s often used in Web transactions when someone has uploaded a file to a website or submitted a completed web form.
 
Specifically, Sucuri found that attackers injected PHP code into a file called ./vendor/magento/module-customer/Model/Session.php, then used the “getAuthenticates” function to load malicious code, Leal said. The code also created a .JPG file, which attackers used to store any data they captured from the compromised site, he said.
 
“This feature allows the attacker to easily access and download the stolen information at their convenience while concealing it within a seemingly benign JPG,” Leal wrote.

Read more: Magecart Attackers Save Stolen Credit-Card Data in .JPG File | Threatpost