Hackers hiding stolen credit card details in images

Cyber-criminals extract financial information using website product pictures

Images can be used to hide messages or credit card details
Images can be used to hide messages or credit card details

Cyber-criminals are hiding stolen credit card details in image file on their retailer  websites.

According to Sucrui, attackers are using flaws found in Magneto-based ecommerce site to place malware on site. This malware then records victims' credit card details.

However, there is a twist in that instead of recording the details in a text file, the details are embedded in product image files.

According to a blog post, Ben Martin, remediation team lead at Sucuri, a scan of an affected website would unearth the credit card swiper code alongside the image file storing credit card details in a core file used by Megneto called “cc.php”.

Martin said that usually such fake image files would produce errors when accessed, but in this case, the image file worked and showed an image of a bottle of perfume, one sold by the shop in question.

“Most website owners would be none the wiser if they came across this image and opened it to make sure it worked,” he said.

“The image file usually doesn't contain a real image, however, no one really suspects an image file to contain malware. This gives the attacker a secret place to store data. If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack.”

He added that the image file has now been deleted to prevent further downloads of the data. Martin urged ecommerce websites using Magneto to keep them up to date and apply the latest patches.

Chris Hodson, CISO EMEA at Zscaler, told SCMagazineUK.com that almost all script injection, such as ‘card skimming' attacks start with the hacker exploiting a vulnerability in either a web server or the application components running thereon (Joomla, Wordpress, etc).  

“In recent cases, remote execution vulnerabilities in the Magento ecommerce Platform were exploited, which ultimately resulted in admin access to servers, and the opportunity for code manipulation and the installation of malware,” he said.

“Nothing replaces good security hygiene. Users must go back to basics to keep hackers at bay. This means ensuring that web servers and application middleware components are fully patched, and web application firewalls are inspecting all layer 7 traffic destined for the server. Logging and monitoring solutions also need to be deployed and able to detect anomalous activity. There are simply no shortcuts here.

Mark James, security specialist at ESET, told SC that once stolen its fairly easy to identify credit card numbers in plain text files, they are fairly unique in their structure, and the bad guys are looking for ways to move this data without it being picked up by the average software scanning for those items.

“If you embed the information inside an image file you have a fairly standard container that is seen in so many aspects of our digital world. Nobody takes any notice of an image file especially if it actually displays the image with no problems, this enables attackers to send those details to almost anywhere unhindered,” he said.

Sign up to our newsletters