Attackers targeting online e-commerce platforms to steal users' payment card data have devised a clever new technique: the stolen card details are written to a local file with a .JPG extension, so the loot hides among the site's ordinary images.
The new technique was spotted by security researchers at Sucuri while investigating a compromised online store running version 2 of the open-source Magento e-commerce platform.
Digging further, the researchers found a malicious injection on the site’s checkout page that was capturing POST request data from site visitors. The captured data was then encoded and saved to a .JPG file.
“The following PHP code was found injected to the file ./vendor/magento/module-customer/Model/Session.php. To load the rest of the malicious code onto the compromised environment, the getAuthenticates function is created and called,” Sucuri explained.
The malicious code creates a fake image file, pub/media/tmp/design/file/default_luma_logo.jpg, and appends the captured data to it. Because the file sits under pub/media, which Magento serves to the public, and carries the name of an ordinary logo image, the attackers can retrieve the stolen information with a plain web request while the file blends in with legitimate media.
The skimmer uses Magento's own framework to read the incoming POST data: it calls Magento's getPostValue function to pull the checkout form fields out of the Customer_ POST parameter. The PHP code also checks whether the visitor is logged in and, if so, records the account's email address as well.
“Nearly all of the information submitted by the victim on the checkout page is stored within the ‘Customer_ parameter,’ including full names and addresses, payment card details, telephone numbers, and user agent details,” the researchers wrote.
“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites. The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”
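As an added example (not code from the article or from Sucuri), the Python script below implements the two checks a Magento site owner would want after reading this: it flags files under pub/media whose extension promises an image but whose header is not one, and it searches vendor/ PHP files for the loader name getAuthenticates reported above. The sample site tree, the checkout records inside the fake .jpg, and the assumption that records are stored one per line in base64 are all constructed for the demo; the article only says the data was "encoded", so lines that are not valid base64 are returned raw for manual inspection.

```python
"""Offline checks for the two artifacts described above: an image-named
file that is not an image, and a vendor PHP file carrying the injected
loader name. The sample site tree is constructed in build_demo_site()."""
import base64
import tempfile
from pathlib import Path
from typing import Dict, List

# Magic bytes expected at offset 0 for the image extensions Magento serves
# from pub/media. An extension that promises an image with a different
# header is worth a look.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# The function name Sucuri reported as the injected loader in
# vendor/magento/module-customer/Model/Session.php. Anything else you add
# here is your own indicator, not one from the report.
SUSPECT_PHP_MARKERS = (b"getAuthenticates",)


def is_fake_image(path: Path) -> bool:
    """True if the extension claims an image but the header disagrees."""
    magics = IMAGE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return False
    with path.open("rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(m) for m in magics)


def find_fake_images(root: Path) -> List[Path]:
    """Every image-named file under root whose bytes are not an image."""
    return sorted(p for p in root.rglob("*") if p.is_file() and is_fake_image(p))


def find_marked_php(root: Path) -> List[Path]:
    """PHP files under root containing any suspect identifier."""
    return sorted(
        p for p in root.rglob("*.php")
        if any(marker in p.read_bytes() for marker in SUSPECT_PHP_MARKERS)
    )


def decode_records(path: Path) -> List[str]:
    """Recover harvested records from a fake image.

    Assumption for this demo: one base64-encoded record per line. Lines
    that fail strict base64 decoding are returned as raw text instead.
    """
    records = []
    for line in path.read_bytes().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(base64.b64decode(line, validate=True).decode("utf-8", "replace"))
        except ValueError:
            records.append("<undecoded> " + line.decode("latin-1"))
    return records


def scan(root: Path) -> Dict[str, object]:
    """Run both checks over a Magento document root and decode any hits."""
    fake_images = find_fake_images(root / "pub" / "media")
    marked_php = find_marked_php(root / "vendor")
    records = [rec for img in fake_images for rec in decode_records(img)]
    return {"fake_images": fake_images, "marked_php": marked_php, "records": records}


def build_demo_site() -> Path:
    """Constructed sample tree: a genuine logo, the fake .jpg named in the
    article, and a Session.php carrying the reported loader name. The
    checkout records are made up for this example (test card numbers)."""
    root = Path(tempfile.mkdtemp(prefix="magento-demo-"))
    media = root / "pub" / "media"
    (media / "tmp" / "design" / "file").mkdir(parents=True)
    # Minimal real JPEG header: SOI marker followed by an APP0/JFIF segment.
    (media / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 16)
    fake_records = [  # constructed, not a real skimmer's record format
        b"Customer_=firstname:Jane|lastname:Doe|cc_number:4111111111111111|cc_exp:12/27",
        b"Customer_=firstname:John|lastname:Roe|cc_number:5555555555554444|cc_exp:03/26",
    ]
    (media / "tmp" / "design" / "file" / "default_luma_logo.jpg").write_bytes(
        b"\n".join(base64.b64encode(r) for r in fake_records) + b"\n"
    )
    model = root / "vendor" / "magento" / "module-customer" / "Model"
    model.mkdir(parents=True)
    (model / "Session.php").write_bytes(
        b"<?php\nclass Session {\n  // constructed stand-in for the injected loader\n"
        b"  public function getAuthenticates() { /* ... */ }\n}\n"
    )
    return root


if __name__ == "__main__":
    for key, value in scan(build_demo_site()).items():
        print(key, value)
```

Point scan() at a real install with scan(Path("/var/www/magento")) to run the same checks in place. The header check is cheap and catches this particular trick, but the stronger control for the vendor/ side is diffing the tree against a clean composer install, since a future variant will not reuse the same function name.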