Posted on July 10, 2021 at 7:18 PM
Researchers from Sucuri, while investigating a compromised Magento 2 e-commerce site, found that the attackers concealed the data they had harvested on the server itself until they were ready to collect it.
According to the report, the attackers stored the credit card data they harvested in a .JPG file on the infected website.
"The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details," the researchers said, adding that the technique does this without drawing the attention of the victim.
They revealed that the threat actors used a malicious code injection that captures POST request data from visitors to the site. The malicious code encodes the captured data before it is saved to the .JPG file.
A POST request asks the web server to accept the data enclosed in its body. It is the request type used when a visitor submits a completed web form or uploads a file, so the checkout details a skimmer wants arrive this way.
Threat actors secretly planted malicious code
The security researchers said the threat actors injected PHP code into the file ./vendor/magento/module-customer/Model/Session.php and loaded it through the "getAuthenticates" function. The injected code also created a .JPG file in which the harvested data was stored.
Once planted, this gives the attackers easy access to the data: they can download it whenever they want by fetching what looks like an ordinary image, while the stolen details stay hidden inside the JPG.
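To make the storage trick concrete, here is an added example (not Sucuri's code and not Magento's) that builds a constructed "fake JPG" the way a skimmer of this kind would, then inspects it. The exact on-disk format used by the real skimmer is not given in the article; the example assumes one base64-encoded JSON record per line appended after the image's end-of-image (EOI) marker. The inspection side is what a responder would actually run over a media directory: flag files that do not start with the JPEG SOI marker at all, and files whose bytes after the last EOI marker decode as base64.

```python
"""Detect .jpg files that carry appended, non-image payload data.

Added example, not Sucuri's or Magento's code. The skimmer format (base64
JSON per line after the EOI marker) is an assumption for illustration.
"""
import base64
import binascii
import json
import re

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker
# Loose base64 alphabet check; one encoded blob per victim is the assumed layout.
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def minimal_jpeg() -> bytes:
    """Constructed stand-in for a real image: SOI, one APP0 (JFIF) segment, EOI."""
    app0 = (b"\xff\xe0" + (16).to_bytes(2, "big")
            + b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01" + b"\x00\x01" + b"\x00\x00")
    return SOI + app0 + EOI


def fake_skimmer_drop(image: bytes, records: list) -> bytes:
    """Imitate the storage trick: append base64(JSON) for each harvested record after EOI."""
    out = image
    for rec in records:
        out += base64.b64encode(json.dumps(rec).encode()) + b"\n"
    return out


def trailing_data(blob: bytes) -> bytes:
    """Return the bytes after the last EOI marker (empty if the file ends cleanly).

    rfind is used because EXIF thumbnails embed their own EOI inside the file.
    """
    idx = blob.rfind(EOI)
    if idx == -1:
        return blob  # no EOI at all: treat the whole file as the tail
    return blob[idx + 2:]


def decode_payload(tail: bytes) -> list:
    """Base64-decode each line of the tail into JSON; skip anything that does not decode."""
    found = []
    for line in tail.splitlines():
        line = line.strip()
        if not line or not B64_RE.match(line):
            continue
        try:
            found.append(json.loads(base64.b64decode(line, validate=True)))
        except (binascii.Error, ValueError):
            continue
    return found


def inspect_jpg(blob: bytes) -> dict:
    """Classify the contents of a file that claims to be a JPEG."""
    tail = trailing_data(blob)
    report = {
        "valid_soi": blob.startswith(SOI),
        "trailing_bytes": len(tail),
        "records": decode_payload(tail),
    }
    # Trailing bytes alone are not conclusive (some cameras append junk);
    # a missing SOI or decodable structured records is.
    report["suspicious"] = (not report["valid_soi"]) or bool(report["records"])
    return report


if __name__ == "__main__":
    clean = minimal_jpeg()
    dropped = fake_skimmer_drop(clean, [{"cc": "4111111111111111", "email": "a@b.c"}])
    print(inspect_jpg(clean))
    print(inspect_jpg(dropped))
```

In practice you would run inspect_jpg over every .jpg under the media and tmp directories and review anything flagged; the trailing-bytes count is reported separately so that benign camera junk can be distinguished from files that actually decode into records.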
Attackers are always looking for new ways to steal information from websites and other online platforms. As security researchers and in-house security teams get better at monitoring, the threat actors keep evolving, constantly finding new ways past defenses by hiding their activity in creative ways.
The campaign used Magento's own code
Magecart attackers are known for adapting to whatever defenses they encounter. They typically hide their skimming code inside functionality that looks legitimate, and they frequently turn the platform they compromise into a tool for the attack itself.
For example, in a Magecart campaign discovered in December last year, the attackers hid skimming code inside PayPal iframes to steal credit card details and user credentials.
The recent campaign likewise used Magento's own code to harvest the stolen data and hide it in the .JPG file.
The malicious code did its work through the Magento "getPostValue" function, capturing the checkout page data carried in the "Customer_" POST parameter.
Additionally, the researchers found that it used the Magento "isLoggedIn" function to check whether the targeted user was logged in. Besides the checkout details, the attackers also retrieved logged-in users' email addresses from the transaction.
Almost all the details the victim submits on the checkout page end up in the "Customer_" parameter, including full name, telephone number, address, payment card details, and the browser's user agent string.
Once the attackers retrieve the customer payment data, it is put to a range of criminal uses. Most often it is sold to others, who use it for phishing campaigns, email-based scams and credit card fraud.
Site owners urged to improve their security
Although the infection may be hard to discover because of this latest Magecart anti-detection method, website owners can still spot potentially malicious changes or new files before they do more damage.
The researchers advise website owners to improve their website monitoring so that unauthorized changes are detected and the attackers' activity can be stopped.
As threat actors keep devising new ways of attacking websites, owners and users should also adopt stricter security measures to keep this kind of malicious code out of their systems.
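One concrete form of the monitoring recommended above is a file-integrity baseline: hash every file right after a clean deploy, store the manifest off-host, and diff against it regularly. Both changes in this incident, an edited vendor PHP file and a new .jpg appearing in a media directory, show up in such a diff. The following is an added example, not Sucuri's or Magento's code; the directory tree it builds in a temporary folder is constructed for illustration and mirrors the path named in the article.

```python
"""File-integrity baseline check for a web root such as a Magento install.

Added example, not from Sucuri or Magento. The scenario in simulate_incident()
is constructed: a clean deploy, then the two changes the article describes.
"""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report paths that were added, removed, or modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: write data at rel, creating parent dirs."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def simulate_incident() -> dict:
    """Constructed scenario: baseline a clean tree, then inject code and drop a fake image."""
    with tempfile.TemporaryDirectory() as root:
        session = "vendor/magento/module-customer/Model/Session.php"
        _write(root, session,
               b"<?php\nclass Session {\n  public function getAuthenticates() { return true; }\n}\n")
        _write(root, "pub/media/logo.jpg", b"\xff\xd8\xff\xd9")
        baseline = hash_tree(root)  # would normally be stored off-host

        # Attacker edits the vendor file and drops a fake image to hold harvested data.
        _write(root, session,
               b"<?php\nclass Session {\n  public function getAuthenticates() { /* injected */ return true; }\n}\n")
        _write(root, "pub/media/tmp/harvest.jpg", b"eyJjYyI6ICIxMjM0In0=\n")
        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(simulate_incident())
```

On a real site, exclude churny paths such as var/cache, var/log and generated/ from the manifest, and treat any modification under vendor/ as a red flag, since Composer-managed code should only change during a deploy.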