The Magecart hacking group has devised a new technique: obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server.
This indicates that the attackers are continuously refining their infection chains to evade detection.
According to Sucuri security analyst Ben Martin, one of the techniques that some Magecart actors employ is dumping swiped credit card details into image files on the server to avoid raising suspicion. These can then be retrieved at a later date with a simple GET request.
The attack has been attributed to Magecart Group 7 based on overlaps in the tactics, techniques, and procedures (TTPs) adopted by the threat actor.
In one instance of a Magento e-commerce website infection investigated by the security company, the skimmer was found inserted into one of the PHP files involved in the checkout process, in the form of a Base64-encoded compressed string.
To further mask the presence of the malicious code in the PHP file, the threat actors used a technique called concatenation, in which the code was combined with additional comment chunks that “does not functionally do anything but it adds a layer of obfuscation making it more difficult to detect.”
The ultimate aim of the attack is to capture customers’ payment card details in real time on the compromised website; these are then saved to a bogus style sheet file (.CSS) on the server and subsequently retrieved by the threat actor with a GET request.
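As an added defender-side example (not Sucuri's tooling, and not code from the article), the following Python heuristics reassemble comment-chunked Base64 string chains found in PHP source to see what they decode to, and flag static assets (.css, .png) whose content does not match their extension. The sample payload, file contents, function names and marker list are constructed assumptions for illustration.

```python
import base64
import re
import zlib
# 'aGVs'/*padding*/.'bG8=' : Base64-looking literal, one or more /* */ chunks, then the '.' join.
COMMENT_JOIN_RE = re.compile(r"""['"][A-Za-z0-9+/=]{4,}['"]\s*(?:/\*.*?\*/\s*)+\.""", re.S)
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|eval)\s*\(")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LITERAL_CHAIN_RE = re.compile(r"""(?:['"][A-Za-z0-9+/=]+['"]\s*(?:\.\s*)?){2,}""")
PAYLOAD_MARKERS = ("$_POST", "cc_number", "cvv", "file_put_contents")  # assumed marker list
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# 64+ Base64 chars that are neither mid-run nor the body of a data: URI (legitimate in CSS).
B64_RUN_RE = re.compile(rb"(?<![A-Za-z0-9+/])(?<!base64,)[A-Za-z0-9+/]{64,}={0,2}")

def reassemble_chains(php_src: str) -> list:
    # Drop the comment chunks, then glue 'a'.'b'.'c' literal chains back into single strings.
    clean = BLOCK_COMMENT_RE.sub("", php_src)
    return ["".join(re.findall(r"""['"]([A-Za-z0-9+/=]+)['"]""", c)) for c in LITERAL_CHAIN_RE.findall(clean)]

def scan_php(php_src: str) -> dict:
    # Indicators: comment-chunk joins, decoder calls, and what the reassembled blob contains.
    markers = set()
    for b64 in reassemble_chains(php_src):
        try:
            raw = base64.b64decode(b64, validate=True)
            raw = zlib.decompress(raw, -15)  # raw deflate, what PHP's gzinflate() consumes
        except zlib.error:
            pass  # valid Base64 with no compression layer: keep the decoded bytes
        except ValueError:  # not valid Base64 (binascii.Error subclasses ValueError)
            continue
        markers.update(m for m in PAYLOAD_MARKERS if m in raw.decode("latin-1"))
    return {"comment_joins": len(COMMENT_JOIN_RE.findall(php_src)),
            "decoders": sorted(set(DECODER_RE.findall(php_src))),
            "payload_markers": sorted(markers)}

def scan_static_file(name: str, data: bytes):
    # Flag .png/.css assets whose content is not what the extension promises.
    ext = name.lower().rsplit(".", 1)[-1]
    # A well-formed PNG starts with the magic and ends 8 bytes after "IEND" (chunk type + CRC).
    if ext == "png" and (not data.startswith(PNG_MAGIC) or len(data) > data.rfind(b"IEND") + 8):
        return "png header missing, or data appended after the IEND chunk"
    if ext == "css" and B64_RUN_RE.search(data):
        return "long Base64 run inside a style sheet"
    return None

# Constructed sample: marker-only payload, deflated, Base64-encoded and split into comment-joined chunks.
INNER = b"<?php $cc = $_POST['cc_number']; /* constructed marker, not a skimmer */"
_b64 = base64.b64encode(zlib.compress(INNER)[2:-4]).decode()  # strip zlib header/trailer -> raw deflate
SAMPLE_PHP = ("<?php eval(gzinflate(base64_decode('"
              + "'/*chunk*/.'".join(_b64[i:i + 8] for i in range(0, len(_b64), 8)) + "')));")
```

Running `scan_php(SAMPLE_PHP)` reports the number of comment-chunk joins, the decoder calls that remain visible in the source, and the markers found in the reassembled, inflated payload; a clean PHP file and a genuine PNG or CSS file produce no findings.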