Hackers Hide Magecart Script in Favicon Image's EXIF Metadata, Exfiltrate Credit Card Details

Threat actors have been devising new ways to hide their credit card skimmer in order to evade detection. In one of the deceptive attempts, hackers hid skimming code within the metadata of an image file and surreptitiously loaded it into compromised online stores.

Hidden skimmer within EXIF metadata

Recently, Malwarebytes researchers found malicious code on an online store running the WooCommerce plugin for WordPress in a new Magecart campaign.
  • The Magecart campaign used malicious credit card-stealing scripts, but instead of adding them directly to the site, the attackers placed the scripts in the Exchangeable Image File Format (EXIF) data of a favicon image to evade detection.
  • This EXIF metadata skimming technique may be linked to the threat actor group known as 'Magecart 9'.
  • The favicon.ico file was crafted with the malicious JavaScript in its EXIF data. Once the script was loaded, any credit card information submitted on checkout pages was sent to the attackers.
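As an added example (not code from the article or from Malwarebytes' research), a defensive scanner a site owner could run over the images in a web root: it parses the JPEG APP1/Exif segment and flags ASCII-typed tags whose text contains JavaScript tokens. Because EXIF lives in JPEG/TIFF containers regardless of the file's extension, it inspects content rather than trusting a ".ico" name. The tag list, indicator regex and the fixture builder are assumptions made for this example.

```python
import re
import struct

# Tokens that have no business in an image's text tags (constructed watch-list).
JS_INDICATORS = re.compile(r"eval\(|atob\(|document\.|XMLHttpRequest|fetch\(|<script|function\s*\(", re.I)
TEXT_TAGS = {0x010E: "ImageDescription", 0x0131: "Software", 0x013B: "Artist",  # ASCII-typed EXIF tags
             0x8298: "Copyright", 0x9286: "UserComment"}

def exif_text_fields(data: bytes):
    """Yield (tag_name, text) for ASCII tags in IFD0 of the first APP1/Exif segment."""
    if data[:2] != b"\xff\xd8":  # not a JPEG, nothing to parse
        return
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: no more APP segments follow
            return
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]  # all offsets below are relative to the TIFF header
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd = struct.unpack(endian + "I", tiff[4:8])[0]
            count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
                tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
                if typ != 2:  # only ASCII tags can hold script text
                    continue
                off = struct.unpack(endian + "I", entry[8:12])[0]  # meaningful only when n > 4
                raw = tiff[off:off + n] if n > 4 else entry[8:8 + n]  # out-of-line vs inline value
                yield TEXT_TAGS.get(tag, hex(tag)), raw.rstrip(b"\x00").decode("latin-1")
            return
        pos += 2 + seglen

def scan_for_hidden_script(data: bytes):
    """Return EXIF text fields whose content looks like JavaScript rather than metadata."""
    return [(name, text) for name, text in exif_text_fields(data) if JS_INDICATORS.search(text)]

def build_test_jpeg(tag: int, text: str) -> bytes:
    """Constructed fixture: SOI, one APP1/Exif segment holding a single ASCII tag, EOI."""
    s = text.encode() + b"\x00"
    out_of_line = len(s) > 4  # EXIF stores values longer than 4 bytes after the IFD (here at offset 26)
    entry = struct.pack("<HHI", tag, 2, len(s)) + (struct.pack("<I", 26) if out_of_line else s.ljust(4, b"\x00"))
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1) + entry + b"\x00\x00\x00\x00" + (s if out_of_line else b"")
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A hit on any text tag is a strong signal to pull the file for review; a legitimate Copyright or Software tag never needs `eval` or `document.`.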

A similar incident

In May, threat actors registered a new website (myicons[.]net) purporting to offer thousands of images and icons (favicons) for download, as a facade for a credit card skimming operation.

Web skimmers using Magecart script

Threat actors use countless variations of skimming scripts built on custom toolkits, and Magecart script attacks in particular are constantly on the rise.
  • In June, hackers breached the websites of Intersport, Claire's, and Icing, hiding Magecart script code to skim payment card details entered in checkout forms.
  • In the same month, cybercriminals abused unsecured AWS S3 buckets on three websites owned by Endeavor Business Media to infect them with Magecart skimming code.