Cybercriminals Exploit onerror Events in Image Tags to Deploy Payment Skimmers

Feb 18, 2025 | Ravie Lakshmanan | Malware / Website Hacking

Cybersecurity researchers have flagged a credit card skimming malware campaign targeting Magento e-commerce sites that hides its malicious content inside HTML image tags in order to evade detection.

MageCart is the name given to malware that is capable of stealing sensitive payment information from online shopping sites. The attacks are known to use a variety of methods to compromise websites and deploy credit card skimmers that facilitate fraud, on both the client side and the server side.

The malware typically only triggers or loads when users visit the checkout pages to enter credit card information, either by serving a fake form or by capturing the data entered by the victims in real time.

The term "MageCart" refers to the original target of these cybercrime groups: the Magento platform, which offers shopping cart and checkout functions for online retailers. Over the years, such efforts have evolved to conceal malicious code through encoding and obfuscation within seemingly harmless sources, such as fake images, audio files, favicons, and even 404 error pages.

"The client-side malware in this case follows the same goal: staying hidden," said Sucuri researcher Kayleigh Martin. "It does this by disguising the malicious content inside an <img> tag, making it easy to overlook."

"It's common for <img> tags to contain long strings, especially when referencing image file paths or Base64-encoded images, along with additional attributes like height and width."

The difference is that the <img> tag, in this case, acts as a decoy: it contains Base64-encoded content that points to JavaScript code, which is activated when an onerror event fires. The attack is all the more insidious because the browser inherently trusts the onerror functionality.

The onerror event normally lets the website display a broken image icon in place of an image that fails to load, according to Martin. "But, in this context, the onerror function is hijacked to execute JavaScript instead of just handling the error."

The attack also offers an added benefit to threat actors in that the <img> HTML element is generally considered benign. For its part, the malware checks whether the user is currently on the checkout page and waits for unsuspecting users to click the submit button, at which point it transfers the sensitive payment information to an external server.

The script creates a malicious form containing three fields, Card Number, Expiration Date, and CVV, with the intention of exfiltrating the entered data to wellfacing[.]web.

With the malicious script, the attacker achieves two notable goals: evading easy detection by security scanners by encoding the script within an <img> tag, and ensuring that end users don't notice unexpected changes when the malicious form is inserted, so that the skimmer stays undetected for as long as possible, Martin said.
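As an added illustration, not code from the article or from Sucuri, the following Python scanner flags `<img>` tags whose onerror handler calls execution or DOM-building functions, or carries a long Base64 blob that decodes to such a call; the sample HTML and the encoded handler in it are constructed here for demonstration, and the list of suspicious call names is an assumption rather than anything the article specifies.

```python
import base64
import re
from html.parser import HTMLParser

# Calls a legitimate onerror fallback (swapping in a placeholder image) has no reason to make.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|atob|Function|fromCharCode|createElement|fetch|XMLHttpRequest)\b")
# A long run of Base64-alphabet characters inside a handler is worth decoding and inspecting.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _calls(js):
    return {m.group(0) for m in SUSPICIOUS_CALLS.finditer(js)}

class ImgOnErrorScanner(HTMLParser):
    # Collects <img> tags whose onerror handler looks like an execution hook rather than a fallback.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        handler = attrs.get("onerror") or ""
        blobs = B64_BLOB.findall(handler)
        reasons = _calls(B64_BLOB.sub(" ", handler))  # inspect the handler with blobs masked out
        decoded = []
        for blob in blobs:
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not Base64 text after all; skip it
            decoded.append(text)
            reasons |= _calls(text)  # the decoded payload is where the real logic hides
        if reasons:
            self.findings.append({"src": attrs.get("src"), "reasons": sorted(reasons), "decoded": decoded})

def scan_html(html):
    # Returns one finding per suspicious <img onerror=...> in the page.
    scanner = ImgOnErrorScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample (not from the article): a plain image, a benign fallback handler, and a
# handler that hides its script body as Base64 and runs it through eval(atob(...)).
_HIDDEN = base64.b64encode(b"var f=document.createElement('form');document.body.appendChild(f);").decode()
SAMPLE_HTML = f"""
<img src="/static/logo.png" width="120" height="40" alt="logo">
<img src="/static/hero.jpg" onerror="this.src='/static/fallback.png'">
<img src="x" onerror="eval(atob('{_HIDDEN}'))">
"""
```

Running `scan_html(SAMPLE_HTML)` reports only the third tag, with `eval`, `atob` and the decoded payload's `createElement` as the reasons, while the benign fallback handler produces no finding.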

"The goal of attackers targeting platforms like Magento, WooCommerce, PrestaShop, and others is to remain undetected as long as possible," and the malware they inject into websites is often more complex than the more commonly found pieces of malware affecting other sites, according to the researcher.

The website security company also reported an incident involving a WordPress website that used the mu-plugins (or must-use plugins) directory to install backdoors and execute malicious PHP code in a covert manner.

Must-use plugins are automatically loaded on every page load, without needing to be activated or appearing in the list of standard plugins, according to Puja Srivastava.

Because files placed here execute automatically and are not accessible from the WordPress admin panel, attackers can use this directory to maintain persistence and evade detection.
