Payment card-skimming malware that hides inside fake social-media buttons is circulating, compromising online stores as the holiday shopping season kicks off.
The skimmer steals credit-card data, using a steganography-style trick to hide in plain sight inside what appear to be innocent images.
According to researchers at Sansec, the skimmer hides in fake social-media buttons that purport to allow sharing on Facebook, Twitter and Instagram. Attackers gain access to a website's code and then place the fake buttons on checkout and other e-commerce pages.
On the initial infection vector, "We have found various root causes (password interception, unpatched vulnerabilities etc.), so we suspect that the attackers are gathering victims from different sources," said Willem de Groot, founder of Sansec.
Once installed on the page, the malware behaves like the widespread Magecart family of skimmers: the code is parsed and run by the shopper's browser in order to harvest payment cards and any other information entered into the site's form fields, he added.
Under the Radar
The impostor buttons look just like the legitimate social-sharing buttons found on countless websites and are unlikely to raise any concern from visitors, says Sansec.
Perhaps more interesting, the malware's operators also took pains to make the code behind the buttons look as normal and harmless as possible, so that it would not be flagged by security tools.
"While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image," according to Sansec's recent post.
"The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilising syntax that strongly resembles correct use of the <svg> element."
To complete the pretence that the image is benign, the malicious payloads are named after legitimate companies. The researchers found at least six such names used as payload identifiers to lend legitimacy: facebook_full, google_full, instagram_full, pinterest_full, twitter_full and youtube_full.
The upshot is that security scanners can no longer spot the malware simply by testing the markup for valid syntax.
"Because it hides in legitimate-seeming files, it successfully dodges malware monitors and corporate firewalls. It is the next step by adversaries to stay under the radar, and quite successfully so," de Groot explained.
Adding a further wrinkle, the malware consists of two parts: the payload itself, and a decoder that reads the payload and executes it. Critically, the decoder does not have to be injected in the same place as the payload.
"Vulnerability scanners will not know to put the two puzzle pieces together and will miss this type of attack," Ameet Naik, security evangelist at PerimeterX, explained. "These attacks also leave no signature on the server side of the website, where all the security monitoring tools are. Hence the website administrators also typically have no indication that this happened."
No interaction is necessary to activate the skimming.
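The two pieces described above, the payload parked in a `<path>` element and a decoder injected somewhere else, are what a static scanner has to correlate. The following is an added example written for this article, not Sansec's or PerimeterX's code. It extracts every `<path d="...">` from page HTML and checks the path data against the SVG path-data grammar (a stricter test than "is the markup well-formed", which the text notes no longer suffices), marks `<svg>` elements that are hidden with zero size or `display:none`, and searches script bodies for a decoder-shaped pattern (a read of path data next to `eval`, `Function`, `atob` or dynamic script creation). The hidden-element test, the decoder regexes and the sample page are assumptions constructed for this example, and the "decoder" in the sample is a non-functional stand-in, not a real skimmer.

```javascript
'use strict';

// Added example, not Sansec's code: a static checker for the hiding technique
// described in the article. The hidden-element test and the decoder patterns
// are illustrative heuristics chosen here, not Sansec's detection signatures.

// Argument count per path command; Z (closepath) takes none.
const PATH_ARITY = { M: 2, L: 2, T: 2, H: 1, V: 1, C: 6, S: 4, Q: 4, A: 7, Z: 0 };
// One numeric token: optional sign, integer or decimal, optional exponent.
// Sticky flag so it must match exactly at lastIndex.
const NUMBER_RE = /[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?/y;

// Strict grammar check of a path-data string. Returns { valid, reason }.
// Arc flags are only counted, not checked for being 0/1 (simplification).
function validatePathData(d) {
  let cmd = null;
  let args = [];
  let seenMoveto = false;
  const closeCommand = () => {
    if (cmd === null) return null;
    const arity = PATH_ARITY[cmd];
    if (arity === 0 && args.length > 0) return `Z takes no arguments, got ${args.length}`;
    if (arity > 0 && (args.length === 0 || args.length % arity !== 0)) {
      return `${cmd} expects a multiple of ${arity} arguments, got ${args.length}`;
    }
    return null;
  };
  for (let i = 0; i < d.length; ) {
    const ch = d[i];
    if (' ,\t\n\r'.includes(ch)) { i += 1; continue; }
    if (/[A-Za-z]/.test(ch)) {
      const upper = ch.toUpperCase();
      if (!(upper in PATH_ARITY)) return { valid: false, reason: `unknown command '${ch}' at offset ${i}` };
      const err = closeCommand();
      if (err) return { valid: false, reason: err };
      if (!seenMoveto && upper !== 'M') return { valid: false, reason: 'path data must begin with a moveto' };
      seenMoveto = true;
      cmd = upper;
      args = [];
      i += 1;
      continue;
    }
    NUMBER_RE.lastIndex = i;
    const m = NUMBER_RE.exec(d);
    if (!m || cmd === null) return { valid: false, reason: `unexpected character '${ch}' at offset ${i}` };
    args.push(m[0]);
    i += m[0].length;
  }
  const err = closeCommand(); // empty path data is valid: it simply renders nothing
  return err ? { valid: false, reason: err } : { valid: true, reason: '' };
}

// Attribute lookup inside a tag's attribute string (double-quoted values only).
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*"([^"]*)"`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// Heuristic for an <svg> that is present but invisible (assumption for this example).
const HIDDEN_RE = /display\s*:\s*none|(?:^|\s)(?:width|height)\s*=\s*"0"/i;

// Every <path> inside every <svg> block, with its grammar-check result.
function findPathElements(html) {
  const findings = [];
  for (const svg of html.matchAll(/<svg\b([^>]*)>([\s\S]*?)<\/svg>/gi)) {
    const hidden = HIDDEN_RE.test(svg[1]);
    for (const path of svg[2].matchAll(/<path\b([^>]*)>/gi)) {
      const d = attr(path[1], 'd') ?? '';
      findings.push({ id: attr(path[1], 'id'), hidden, length: d.length, ...validatePathData(d) });
    }
  }
  return findings;
}

// Second puzzle piece: script text that reads path data and hands it to a
// decode-or-execute sink. Both patterns are assumptions made for this example.
const READS_PATH_RE = /getAttribute\s*\(\s*['"]d['"]\s*\)|querySelector(?:All)?\s*\(\s*['"][^'"]*\bpath\b/;
const EXEC_SINK_RE = /\beval\s*\(|new\s+Function\s*\(|\batob\s*\(|createElement\s*\(\s*['"]script['"]/;

function findDecoders(html, externalScripts = []) {
  const inline = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
  return [...inline, ...externalScripts]
    .map((src, index) => ({ index, readsPath: READS_PATH_RE.test(src), hasSink: EXEC_SINK_RE.test(src) }))
    .filter((s) => s.readsPath && s.hasSink);
}

// Puts the pieces together: suspicious if any path data fails the grammar
// check or any script (inline or supplied external body) looks like a decoder.
function scanPage(html, externalScripts = []) {
  const paths = findPathElements(html);
  const decoders = findDecoders(html, externalScripts);
  const invalidPaths = paths.filter((p) => !p.valid);
  return { paths, decoders, invalidPaths, suspicious: invalidPaths.length > 0 || decoders.length > 0 };
}

// Constructed sample page (not a real infected store): a genuine share icon,
// a hidden fake "button" whose path data breaks the grammar, and a
// non-functional stand-in for the decoder script.
const SAMPLE_HTML = `
<a href="#share"><svg width="24" height="24"><path d="M0 0H24V24H0Z"/></svg></a>
<svg width="0" height="0"><path id="google_full" d="M 0 0 L 7 12 14 Q 3 ZZ 9 4"/></svg>
<script>var p=document.querySelector('svg path#google_full').getAttribute('d');new Function(unpack(p))();</script>
`;

if (typeof require !== 'undefined' && require.main === module) {
  const result = scanPage(SAMPLE_HTML);
  for (const p of result.paths) console.log(`path id=${p.id} hidden=${p.hidden} valid=${p.valid} ${p.reason}`);
  console.log(`decoder candidates: ${result.decoders.length}, suspicious: ${result.suspicious}`);
}

if (typeof module !== 'undefined') module.exports = { validatePathData, findPathElements, findDecoders, scanPage, SAMPLE_HTML };
```

Two caveats follow from the article itself. A payload that an attacker takes the trouble to make grammatically valid path data will pass `validatePathData`, so the hidden-element flag and the decoder search are the checks that still fire; and because the decoder can live in a different file, externally loaded scripts have to be fetched and passed in as `externalScripts` rather than scanned only where they are referenced.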
Chloé Messdaghi, VP of strategy at Point3 Security, noted that website owners might miss the rogue elements as well, and fail to notice that social-media buttons that never existed before have suddenly appeared on a page.
"These types of attacks will continue to succeed because even the most major online brands use code and plugins developed by third-, fourth- or even fifth-party organisations, so there's no centralised ownership of and responsibility for what's authentic and what's not," she commented.
She added: "Until every retailer from largest to smallest realises that their transaction websites are 'Franken-sites' made up of third-party pieces, and they become scrupulous about thoroughly and continually monitoring their sites, these attacks will only become more frequent and successful."
More Pain to Come?
Sansec has found 37 stores infected with the malware to date, de Groot said, but worse campaigns could be on the horizon.
“An attacker can of course conceal any payload with this technique,” according to the analysis.
The actors behind the malware have been patient in their development cycle. In June, Sansec detected similar malware using the same technique, but that campaign appeared to be a test run.
"This malware was not as sophisticated and was only detected on nine sites on a single day," the post read. "Of these nine infected sites, only one had functional malware. The eight remaining sites all missed one of the two components, rendering the malware useless. The question arises if the June injections could have been the creator running a test to see how well their new creation would fare."
The second version of the malware was first found on live sites in mid-September.
Application Security Solutions
Active monitoring of the scripts running on the client side is one way to catch a stealthy problem like this, researchers observed.
"The goal here is twofold," Naik suggested. "First, the attackers want the visible elements on the page to seem innocuous so that consumers don't suspect anything. Secondly, they want the code for these buttons to look harmless as well so that security scanners do not flag it as a threat. However, runtime client-side application security solutions that actively monitor the scripts executing on the shopper's browser will detect the changes to the page and flag any suspicious communication with external domains."
Meanwhile, security vendors will need to extend their products, according to de Groot.
“Going forward, we suspect that most security vendors will ensure that their products are capable of SVG parsing,” he concluded.