Hackers Conceal Web Skimmers in Social Media Share Buttons
Security analysts at Sanguine Security have discovered that cybercriminals are using steganography to hide MageCart skimmers within buttons designed for sharing content on social media platforms. Originally, the term MageCart referred to a single hacker group that pioneered the injection of web skimmers (malicious JavaScript) into online store pages to steal credit card data. However, this approach proved so effective that many copycat groups emerged, and now MageCart is used as a general term for this entire class of attacks.
How Steganography Is Used in Web Skimming
Steganography involves hiding information within another format (for example, text within images, images within videos, and so on). In recent years, the most common form of steganographic attacks has been hiding malicious payloads inside image files, usually in PNG or JPG formats. Web skimmer operators have also adopted this trend, concealing their malicious code in site logos, product images, or the favicon of compromised resources.
Now, Sanguine Security experts report that in new attacks, the malicious code is hidden not in PNG or JPG files, but in SVG files. This is likely because security solutions have recently become better at detecting skimmers in standard images.
Why SVG Files?
Theoretically, it should be easier to detect malicious code in vector images. However, researchers note that attackers are clever and have designed their payloads with these nuances in mind.
"The malicious payload takes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is hidden using syntax that resembles legitimate use of the <svg> element," the experts' report states.
Real-World Attacks and Impact
According to the experts, hackers were testing this technique as early as June, and by September it was found on active e-commerce sites. The malicious payloads were hidden inside buttons intended for sharing content on social media platforms such as Google, Facebook, Twitter, Instagram, YouTube, and Pinterest.
On infected stores, as soon as users navigated to the checkout page, a secondary component (called a decoder) would read the malicious code hidden inside the social media icons and then load a keylogger. This keylogger would capture and steal credit card information from the order payment form.
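A defender-side check for the technique described in the report quoted above and in the decoder paragraph (payload text stored inside an SVG <path> that is read back on the checkout page): the following is an added example, not code from Sanguine Security or from this article, that audits inline SVG markup for <path> elements whose contents fall outside the SVG path-data grammar. The sample HTML, the size threshold and the placeholder text are constructed for illustration.

```python
import re

# Characters the SVG path-data grammar actually uses: command letters,
# digits, sign, decimal point, exponent marker, separators and whitespace.
PATH_DATA_CHARS = set("MmZzLlHhVvCcSsQqTtAa0123456789+-.eE, \t\r\n")
# Legitimate share icons are short; a far longer d attribute deserves review
# (threshold is an assumption, tune it to your own icon set).
MAX_PATH_LEN = 2000

_PATH_RE = re.compile(r"<path\b([^>]*?)(?:/>|>(.*?)</path>)", re.S | re.I)
_D_RE = re.compile(r"""\bd\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.S | re.I)


def audit_svg_paths(html):
    """Return one finding per <path> whose contents do not look like path data."""
    findings = []
    for m in _PATH_RE.finditer(html):
        attrs, body = m.group(1), m.group(2) or ""
        d_match = _D_RE.search(attrs)
        d = (d_match.group(1) or d_match.group(2) or "") if d_match else ""
        reasons = []
        # Rule 1: any character that cannot appear in path data is a red flag.
        bad = sorted({c for c in d if c not in PATH_DATA_CHARS})
        if bad:
            reasons.append("non-path characters in d: " + "".join(bad))
        # Rule 2: icon paths are small; oversized d attributes hide content.
        if len(d) > MAX_PATH_LEN:
            reasons.append("oversized d attribute (%d chars)" % len(d))
        # Rule 3: <path> carries no text content in legitimate markup.
        if body.strip():
            reasons.append("text content inside <path>")
        if reasons:
            findings.append({"offset": m.start(), "reasons": reasons,
                             "preview": d[:40]})
    return findings


# Constructed sample: one ordinary share icon and one whose path data
# carries a non-path placeholder (standing in for a stored payload).
SAMPLE_HTML = """
<a class="share" href="#"><svg viewBox="0 0 24 24">
  <path d="M12 2a10 10 0 1 0 0 20A10 10 0 0 0 12 2z"/></svg></a>
<a class="share" href="#"><svg viewBox="0 0 24 24">
  <path d="M5 3 L19 3 {PLACEHOLDER_NOT_PATH_DATA;} Z"/></svg></a>
"""

if __name__ == "__main__":
    for f in audit_svg_paths(SAMPLE_HTML):
        print("offset %d: %s | %r" % (f["offset"], "; ".join(f["reasons"]), f["preview"]))
```

Run it against saved copies of the storefront's checkout and product pages; a hit on a share button that has not changed in your own deployment history is the point at which to pull the page for manual review.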
Conclusion
This new method of hiding web skimmers in SVG files within social media share buttons demonstrates the evolving tactics of cybercriminals and the need for ongoing vigilance and updated security measures for e-commerce sites.