Magecart Now Stores Stolen Credit Card Data in Images
Magecart groups, known for stealing payment information from online store customers, continue to refine their data extraction and evasion techniques. Now, cybercriminals are hiding stolen credit card data within image files.
The term “Magecart” is used by the cybersecurity community to describe several groups that operate using web skimmers. Since 2010, experts have tracked about a dozen such groups.
As previously noted by specialists from RiskIQ and FlashPoint, some of these groups operate more professionally. For example, a team known as Group 4 uses highly advanced methods for stealing and storing data.
Victims of these cybercriminals have included major and recognizable brands such as British Airways, Newegg, Ticketmaster, MyPillow, Amerisleep, and Feedify.
Cybersecurity researchers have repeatedly discovered dozens of skimming scripts used by Magecart groups to steal credit card data. The Sucuri team highlighted an interesting tactic: attackers “embed” users’ card information into image files stored on their servers.
This trick helps conceal the theft from security researchers and avoid detection in general. Later, the criminals can download all the hidden data using simple GET requests. During their analysis, Sucuri specialists found several such images.
Initially, experts noticed base64-encoded data. After decoding it, they found CVV numbers, expiration dates, and other credit card details. The researchers also pointed out the use of obfuscation techniques. Example:
[Example of obfuscated data or code, as referenced in the original article.]
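For defenders auditing a store's web root, the check below flags image files that carry extra data of the kind described above. It is an added example, not code from Sucuri or the original article. It assumes the data sits after the image's end marker, which the article does not specify, and all function names and sample bytes are constructed for illustration.

```python
import base64
import re

JPEG_EOI = b"\xff\xd9"
PNG_IEND = b"IEND\xaeB`\x82"          # IEND chunk type plus its fixed CRC
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
PAN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # card-number-length digit run


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def trailing_data(blob: bytes) -> bytes:
    """Bytes that follow the image's end marker (the assumed hiding place)."""
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        marker = PNG_IEND
    elif blob.startswith(b"\xff\xd8"):
        marker = JPEG_EOI
    else:
        return b""
    end = blob.rfind(marker)
    return blob[end + len(marker):] if end != -1 else b""


def scan_image(blob: bytes) -> list[str]:
    """Return findings for one image file's raw contents."""
    tail = trailing_data(blob).strip()
    if not tail:
        return []
    findings = [f"{len(tail)} bytes after end-of-image marker"]
    for run in B64_RUN.findall(tail):
        run = run.rstrip(b"=")
        run += b"=" * (-len(run) % 4)   # normalise padding before strict decode
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if any(luhn_ok(m) for m in PAN.findall(decoded)):
            findings.append("base64 run decodes to a Luhn-valid card-like number")
    return findings


# Constructed samples: a stub JPEG, then the same stub with a test card number appended.
SAMPLE_CLEAN = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI
SAMPLE_TAINTED = SAMPLE_CLEAN + base64.b64encode(b"4111111111111111|12/29|123")
```

Run `scan_image` over the bytes of every image under the web root. Any non-empty result on a file the site did not intentionally modify is worth investigating alongside recent file-change times.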