Magento Malware Uses Steganography to Steal Payment Card Data

Malware hides credit card data inside image files. Hackers are collecting payment card data from Magento stores, hiding the stolen data inside JPG images, which they’re downloading from infected stores without raising any suspicions.

During the past year, attackers have shifted their gaze towards online e-commerce platforms, where they found a fertile ground for collecting payment card data, which in most cases, they later sell on underground hacking and carding forums.

With over 5,700 websites currently infected with malware, and over 100 of those infected with the recently discovered MageCart malware, hacking e-commerce sites has become a common occurrence in recent months.

Magento malware turns to steganography

Sucuri, a US-based web security firm, says that a week doesn’t go by without one of their researchers discovering a new payment-card-stealing malware.

Detailing the most recent malware they found, the company says they’ve come across a variant that employs steganography to exfiltrate stolen data.

Steganography is the technique of hiding text data inside an image file’s raw contents. Among hacking groups, the technique is not very common because it’s incredibly difficult to introduce text into an image file without corrupting the actual image.

A security researcher opening the file would easily detect something strange and check the image inside a text editor. Because of this, very few attackers employ this tactic.

Malware infection occurs in Cc.php file

Sucuri says it came across a Magento store that had been compromised by attackers, who modified a core CMS file, Cc.php, tasked with handling credit card data.

The attackers added extra code to this file which recorded the payment card details users entered in the checkout form and saved it at the end of a local image.

What was strange about this case is that attackers managed to cram a large number of payment card details inside the image without altering its content.

While attackers who deploy steganography choose to alter simple images in order to avoid corrupting the data, in this case the hackers modified a high-resolution file, which in most cases would have been very easy to corrupt.

Image looked like any other product photo

“The most interesting fact is that this image was related to products sold on the victim website,” Sucuri’s Ben Martin explains. “Most website owners would be none the wiser if they came across this image and opened it to make sure it worked.”

At this point, the attacker only had to access this image, download it, and extract the data found at the end of the JPG file.

Had the website owner inspected the site’s logs for suspicious activity, he would have seen “another” site visitor download “another” image, which for some stores happens thousands of times per hour.
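Because the stolen records sit after the end of the real image, a store owner does not have to rely on access logs to spot this kind of tampering: every image on the server can be checked for bytes that follow the JPEG End-Of-Image marker. The script below is an added example, not Sucuri’s tooling or anything from the article; the JPEG skeleton and the card record it tests against are constructed.

```python
# Added example (not Sucuri's tooling): flag JPEGs that carry data appended after
# the End-Of-Image marker. It walks the segment structure, so an 0xFFD9 byte pair
# inside the appended payload is never mistaken for the real EOI.
import string

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn carry no length field

def jpeg_image_end(data: bytes) -> int:
    """Return the offset just past the EOI marker of the real image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:        # fill byte between segments
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == SOI or marker in STANDALONE:
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length covers itself
        if marker == SOS:         # skip entropy-coded data: FF is only stuffed or RSTn
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in range(0xD0, 0xD8):
                    break         # a real marker: EOI or the next segment
                pos += 1
    raise ValueError("no EOI marker found")

def appended_payload(data: bytes) -> bytes:
    """Bytes after the image's EOI; empty for a clean file."""
    return data[jpeg_image_end(data):]

def looks_like_text(blob: bytes, threshold: float = 0.9) -> bool:
    """Card records are text; trailing bytes that read as text are the red flag."""
    printable = set(string.printable.encode())
    return bool(blob) and sum(b in printable for b in blob) / len(blob) >= threshold

# Constructed sample: a structurally valid JPEG skeleton (not a viewable image) with
# stuffed FF00 bytes and an RST marker in the scan, plus a fake appended record.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
FAKE_RECORD = b"CONSTRUCTED|4111111111111111|12/29|123|Jane Test\n"  # not real card data
INFECTED_JPEG = CLEAN_JPEG + FAKE_RECORD
# appended_payload(CLEAN_JPEG) == b""; appended_payload(INFECTED_JPEG) == FAKE_RECORD
```

Some cameras and editors legitimately leave a few trailing bytes, so treat a non-empty tail as a lead and the text-likeness check as the stronger signal, and compare suspect files against a known-good copy of the product image.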

Magento hackers have used steganography before. This past winter, they used the same technique to exfiltrate payment card details from sites they had infected, while tricking admins into thinking they were running up-to-date versions.

Image that contained the stolen credit card details