Before you use an ATM or a gas pump, do you inspect the unit, looking for ill-fitting seams or something that is out of place? Do you tug on the panels covering the portion where the card is inserted, to see if it is loose or removable? For some time, criminals have been installing credit card skimmers on credit card processing terminals. When an unsuspecting customer pays for their gas or grabs some money from a cash machine, the transaction goes through as normal, and the skimmer reads and saves the information from the credit card’s magnetic stripe (there are also devices designed to work on the modern, chip-embedded credit/debit cards).
As more and more people are doing their shopping online, cybercriminals are trading in their physical credit card skimmers for digital ones. According to ZDNet, researchers from the Dutch-based security firm Sanguine Security (Sansec) have discovered malware that can steal credit card information from payment forms on infected digital storefronts.
Like its physical counterparts, the malware hides in plain sight. In this case, the malware leverages steganography — a trojan horse-like method of sneaking a file, message, image, or video within another file, message, image, or video — to hide malicious code in the buttons used to share pages on social media. When a customer enters their information into an infected site, the malware records and transmits each keystroke to the attackers, thus providing cybercriminals with all the credit card information they need.
The very architecture of the malware makes it difficult to detect. The malware is made up of two components: one to conceal the payload, and one to decode, interpret, and execute the payload. This method is particularly effective, as it can bypass malware scanning solutions. Sansec reported that this malware was especially difficult to detect since attackers did such a good job of making it appear benign. “The payload was concealed utilizing syntax that strongly resembles correct use of the svg element,” said the Sansec report. “To complete the illusion of the image being benign, the malware’s creator has named it after a trusted social media company.” Sansec also noted that the malware is hard to detect because the decoder and the payload don’t need to be injected into the same location for the malware to work.
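The two-part design described above suggests a simple defensive check: validate what sits inside inline share-button SVGs and look for a separate script that reads them back. The scanner below is an added example, not code from the article or from Sansec; the sample page, its `share-twitter`/`share-facebook` ids, the placeholder blob and the decoder snippet are all constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser
# Path data ("d") legitimately holds only commands, numbers and separators.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9eE.,+\-\s]*$")
# A long unbroken run of base64-alphabet characters is out of place in a share icon.
ENCODED_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")
# Idioms a separate decoder script would use to turn hidden text back into code.
DECODER_RE = re.compile(r"atob\s*\(|fromCharCode|new\s+Function\s*\(")
class SvgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth, self.in_script, self.svgs, self.scripts = 0, False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
            self.svgs.append({"id": dict(attrs).get("id") or "", "attrs": list(attrs)})
        elif self.depth:
            self.svgs[-1]["attrs"].extend(attrs)  # attributes of the svg's child elements
        self.in_script = tag == "script"
    def handle_endtag(self, tag):
        self.depth -= tag == "svg"
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan_page(html):
    """Return (svg_id, reason) findings for inline SVGs that look like carriers of hidden code."""
    p = SvgCollector()
    p.feed(html)
    findings = []
    for svg in p.svgs:
        sid = svg["id"] or "<no id>"
        for name, value in svg["attrs"]:
            if name == "d" and not PATH_DATA_RE.match(value or ""):
                findings.append((sid, "path data holds characters that are not path commands or numbers"))
            if ENCODED_RUN_RE.search(value or ""):
                findings.append((sid, f"long encoded run in attribute '{name}'"))
        # The decoder can sit in any script on the page; correlate it with the image by id.
        if svg["id"] and any(svg["id"] in s and DECODER_RE.search(s) for s in p.scripts):
            findings.append((sid, "a <script> references this svg and uses a decoding idiom"))
    return findings

# Constructed sample: a genuine share icon, then one whose path data carries an encoded blob (base64 of a harmless placeholder) and a separate script that would decode it.
BLOB = base64.b64encode(b"placeholder text standing in for hidden code").decode()
SAMPLE_HTML = f"""
<svg id="share-twitter" viewBox="0 0 24 24"><path d="M22 5.8a8.6 8.6 0 0 1-2.4.7 4.3 4.3 0 0 0 1.9-2.4"/></svg>
<svg id="share-facebook" viewBox="0 0 24 24"><path d="M0 0h24v24H0z {BLOB}"/></svg>
<script>var d = document.getElementById("share-facebook").querySelector("path").getAttribute("d"); var src = atob(d.split(" ")[1]);</script>
"""
```

Running `scan_page(SAMPLE_HTML)` flags only the second icon, on all three counts; a heuristic like this is a triage aid for a site owner's own pages, not a substitute for file-integrity monitoring of the storefront.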
This latest skimmer isn’t the first time researchers have found evidence of web-based card skimming. Magecart, a collection of several hacker groups that target web-based shopping cart systems, has been active since the mid-2010s and has been behind several major skimming operations of late, including attacks on Ticketmaster, British Airways, NewEgg, MyPillow.com, and more. But not all attacks employ the same tactics as the one that was recently discovered. Cybercriminals have also found success by compromising third-party solutions from VARs and systems integrators, in what is known as a supply chain attack.
As we all approach the holidays, and in a year where consumers have been literally forced onto digital platforms, cybercriminals will be very busy finding ways to earn their own illegal holiday bonuses. This year could prove extremely rewarding for them.