Experts have identified a new technique in which threat actors obfuscate the malware script inside comment blocks and steal credit card details by encoding them in an image file, which is then uploaded to an external site.

“MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market.” reads the blog post.

One trick used by the threat actor is to deposit the credit cards stolen via various techniques into an image file stored on the external server, which is later downloaded by issuing a simple GET request for the file.

Source: Sucuri

Apart from that, the researchers also observed that the image file was populated with base64 data which, when decoded, contained data such as credit card number, CVV, expiration dates, etc.

“The attackers are using what’s called “concatenation” here, which is a very common obfuscation technique that we see a lot. Normally it looks something like this:”

Source: Sucuri

The major advantage of this technique is that the threat actors can simply download the stolen credit card details from the server with a GET request instead of accessing the compromised MageCart site every time. In the worst-case scenario for them, the compromised site is recovered or its access password is reset by the site owner, and they lose access to it.
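A site owner can hunt for this kind of stash by inspecting the content of files that carry an image extension. The Python sketch below is an added example, not code from Sucuri or from the original post; the function names, the minimum run length and the sample records (public test card numbers) are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Leading bytes of JPEG, PNG, GIF and RIFF (WebP) files.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")   # assumed minimum run length
PAN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")         # card-number-length digit runs


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_image_bytes(data: bytes) -> dict:
    """Inspect the content of a file that carries an image extension."""
    # A forged header defeats the magic check alone, so base64 runs are decoded too.
    findings = {"bad_magic": not data.startswith(IMAGE_MAGIC), "card_like": 0}
    for run in B64_RUN.findall(data):
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            continue
        findings["card_like"] += sum(luhn_ok(m) for m in PAN.findall(decoded))
    return findings


def constructed_sample() -> bytes:
    """Constructed stand-in for a stash file: one base64 record per line."""
    records = [b"4111111111111111|123|12/25", b"5555555555554444|456|01/26"]
    return b"\n".join(base64.b64encode(r) for r in records) + b"\n"


if __name__ == "__main__":
    print(scan_image_bytes(constructed_sample()))
```

Run `scan_image_bytes` over every `.jpg`, `.png` and `.gif` under the web root and review any file that reports `bad_magic` or a non-zero `card_like` count.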

“MageCart is an ever growing threat to e-commerce websites. From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn’t they? Literal fortunes are made stealing and selling stolen credit cards on the black market.” concludes the blog.
