
Cybersecurity researchers have flagged a credit card-stealing malware campaign that targets e-commerce sites running Magento and stays under the radar by disguising malicious content within image tags in HTML code.
Magecart is the name given to malware that steals sensitive payment information from online shopping sites. These attacks are known to employ a wide range of techniques, on both the client and server side, to compromise websites and deploy credit card skimmers that carry out the theft.
Typically, such malware is triggered or loaded only when a user visits the checkout page and enters credit card details.
The term Magecart refers to the original targets of these cybercrime groups: the Magento platform, which provides checkout and shopping cart capabilities for online retailers. Over the years, such campaigns have adapted their tactics, hiding malicious code through encoding and obfuscation within seemingly harmless sources such as fake images, audio files, favicons, and even 404 error pages.

“In this case, the malware affecting clients follows the same goal: it remains hidden,” said Sucuri researcher Kayleigh Martin. “This is done by disguising malicious content inside image tags, making it easier to overlook.”
“It's common for image tags to contain long strings, especially when referring to image file paths or Base64-encoded images, or additional attributes such as height or width.”
The difference in this case is that the tag acts as a decoy containing Base64-encoded content that points to JavaScript code activated when an onerror event fires. This makes the attack even more insidious, because the browser essentially trusts the onerror feature.
“If an image fails to load, the onerror function is triggered and the browser displays a broken image icon instead,” says Martin. “However, in this case, the onerror event is hijacked to run JavaScript in addition to handling errors.”
The attack offers threat actors a further benefit, since HTML image elements are generally considered harmless. The malware checks whether the user is on the checkout page, waits for the unsuspecting user to click the submit button, and then siphons the payment information they entered to an external server.
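The onerror decoy described above can be caught on the defender's side by auditing a page's image tags rather than trusting them. The following is an added example (not Sucuri's tooling or code from the article): it parses HTML, flags any `<img>` whose onerror handler calls a decode or execution primitive, decodes Base64 literals passed to `atob()`, and notes when the decoded payload references the checkout page. The sample page, the inert placeholder payload and the `audit_html` helper are all constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Calls a genuine image-fallback handler has no reason to make.
EXEC_MARKERS = ("eval(", "atob(", "Function(", "fromCharCode", "document.write")
# Base64 literal passed straight to atob(), e.g. atob('SGVsbG8=')
B64_IN_ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

class ImgTagAuditor(HTMLParser):
    """Record every <img> tag whose onerror handler looks like a skimmer decoy."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        handler = a.get("onerror", "")
        if not handler:
            return  # an ordinary image tag: nothing to report
        reasons = ["onerror handler present"]
        if any(m in handler for m in EXEC_MARKERS):
            reasons.append("handler calls a decode/exec primitive")
        decoded = ""
        for blob in B64_IN_ATOB.findall(handler):
            try:
                decoded += base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # not real Base64; leave it for manual review
                continue
        if "checkout" in decoded.lower():
            reasons.append("decoded payload references the checkout page")
        self.findings.append({"src": a.get("src", "")[:40], "reasons": reasons, "decoded": decoded})

def audit_html(html):
    """Return one finding per <img> tag carrying an onerror handler."""
    parser = ImgTagAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample page: a benign logo plus a decoy tag carrying an inert placeholder payload.
INERT_JS = "/* constructed inert placeholder */ if (location.pathname.indexOf('checkout') > -1) {}"
PAYLOAD_B64 = base64.b64encode(INERT_JS.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<img src="/media/logo.png" width="120" height="40" alt="logo">
<img src="data:image/png;base64,AAAA" onerror="eval(atob('{PAYLOAD_B64}'))">
</body></html>"""
```

Run `audit_html` over a rendered checkout page's HTML (or a stored copy of the theme templates) and review every finding with more than one reason; a plain `onerror` that only hides a broken image is common and benign.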

The script dynamically inserts a malicious form with three fields (card number, expiration date and CVV) and exfiltrates the entered data to welfare[.]com.
“Attackers achieve two impressive goals with this malicious script: avoiding simple detection by security scanners, by encoding the malicious script inside image tags, and ensuring that end users notice no unusual changes when the malicious form is inserted.
“The goal of attackers targeting platforms such as Magento, WooCommerce and PrestaShop is to remain as undetectable as possible, and the malware injected into a site is more complicated than the malware affecting other sites.”

The development follows the website security company's account of incidents in which WordPress sites' mu-plugins (must-use, or required, plugins) directory was leveraged to embed backdoors and stealthily execute malicious PHP code.
“Unlike regular plugins, required plugins are automatically loaded on every page load without requiring activation or appearing in the standard plugin list,” said Puja Srivastava.
“Attackers will leverage this directory to maintain persistence and avoid detection because files placed here are automatically executed and are not easily disabled from the WordPress admin panel.”