Magecart now stores stolen bank card details in images

Tomcat


Magecart groups that specialize in stealing payment information from online retailers keep refining their data exfiltration and detection evasion techniques. The latest trick: the criminals hide stolen bank card details inside image files.

The cybercriminals grouped by the information security community under the umbrella term Magecart operate using web skimmers. Since 2010, experts have tracked about a dozen such groups.

As specialists from RiskIQ and FlashPoint noted earlier, some groups operate more professionally than others. The team dubbed Group 4, for example, uses highly sophisticated methods of stealing and storing data.

Among the victims of these cybercriminals were the British airline British Airways and other large, recognizable brands: Newegg, Ticketmaster, MyPillow, Amerisleep and Feedify.

Security researchers have repeatedly found dozens of skimming scripts used by Magecart groups to steal bank card data. The Sucuri team separately noted an interesting tactic: the attackers "stuff" the harvested card data into image files stored on their own servers.

This trick hides the fact of the theft from analysts and, more generally, avoids drawing unnecessary attention. The criminals can later retrieve all of the hidden data with plain GET requests. Sucuri found several such images during its analysis.

At first, the experts noticed base64-encoded data in the images; once decoded, it turned out to be CVV numbers, expiration dates and other bank card details. The researchers also pointed out the use of obfuscation. Example:

[screenshot attached to the original post]
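A defender-side check for the tactic described above, added here as an example and not taken from Sucuri or the original post: a clean PNG ends exactly at its IEND chunk, so any bytes after it (here a constructed base64 blob with placeholder text) are a signal worth flagging and decoding during a server sweep.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 grey PNG, used here as constructed sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def tampered_sample() -> bytes:
    """Constructed sample: a real PNG with a base64 trailer of placeholder text (not real card data)."""
    return minimal_png() + base64.b64encode(b"CONSTRUCTED SAMPLE: card=XXXX exp=XX/XX cvv=XXX")


def png_trailing_data(blob: bytes) -> bytes:
    """Walk the chunk list and return whatever follows the IEND chunk."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 8-byte header + data + 4-byte CRC
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def inspect_png(blob: bytes) -> dict:
    """Flag a PNG with data after IEND and try to base64-decode that trailer."""
    tail = png_trailing_data(blob).strip()
    report = {"suspicious": bool(tail), "trailer_bytes": len(tail), "decoded": None}
    if tail:
        try:
            report["decoded"] = base64.b64decode(tail, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; trailer is not base64
            pass
    return report


if __name__ == "__main__":
    print(inspect_png(minimal_png()))
    print(inspect_png(tampered_sample()))
```

Run it over every image under the web root (not only PNG; JPEG has an analogous end marker) and alert on any file whose trailer is non-empty, whether or not it decodes.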