Credit Card Stealer Malware discovered in social media share buttons

December 10, 2020
credit card stealer malware magecart social media share button

Cybersecurity experts that have been monitoring Magecart credit card stealer adversaries have again shared their latest discovery of the current tactics of the umbrella threat actors. On their submitted report, adversaries can conceal their malicious codes on mimicry of share button of popular social media platform from compromised online business websites.

Since 2016 where the Magecart group has expanded their business of stealing financial information from victims through online payment, and the group always finds its way through time using different tactics to pursue their goal. Tactics ranging from exploiting websites, injecting codes on browser extensions, and even seeing vulnerabilities to cloud services and platform security via a whitelisted or authorized list of software and sites of the victim’s company, and even a few instances of baiting site administrators to steal their credentials and fully compromise not only the website but also the entire network of the victim. These have contributed to many successful intrusion and identity theft that have been noticeably growing based on the statistics.


The attack method of the credit card stealer malware

The Magecart group can hide their malicious code through share buttons of social media such as Facebook, Instagram, Twitter, etc. that have been visibly on most online shopping sites. The code has been stealthily placed by the adversary by compromising the shopping website through root admin privileges and injecting the malicious code to the social media button in the source code via HTML bearing the file name of the social media of the website. In this manner, the security scanner will treat it as legitimate and will not trigger any threat alarm. The in-depth analysis confirmed that the operation to be successful needs to load two parts of an arsenal of malicious code after the site has been compromised. The arsenal consists of the payloader and the decoder, in which the latter executes first to run the payloader that will perform the actor’s activity to capture and steal the financial record of the victim upon opening the checkout page wherein the customer need to input their payment information of the online shop.

The recent tactic was already observed by experts since June and from then have been monitoring it for further activities to confirm the true modus of the operation. It is only then on the recent scanning they have confirmed that to fully execute the procedure, the 2-arsenal code is needed to be present as only one will just make it useless. As concluded, the early sightings of the single malicious code may have only been a process of testing from the adversary for this new scheming they are preparing. Fortunately, this has been discovered, and the report was immediately publicized so e-store could plan end execute mitigation solution as online shopping will be busy these coming holidays.

About the author

Leave a Reply