Crooks hide e-skimmer code in favicon EXIF Metadata

Posted on Jun 28, 2020


While investigating a Magecart attack, Malwarebytes experts found e-skimmer code hidden in the EXIF metadata of an image file that was surreptitiously loaded by compromised online stores. The malicious script detected by the researchers was loaded from an e-store running the WooCommerce plugin for WordPress.

Such scripts allow threat actors to steal credit card data and other sensitive information that users enter on compromised e-commerce websites and then send the collected information to the attackers. The attack stands out because the attackers use images to exfiltrate stolen credit card data. Experts noticed that the script would load a favicon file that is identical to the one used by the compromised website.

The attackers loaded the e-skimmer from the ‘Copyright’ field in the metadata of this image.
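A defender can check image assets for this pattern by reading the EXIF ‘Copyright’ tag and flagging values that look like script rather than a copyright notice. The following is an added example, not code from the Malwarebytes report: it assumes the image is a JPEG carrying a standard EXIF APP1 segment, and the function names, the marker list, the 256-byte limit and the sample images are constructed for illustration.

```python
import re
import struct

COPYRIGHT_TAG = 0x8298  # TIFF/EXIF "Copyright" tag, stored in IFD0
# Heuristics (this marker list and the 256-byte limit below) are assumptions to tune per site
SCRIPT_HINTS = re.compile(rb"<script|eval\s*\(|atob\s*\(|fromCharCode|document\.", re.I)

def exif_copyright(jpeg: bytes):
    """Return the raw EXIF Copyright value of a JPEG, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":  # not a JPEG (SOI marker missing)
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return _ifd0_ascii(body[6:], COPYRIGHT_TAG)
        if marker == 0xDA:  # start of scan: no metadata segments after this
            break
        pos += 2 + seglen
    return None

def _ifd0_ascii(tiff: bytes, wanted: int):
    """Walk IFD0 of a TIFF block and return the ASCII value of one tag."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"  # byte order of the TIFF block
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2].ljust(2, b"\x00"))[0]
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:  # truncated directory
            break
        tag, typ, n, off = struct.unpack(e + "HHII", entry)
        if tag == wanted and typ == 2:  # type 2 = ASCII string
            raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
            return raw.rstrip(b"\x00")
    return None

def is_suspicious(jpeg: bytes) -> bool:
    value = exif_copyright(jpeg)
    return bool(value) and (len(value) > 256 or bool(SCRIPT_HINTS.search(value)))

def build_sample(text: bytes) -> bytes:
    """Constructed test image: SOI, one EXIF segment with a Copyright tag, EOI."""
    val = text + b"\x00"
    ifd = struct.pack(">HHHII", 1, COPYRIGHT_TAG, 2, len(val), 26) + b"\x00" * 4
    body = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + ifd + val
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

Running `is_suspicious` over every image a storefront serves or references, including favicons fetched from third-party hosts, gives a cheap signal to review alongside file-integrity monitoring.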

Source: securityaffairs.co