May 26, 2022

According to Microsoft researchers, threat actors are using advanced techniques to hide their info-stealing code while simultaneously siphoning off credit cards information.

The attackers now disguise their code snippets, inject them into image files and disguise them as popular web applications to avoid detection.

Payment card skimming is a web-based attack in which hackers inject malicious JavaScript code into e-commerce websites by exploiting a vulnerability or poor security practices.

Microsoft’s researchers identified an increase in the use of three evasion methods which include inserting the scripts in images, string concatenation and script spoofing.

By injecting the scripts in images, malicious files disguised as favicons are uploaded to the target server. Their contents include a PHP script with a base64-encoded JavaScript. The script runs to identify the checkout page, performs a check to exclude the administrator, and then submits a fake form to legitimate site visitors.

Script spoofing involves attackers masquerading as Google Analytics or Meta Pixel (Facebook Pixel). Threat actors inject base64-encoded strings inside a fake Google Tag Manager code and trick admins into skipping the inspection, which is possible because admins believe it is part of the site’s default code.

The sources for this piece include an article in BleepingComputer.