{
	"id": "8244d26f-9feb-474e-a0b0-d476386c74b6",
	"created_at": "2026-04-06T00:13:27.025621Z",
	"updated_at": "2026-04-10T03:24:11.682859Z",
	"deleted_at": null,
	"sha1_hash": "5d588e4f8a7cf4710325233b4dc129bd5c975811",
	"title": "Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1640910,
	"plain_text": "Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2020-06-24 · Archived: 2026-04-05 20:07:25 UTC\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nThe abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer.\r\nThe presence of an eval is a sign that code is meant to be executed. We can also see that the malware authors have obfuscated it. An archive of this script can be found here.\r\nSkimmer exfiltrates data as an image\r\nThe initial malicious JavaScript (Figure 2) loads the skimming portion of the code from the favicon.ico (Figure 3) using an <img> tag, and specifically via the onerror event.\r\nAs with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their name, billing address and credit card details. It encodes those using Base64 and then reverses that string.\r\nIt comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen below:\r\nThe threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file.\r\nSkimmer toolkit found in the open\r\nWe were able to get a copy of the skimmer toolkit’s source code, which was zipped and exposed in the open directory of a compromised site. The gate.php file (also included in the zip) contains the skimmer’s entire logic, while other files are used as supporting libraries.\r\nThis shows us how the favicon.ico file is crafted with the injected JavaScript inside of the Copyright field. 
There\r\nare some other interesting artifacts as well, such as the Cache HTTP header and Created date for the image.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 59 of 103\n\nThe JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library, in line with\r\nwhat we saw on the client-side.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 60 of 103\n\nConnections to other skimmers, Magecart group 9\r\nBased on open source intelligence, we can find more details on how this skimmer may have evolved. An earlier\r\nversion of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some obfuscation found in\r\nthe more recent case we found, but the same core features, such as loading JavaScript via the Copyright field\r\n(metadata of an image file), exist.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 61 of 103\n\nWe also can connect this threat actor to another skimming script based on the registrant’s email\r\n(rotrnberg.s4715@gmail[.]com) for cddn[.]site. Two domains (cxizi[.]net and yzxi[.]net) share the same skimmer\r\ncode which looks much more elaborate and does not appear to have much in common with the other two\r\nJavaScript pieces (archive here).\r\nWhile debugging it, we can spot the string ‘ars’ within a URL path. That same string was seen being used in the\r\nfirst skimmer (see Figure), although it might very well just be a coincidence.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 62 of 103\n\nThe data exfiltration is quite different too. 
While the content-type is an image again, this time we see a GET\r\nrequest where the stolen data is Base64 encoded only, and passed as a URL parameter instead.\r\nFinally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a\r\ndomain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same\r\nregistrar, and was registered within a week of magerates[.]com.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 63 of 103\n\nMagerates[.]com is registered under newserf@mail.ru, which also has other skimmer domains, and in particular\r\nseveral used via another clever evasion technique in the form of WebSockets. This type of skimmer was tied to\r\nMagecart Group 9, originally disclosed by Yonathan Klijnsma .\r\nTracking digital skimmers is not an easy task these days, as there are many threat actors and countless variations\r\nof skimming scripts based off toolkits or that are completely custom.\r\nWe continue to track and report skimmers in an effort to protect online shoppers from this campaign and dozens of\r\nothers.\r\nIndicators of Compromise\r\nEXIF skimmers\r\ncddn[.]site\r\nmagentorates[.]com\r\npixasbay[.]com\r\nlebs[.]site\r\nbestcdnforbusiness[.]com\r\napilivechat[.]com\r\nundecoveria[.]com\r\nwosus[.]site\r\nOlder EXIF skimmer\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 64 of 103\n\njqueryanalise[.]xyz\r\njquery-analitycs[.]com\r\nSkimmer #3\r\nxciy[.]net\r\nyxxi[.]net\r\ncxizi[.]net\r\nyzxi[.]net\r\nOther skimmers\r\nsonol[.]site\r\nwebtrans[.]site\r\nkoinweb[.]site\r\nxoet[.]site\r\nads-fbstatistic[.]com\r\nbizrateservices[.]com\r\ntowbarchat[.]com\r\nteamsystems[.]info\r\nj-queries[.]com\r\nRegistrant 
emails\r\nanya.barber56@gmail[.]com\r\nsmithlatrice100@yahoo[.]com\r\nrotrnberg.s4715@gmail[.]com\r\nnewserf@mail[.]ru\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 65 of 103\n\nHowever, nothing else so far from this code indicates any kind of web skimming activity. All we have is\r\nJavaScript that loads a remote favicon file and appears to parse some data as well.\r\nThis is where things get interesting. We can see a field called ‘Copyright’ from which data is getting loaded.\r\nAttackers are using the Copyright metadata field of this image to load their web skimmer. Using an EXIF viewer,\r\nwe can now see JavaScript code has been injected:\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 66 of 103\n\nThe abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a\r\ncredit card skimmer.\r\nThe presence of an eval is a sign that code is meant to be executed. We can also see that the malware authors have\r\nobfuscated it. An archive of this script can be found here.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 67 of 103\n\nSkimmer exfiltrates data as an image\r\nThe initial malicious JavaScript (Figure 2) loads the skimming portion of the code from the favicon.ico (Figure 3)\r\nusing an tag, and specifically via the onerror event.\r\nAs with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their\r\nname, billing address and credit card details. 
It encodes those using Base64 and then reverses that string.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 68 of 103\n\nIt comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen below:\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 69 of 103\n\nThe threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the\r\nfavicon.ico file.\r\nSkimmer toolkit found in the open\r\nWe were able to get a copy of the skimmer toolkit’s source code which was zipped and exposed in the open\r\ndirectory of a compromised site. The gate.php file (also included in the zip) contains the skimmer’s entire logic,\r\nwhile other files are used as supporting libraries.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 70 of 103\n\nThis shows us how the favicon.ico file is crafted with the injected JavaScript inside of the Copyright field. There\r\nare some other interesting artifacts as well, such as the Cache HTTP header and Created date for the image.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 71 of 103\n\nThe JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library, in line with\r\nwhat we saw on the client-side.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 72 of 103\n\nConnections to other skimmers, Magecart group 9\r\nBased on open source intelligence, we can find more details on how this skimmer may have evolved. 
An earlier\r\nversion of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some obfuscation found in\r\nthe more recent case we found, but the same core features, such as loading JavaScript via the Copyright field\r\n(metadata of an image file), exist.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 73 of 103\n\nWe also can connect this threat actor to another skimming script based on the registrant’s email\r\n(rotrnberg.s4715@gmail[.]com) for cddn[.]site. Two domains (cxizi[.]net and yzxi[.]net) share the same skimmer\r\ncode which looks much more elaborate and does not appear to have much in common with the other two\r\nJavaScript pieces (archive here).\r\nWhile debugging it, we can spot the string ‘ars’ within a URL path. That same string was seen being used in the\r\nfirst skimmer (see Figure), although it might very well just be a coincidence.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 74 of 103\n\nThe data exfiltration is quite different too. While the content-type is an image again, this time we see a GET\r\nrequest where the stolen data is Base64 encoded only, and passed as a URL parameter instead.\r\nFinally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a\r\ndomain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same\r\nregistrar, and was registered within a week of magerates[.]com.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 75 of 103\n\nMagerates[.]com is registered under newserf@mail.ru, which also has other skimmer domains, and in particular\r\nseveral used via another clever evasion technique in the form of WebSockets. 
This type of skimmer was tied to\r\nMagecart Group 9, originally disclosed by Yonathan Klijnsma .\r\nTracking digital skimmers is not an easy task these days, as there are many threat actors and countless variations\r\nof skimming scripts based off toolkits or that are completely custom.\r\nWe continue to track and report skimmers in an effort to protect online shoppers from this campaign and dozens of\r\nothers.\r\nIndicators of Compromise\r\nEXIF skimmers\r\ncddn[.]site\r\nmagentorates[.]com\r\npixasbay[.]com\r\nlebs[.]site\r\nbestcdnforbusiness[.]com\r\napilivechat[.]com\r\nundecoveria[.]com\r\nwosus[.]site\r\nOlder EXIF skimmer\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 76 of 103\n\njqueryanalise[.]xyz\r\njquery-analitycs[.]com\r\nSkimmer #3\r\nxciy[.]net\r\nyxxi[.]net\r\ncxizi[.]net\r\nyzxi[.]net\r\nOther skimmers\r\nsonol[.]site\r\nwebtrans[.]site\r\nkoinweb[.]site\r\nxoet[.]site\r\nads-fbstatistic[.]com\r\nbizrateservices[.]com\r\ntowbarchat[.]com\r\nteamsystems[.]info\r\nj-queries[.]com\r\nRegistrant emails\r\nanya.barber56@gmail[.]com\r\nsmithlatrice100@yahoo[.]com\r\nrotrnberg.s4715@gmail[.]com\r\nnewserf@mail[.]ru\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 77 of 103\n\nMalwarebytes was already blocking a malicious domain called cddn[.]site that was triggered upon visiting this\r\nmerchant’s website. Upon closer inspection we found that extraneous code had been appended to a legitimate\r\nscript hosted by the merchant.\r\nThe offending code loads a favicon file from cddn[.]site/favicon.ico which turns out to be the same favicon used\r\nby the compromised store (a logo of their brand). 
This is an artifact of skimming code that’s been observed\r\npublicly and that we refer to as Google loop.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 78 of 103\n\nHowever, nothing else so far from this code indicates any kind of web skimming activity. All we have is\r\nJavaScript that loads a remote favicon file and appears to parse some data as well.\r\nThis is where things get interesting. We can see a field called ‘Copyright’ from which data is getting loaded.\r\nAttackers are using the Copyright metadata field of this image to load their web skimmer. Using an EXIF viewer,\r\nwe can now see JavaScript code has been injected:\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 79 of 103\n\nThe abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a\r\ncredit card skimmer.\r\nThe presence of an eval is a sign that code is meant to be executed. We can also see that the malware authors have\r\nobfuscated it. An archive of this script can be found here.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 80 of 103\n\nSkimmer exfiltrates data as an image\r\nThe initial malicious JavaScript (Figure 2) loads the skimming portion of the code from the favicon.ico (Figure 3)\r\nusing an tag, and specifically via the onerror event.\r\nAs with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their\r\nname, billing address and credit card details. 
It encodes those using Base64 and then reverses that string.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 81 of 103\n\nIt comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen below:\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 82 of 103\n\nThe threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the\r\nfavicon.ico file.\r\nSkimmer toolkit found in the open\r\nWe were able to get a copy of the skimmer toolkit’s source code which was zipped and exposed in the open\r\ndirectory of a compromised site. The gate.php file (also included in the zip) contains the skimmer’s entire logic,\r\nwhile other files are used as supporting libraries.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 83 of 103\n\nThis shows us how the favicon.ico file is crafted with the injected JavaScript inside of the Copyright field. There\r\nare some other interesting artifacts as well, such as the Cache HTTP header and Created date for the image.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 84 of 103\n\nThe JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library, in line with\r\nwhat we saw on the client-side.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 85 of 103\n\nConnections to other skimmers, Magecart group 9\r\nBased on open source intelligence, we can find more details on how this skimmer may have evolved. 
An earlier\r\nversion of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some obfuscation found in\r\nthe more recent case we found, but the same core features, such as loading JavaScript via the Copyright field\r\n(metadata of an image file), exist.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 86 of 103\n\nWe also can connect this threat actor to another skimming script based on the registrant’s email\r\n(rotrnberg.s4715@gmail[.]com) for cddn[.]site. Two domains (cxizi[.]net and yzxi[.]net) share the same skimmer\r\ncode which looks much more elaborate and does not appear to have much in common with the other two\r\nJavaScript pieces (archive here).\r\nWhile debugging it, we can spot the string ‘ars’ within a URL path. That same string was seen being used in the\r\nfirst skimmer (see Figure), although it might very well just be a coincidence.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 87 of 103\n\nThe data exfiltration is quite different too. While the content-type is an image again, this time we see a GET\r\nrequest where the stolen data is Base64 encoded only, and passed as a URL parameter instead.\r\nFinally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a\r\ndomain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same\r\nregistrar, and was registered within a week of magerates[.]com.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 88 of 103\n\nMagerates[.]com is registered under newserf@mail.ru, which also has other skimmer domains, and in particular\r\nseveral used via another clever evasion technique in the form of WebSockets. 
This type of skimmer was tied to\r\nMagecart Group 9, originally disclosed by Yonathan Klijnsma .\r\nTracking digital skimmers is not an easy task these days, as there are many threat actors and countless variations\r\nof skimming scripts based off toolkits or that are completely custom.\r\nWe continue to track and report skimmers in an effort to protect online shoppers from this campaign and dozens of\r\nothers.\r\nIndicators of Compromise\r\nEXIF skimmers\r\ncddn[.]site\r\nmagentorates[.]com\r\npixasbay[.]com\r\nlebs[.]site\r\nbestcdnforbusiness[.]com\r\napilivechat[.]com\r\nundecoveria[.]com\r\nwosus[.]site\r\nOlder EXIF skimmer\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/\r\nPage 89 of 103\n\njqueryanalise[.]xyz\r\njquery-analitycs[.]com\r\nSkimmer #3\r\nxciy[.]net\r\nyxxi[.]net\r\ncxizi[.]net\r\nyzxi[.]net\r\nOther skimmers\r\nsonol[.]site\r\nwebtrans[.]site\r\nkoinweb[.]site\r\nxoet[.]site\r\nads-fbstatistic[.]com\r\nbizrateservices[.]com\r\ntowbarchat[.]com\r\nteamsystems[.]info\r\nj-queries[.]com\r\nRegistrant emails\r\nanya.barber56@gmail[.]com\r\nsmithlatrice100@yahoo[.]com\r\nrotrnberg.s4715@gmail[.]com\r\nnewserf@mail[.]ru\r\nThey say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet\r\nanother way to hide their credit card skimmer in order to evade detection.\r\nWhen we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had\r\ndescribed in a previous blog. However, it turned out to be different and even more devious.\r\nWe found skimming code hidden within the metadata of an image file (a form of steganography) and\r\nsurreptitiously loaded by compromised online stores. This scheme would not be complete without yet another\r\ninteresting variation to exfiltrate stolen credit card data. 
Once again, criminals used the disguise of an image file to collect their loot.

During this research, we came across the source code for this skimmer, which confirmed what we were seeing via client-side JavaScript. We also identified connections to other scripts based on various data points.

Skimmer hidden within EXIF metadata

The malicious code we detected was loaded from an online store running the WooCommerce plugin for WordPress. WooCommerce is increasingly being targeted by criminals, and for good reason, as it has a large market share.

Malwarebytes was already blocking a malicious domain called cddn[.]site that was triggered upon visiting this merchant's website. Upon closer inspection we found that extraneous code had been appended to a legitimate script hosted by the merchant.

The offending code loads a favicon file from cddn[.]site/favicon.ico, which turns out to be the same favicon used by the compromised store (a logo of their brand). This is an artifact of skimming code that has been observed publicly and that we refer to as Google loop.

However, nothing else so far in this code indicates any kind of web skimming activity. All we have is JavaScript that loads a remote favicon file and appears to parse some data as well.

This is where things get interesting. We can see a field called ‘Copyright’ from which data is getting loaded. Attackers are using the Copyright metadata field of this image to load their web skimmer.
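Reading that field programmatically is the quickest way to triage a suspect image without a GUI viewer. The Python below is an added example, not code from the post or from the Malwarebytes analysis: it walks the JPEG marker segments by hand, parses the Exif APP1 block down to the IFD0 Copyright tag (0x8298) and flags values containing JavaScript-looking tokens. It assumes the favicon is a JPEG carrying an Exif segment (the post shows EXIF data in the file but not its container; an ICO or PNG wrapper would need a different reader). The two sample images it builds, including the eval()-wrapped loader string, are constructed for the demo and are not the real favicon.

```python
import re
import struct

# Exif/TIFF constants used below.
COPYRIGHT_TAG = 0x8298          # IFD0 "Copyright"
TYPE_ASCII, TYPE_UNDEFINED = 2, 7
EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1


def iter_jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, keep scanning
            pos += 1
            continue
        if marker in (EOI, SOS):                # metadata segments are over
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_exif_copyright(data):
    """Return the IFD0 Copyright string from a JPEG's Exif APP1, or None."""
    for marker, payload in iter_jpeg_segments(data):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                      # TIFF header starts here
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 0x2A:
            raise ValueError("bad TIFF header in Exif segment")
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        n_entries = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(n_entries):
            entry = ifd0 + 2 + 12 * i
            tag, typ, count = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
            if tag != COPYRIGHT_TAG or typ not in (TYPE_ASCII, TYPE_UNDEFINED):
                continue
            if count <= 4:                      # short values are stored inline
                raw = tiff[entry + 8:entry + 8 + count]
            else:                               # otherwise the field is an offset
                offset = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
                raw = tiff[offset:offset + count]
            return raw.rstrip(b"\x00").decode("latin-1")
    return None


# Tokens that have no business in a copyright notice but are typical of a
# JavaScript loader. A triage heuristic, not a parser; extend as needed.
SCRIPT_MARKERS = re.compile(
    r"\beval\s*\(|\bfunction\s*\(|\bdocument\.|\bwindow\.|String\.fromCharCode|<script",
    re.IGNORECASE,
)


def classify_copyright(text):
    """'missing', 'suspicious' (looks like script) or 'benign'."""
    if text is None:
        return "missing"
    return "suspicious" if SCRIPT_MARKERS.search(text) else "benign"


def build_exif_jpeg(copyright_text):
    """Constructed sample: a minimal JPEG whose only Exif tag is Copyright,
    so the parser has offline input to run against."""
    value = copyright_text.encode("latin-1") + b"\x00"
    ifd0 = 8
    if len(value) <= 4:                         # inline value, padded to 4 bytes
        entry = struct.pack(">HHI", COPYRIGHT_TAG, TYPE_ASCII, len(value)) + value.ljust(4, b"\x00")
        tail = b""
    else:                                       # value stored after the IFD
        value_offset = ifd0 + 2 + 12 + 4        # count + one entry + next-IFD pointer
        entry = struct.pack(">HHII", COPYRIGHT_TAG, TYPE_ASCII, len(value), value_offset)
        tail = value
    tiff = (b"MM\x00\x2a" + struct.pack(">I", ifd0)
            + struct.pack(">H", 1) + entry + struct.pack(">I", 0) + tail)
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


# Constructed inputs: a normal notice, and a notice carrying an eval()-wrapped
# loader in the spirit of what the post describes (not the real payload).
BENIGN_FAVICON = build_exif_jpeg("Copyright 2020 Example Store")
MALICIOUS_FAVICON = build_exif_jpeg(
    "eval(function(p,a,c,k){return p}('var f=document.forms[0];',0,0,[]))")

if __name__ == "__main__":
    for name, img in (("benign", BENIGN_FAVICON), ("malicious", MALICIOUS_FAVICON)):
        text = extract_exif_copyright(img)
        print(name, classify_copyright(text), repr(text)[:60])
```

Run it over every image a checkout page loads (favicons included) and review anything that comes back suspicious; a copyright notice that contains eval( or document. is worth a look regardless of how the rest of the page behaves.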
Using an EXIF viewer, we can now see the JavaScript code that has been injected into that field.

The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer.

The presence of an eval is a sign that the code is meant to be executed. We can also see that the malware authors have obfuscated it. An archive of this script can be found here.

Skimmer exfiltrates data as an image

The initial malicious JavaScript (Figure 2) loads the skimming portion of the code from the favicon.ico (Figure 3) using an <img> tag, and specifically via the onerror event.

As with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their name, billing address and credit card details. It encodes those using Base64 and then reverses that string.

It comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen in the captured request below:

The threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file.

Skimmer toolkit found in the open

We were able to get a copy of the skimmer toolkit's source code, which was zipped and exposed in the open directory of a compromised site.
The gate.php file (also included in the zip) contains the skimmer's entire logic, while the other files are used as supporting libraries.

This shows us how the favicon.ico file is crafted with the injected JavaScript inside of the Copyright field. There are some other interesting artifacts as well, such as the Cache HTTP header and the Created date for the image.

The JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library, in line with what we saw on the client side.

Connections to other skimmers, Magecart Group 9

Based on open source intelligence, we can find more details on how this skimmer may have evolved. An earlier version of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some of the obfuscation found in the more recent case, but the same core features, such as loading JavaScript via the Copyright field (metadata of an image file), are present.

We can also connect this threat actor to another skimming script based on the registrant's email (rotrnberg.s4715@gmail[.]com) for cddn[.]site. Two domains (cxizi[.]net and yzxi[.]net) share the same skimmer code, which looks much more elaborate and does not appear to have much in common with the other two JavaScript pieces (archive here).

While debugging it, we can spot the string ‘ars’ within a URL path.
That same string was seen being used in the first skimmer (see Figure), although it might very well just be a coincidence.

The data exfiltration is quite different too. While the content-type is an image again, this time we see a GET request where the stolen data is Base64 encoded only (not reversed) and passed as a URL parameter instead.

Finally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a domain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host and the same registrar as magerates[.]com, and was registered within a week of it.

Magerates[.]com is registered under newserf@mail[.]ru, which also has other skimmer domains, and in particular several used via another clever evasion technique in the form of WebSockets.
This type of skimmer was tied to Magecart Group 9, originally disclosed by Yonathan Klijnsma.

Tracking digital skimmers is not an easy task these days, as there are many threat actors and countless variations of skimming scripts, whether based on toolkits or completely custom.

We continue to track and report skimmers in an effort to protect online shoppers from this campaign and dozens of others.

Indicators of Compromise

EXIF skimmers
cddn[.]site
magentorates[.]com
pixasbay[.]com
lebs[.]site
bestcdnforbusiness[.]com
apilivechat[.]com
undecoveria[.]com
wosus[.]site

Older EXIF skimmer
jqueryanalise[.]xyz
jquery-analitycs[.]com

Skimmer #3
xciy[.]net
yxxi[.]net
cxizi[.]net
yzxi[.]net

Other skimmers
sonol[.]site
webtrans[.]site
koinweb[.]site
xoet[.]site
ads-fbstatistic[.]com
bizrateservices[.]com
towbarchat[.]com
teamsystems[.]info
j-queries[.]com

Registrant emails
anya.barber56@gmail[.]com
smithlatrice100@yahoo[.]com
rotrnberg.s4715@gmail[.]com
newserf@mail[.]ru

Source: https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/
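The two exfiltration encodings described above (Base64 reversed and POSTed as an image file for the first skimmer; plain Base64 in a GET parameter for the cxizi[.]net/yzxi[.]net skimmer) are cheap to undo once you have the traffic. The Python below is an added example and not part of the original post: it tries both decodings on image-typed requests, Luhn-checks any 13 to 19 digit run in the decoded text so order numbers and timestamps are not reported as card numbers, and returns masked matches. The hostnames, the parameter name, the JSON layout of the stolen fields and the test card number 4111111111111111 are all constructed assumptions; the post does not show the payload format or the exfiltration hosts.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, so that random digit runs are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_b64_text(blob):
    """Strict Base64 -> printable UTF-8 text, or None if the blob is not that."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):    # UnicodeDecodeError is a ValueError
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


# The two encodings seen in the post: plain Base64 (GET variant) and Base64
# reversed after encoding (POST variant).
DECODERS = {
    "base64": decode_b64_text,
    "reversed-base64": lambda blob: decode_b64_text(blob[::-1]),
}


def encode_like_skimmer(fields):
    """Reproduce the first skimmer's encoding: Base64, then reverse the string.
    Assumption: the fields are serialised as JSON (the post does not show this)."""
    return base64.b64encode(json.dumps(fields).encode()).decode()[::-1]


def candidate_blobs(req):
    """Places where an image-disguised request can carry a text payload."""
    blobs = []
    if req["method"] == "POST" and req.get("body"):
        blobs.append(req["body"])
    for values in parse_qs(urlparse(req["url"]).query).values():
        blobs.extend(values)
    return blobs


def inspect_request(req):
    """Return a finding for one image-typed request, or None."""
    if not req.get("content_type", "").startswith("image/"):
        return None
    for blob in candidate_blobs(req):
        for scheme, decode in DECODERS.items():
            text = decode(blob)
            if text is None:
                continue
            pans = [p for p in PAN_RE.findall(text) if luhn_ok(p)]
            if pans:
                return {"url": req["url"], "scheme": scheme,
                        "pans": [mask_pan(p) for p in pans]}
    return None


def triage(requests):
    return [f for f in (inspect_request(r) for r in requests) if f]


# Constructed sample traffic. Hosts and the "d" parameter are hypothetical;
# 4111111111111111 is a well-known test number, not a real card.
STOLEN_FORM = {"name": "Jane Doe", "address": "1 Main St",
               "cc": "4111111111111111", "exp": "12/24", "cvv": "123"}
SAMPLE_REQUESTS = [
    # first skimmer: reversed Base64 POSTed as an image file
    {"method": "POST", "url": "https://cdn.example/favicon.ico",
     "content_type": "image/x-icon", "body": encode_like_skimmer(STOLEN_FORM)},
    # cxizi/yzxi-style skimmer: plain Base64 in a GET parameter
    {"method": "GET", "content_type": "image/gif", "body": "",
     "url": "https://img.example/pixel.gif?" + urlencode(
         {"d": base64.b64encode(json.dumps(STOLEN_FORM).encode()).decode()})},
    # a genuine favicon fetch: nothing to decode
    {"method": "GET", "url": "https://shop.example/favicon.ico",
     "content_type": "image/x-icon", "body": ""},
    # same encoding, but the number fails Luhn (an order id, not a PAN)
    {"method": "POST", "url": "https://cdn.example/favicon.ico",
     "content_type": "image/x-icon", "body": encode_like_skimmer({"order": "4111111111111112"})},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

Feed it records pulled from a proxy or a HAR export; the image content-type filter is what keeps it focused on this family, and the reversed-Base64 decoder only fires when the plain decode fails, so a hit's scheme tells you which of the two skimmers you are looking at.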
There\nare some other interesting artifacts as well, such as the Cache HTTP header and Created date for the image.\n\nIt comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen below:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/"
	],
	"report_names": [
		"web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d588e4f8a7cf4710325233b4dc129bd5c975811.pdf",
		"text": "https://archive.orkl.eu/5d588e4f8a7cf4710325233b4dc129bd5c975811.txt",
		"img": "https://archive.orkl.eu/5d588e4f8a7cf4710325233b4dc129bd5c975811.jpg"
	}
}