1/3 November 26, 2020 Payment skimmer hides in social media buttons sansec.io/research/svg-malware 26th November 2020 Web Skimming / Sansec Threat Research Learn about new eCommerce hacks? Receive an alert whenever we discover new hacks or vulnerabilities that may affect your online store. What is Magecart? Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time? About Magecart https://sansec.io/research/svg-malware https://sansec.io/research https://sansec.io/what-is-magecart 2/3 Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout pages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads the payload and executes the concealed code. While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax. The malicious payload assumes the form of an html element, using the element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the element. To complete the illusion of the image being benign, the malware’s creator has named it after a trusted social media company. Further investigation has revealed there are at least six major names being used: google_full facebook_full twitter_full instagram_full youtube_full pinterest_full Steganography The second part of the malware is a decoder that interprets & executes the payload. Below is a beautified version: 3/3 It is worth noting that the decoder does not have to be injected in the same location as the payload. This adds to it’s concealment, as finding only one of the parts, one might not deduce the true purpose of a slightly strangely formatted svg. An attacker can of course conceal any payload with this technique. Samples taken by Sansec revealed payment skimming as the true purpose of the malware injections. Possible Test Run? In June 2020 a similar malware was detected by Sansec, using the same technique. This malware was not as sophisticated and was only detected on 9 sites on a single day. Of these 9 infected sites, only 1 had functional malware. The 8 remaining sites all missed one of the two components, rendering the malware useless. After the discovery of this new and more sophisticated malware, the question arises if the June injections could have been the creator running a test to see how well their new creation would fare. This new malware was first found on live sites in mid-September. data-size="large" > Follow @sansecio Stay ahead of eCommerce hacks, protect your store today! Sansec forensic experts were the first to document large scale digital skimming in 2015. Since then, we have investigated thousands of hacked stores. Our research of the latest attack vectors protects our customers around the world. Our anti-skimming technology and data are used by merchants, forensic investigators, financial anti-fraud teams and service providers Try our malware scanner https://twitter.com/sansecio https://sansec.io/ecomscan