Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are continuously improving their infection chains to escape detection.
“One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion,” Sucuri Security Analyst, Ben Martin, said in a write-up. “These can later be downloaded using a simple GET request at a later date.”
Sucuri attributed the attack to Magecart Group 7 based on overlaps in the tactics, techniques, and procedures (TTPs) adopted by the threat actor.
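The dumping of swiped card details into image files described above leaves a file-level artifact a defender can look for: the stolen data sits after the image's real end marker (PNG IEND chunk, JPEG EOI). The following scanner is an added example, not code from the Sucuri write-up; its function names, the webroot walk, and the constructed 1x1 PNG sample are assumptions made for this illustration.

```python
import os
import string
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"

def png_trailer(data):
    pos = len(PNG_SIG)  # walk the chunks; whatever follows the IEND chunk's CRC is appended data
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header, payload, CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""  # truncated or malformed PNG: nothing reliable to report

def inspect_image(data):
    """Classify one file's bytes and measure any payload appended after the real image."""
    if data.startswith(PNG_SIG):
        kind, trailer = "png", png_trailer(data)
    elif data.startswith(JPEG_SOI):
        # Bytes after the last EOI (EXIF thumbnails carry their own EOI, hence rfind; appended data containing FF D9 would shorten the report)
        end = data.rfind(JPEG_EOI)
        kind, trailer = "jpeg", (data[end + 2:] if end != -1 else b"")
    else:
        kind, trailer = "not-an-image", data  # image extension, but no image header at all
    printable = string.printable.encode()
    ratio = sum(b in printable for b in trailer) / len(trailer) if trailer else 0.0
    return {"kind": kind, "trailer_len": len(trailer), "text_like": ratio > 0.9}

def scan_webroot(root, exts=(".jpg", ".jpeg", ".png")):
    """Report every image under root that carries appended data or is not an image."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = inspect_image(fh.read())
            if result["trailer_len"]:
                findings.append((path, result))
    return findings

def png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed sample: a valid 1x1 greyscale PNG, then the same file with a base64-looking blob appended
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b"")
PAYLOAD = b"Y2FyZD1QTEFDRUhPTERFUg==\n"  # constructed placeholder, not real data
TAMPERED_PNG = CLEAN_PNG + PAYLOAD
```

A high `text_like` ratio on the trailer is the signal to prioritise, since encoded card data is printable text while a benign trailer (a stray metadata block) usually is not.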
In one instance of a Magento e-commerce website infection investigated by the GoDaddy-owned security company, it was found that the skimmer was inserted in one of the PHP files involved in the…