Credit card data stealing malware concealed in social media sharing buttons

Cybersecurity experts have recently discovered web skimming malware that is capable of injecting payment card skimmer scripts into compromised eCommerce stores. The creators of this malware disguise the malicious payloads as social media buttons that imitate leading platforms including Facebook, Twitter, and Instagram.

These skimmers are JavaScript-based scripts injected by Magecart cybercrime groups into the checkout pages of compromised online stores. Once loaded, the scripts automatically harvest the personal and bank information submitted by customers and send it to the attackers' own servers.

These findings were revealed by researchers at Sansec, a Dutch cyber-security company that works to protect eCommerce websites from digital skimming, or Magecart, attacks.

According to their investigation, the payment skimmer malware uses a double payload structure where the source of the skimmer script is hidden in social sharing icons. These are loaded as an HTML 'svg' element with a 'path' element as a container.

The syntax of the skimmer's social media buttons perfectly replicates an ‘svg’ element, and the elements are named after social media platforms: facebook_full, twitter_full, instagram_full, youtube_full, etc.

A separate decoder is also deployed somewhere on the eCommerce website to extract and execute the code of the hidden credit card stealer.

This way the hackers minimize the risk of getting caught and are able to complete their ‘illegal’ tactics successfully.
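One way a store operator could audit page source for the pattern described above, as an added example that is not from Sansec or the original article: it flags `svg` icons whose `path` element holds anything other than SVG path data. It assumes the hidden payload sits in the path's `d` attribute or text content, which the article does not specify; the class and function names are hypothetical and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Characters the SVG path grammar allows in a `d` attribute: command letters,
# digits, sign, decimal point, exponent marker, comma and whitespace.
VALID_PATH_DATA = re.compile(r"^[MmLlHhVvCcSsQqTtAaZzEe0-9+\-.,\s]*$")
# Icon names reported in the article (facebook_full, twitter_full, ...).
SOCIAL_ID = re.compile(r"^(facebook|twitter|instagram|youtube)_full$", re.I)

class SvgIconAudit(HTMLParser):
    """Collect <svg> icons whose <path> children carry non-path content."""
    def __init__(self):
        super().__init__()
        self.svg_stack = []   # ids of the <svg> elements currently open
        self.in_path = False
        self.findings = []    # (svg id, reason) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "svg":
            self.svg_stack.append(attrs.get("id") or "")
        elif tag == "path" and self.svg_stack:
            self.in_path = True
            if not VALID_PATH_DATA.match(attrs.get("d") or ""):
                self.findings.append((self.svg_stack[-1], "non-path characters in d"))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_stack:
            self.svg_stack.pop()
            self.in_path = False
        elif tag == "path":
            self.in_path = False

    def handle_data(self, data):
        # A real <path> has no text content; anything here is suspicious.
        if self.in_path and self.svg_stack and data.strip():
            self.findings.append((self.svg_stack[-1], "text inside <path>"))

def audit(html):
    """Return (svg id, reason, id matches a reported social icon name)."""
    parser = SvgIconAudit()
    parser.feed(html)
    parser.close()
    return [(i, why, bool(SOCIAL_ID.match(i))) for i, why in parser.findings]

# Constructed sample: one genuine icon, one whose path holds inert placeholder text.
SAMPLE = """
<svg id="twitter_full"><path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10z"/></svg>
<svg id="facebook_full"><path d="var x = 'constructed placeholder';"/></svg>
"""
print(audit(SAMPLE))
```

A finding on an icon with one of the reported names is a reason to look for the separate decoder elsewhere in the store's templates and scripts.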

Photo: Enes Evren / Getty Images
