Researchers at Malwarebytes uncovered this technique by examining an image file that had been infected with card-stealing code. The group most proficient in it is Magecart, which compromises unsuspecting e-commerce sites and steals payment data. The technique is steganography: the attackers hide their JavaScript skimming code inside the image file so that it can scrape the data they want.
Why Under Images?
Crawlers and scanners such as antivirus software inspect files like HTML and JavaScript but tend to skip image files, which take longer to analyse. That makes images a convenient place to hide malicious code. Although this is the safest way for the attackers to conduct their illegal activity, there is still a way to find it.
How To Find?
Analysing the tampered image in a hex editor shows extra data appended after the file's final segment. Strings such as onestepcheckout or authorizenet confirm that this code is malicious and built for skimming. Malwarebytes found that most of the hacked sites were infected via steganographic images, with the loader code planted either in footer tags or in Google Tag Manager. Moreover, the attackers use WebSocket connections to talk to their server, which makes the traffic even harder to detect. Once the page loads, the hidden JavaScript activates and exfiltrates sensitive card data to the attacker's server for further exploitation.
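To make the hex-editor check described above repeatable, here is an added Python example; it is not code from the Malwarebytes research or from the original article. It parses the PNG chunk structure and the JPEG marker structure to locate the true end of the image, reports any bytes appended after that point, and checks the trailer for the indicator strings named above plus a few generic JavaScript tokens. The indicator list, the helper names and the minimal sample images are constructed for this example and are assumptions, not vendor signatures.

```python
import struct
import zlib

# Indicator strings: the two named in the article plus generic JavaScript tokens.
# This list is an assumption for illustration, not a vendor detection feed.
INDICATORS = (b"onestepcheckout", b"authorizenet", b"websocket",
              b"<script", b"function(", b"eval(")

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
# Markers that carry no length field: SOI, TEM and the restart markers RST0-RST7.
JPEG_STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def png_end(data: bytes):
    """Walk PNG chunks; return the offset just past IEND's CRC, or None if malformed."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 crc
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end(data: bytes):
    """Walk JPEG marker segments and scan data; return the offset just past EOI."""
    pos, n, in_scan = 2, len(data), False
    while pos < n:
        if not in_scan:
            if pos + 2 > n or data[pos] != 0xFF:
                return None
            marker = data[pos + 1]
            if marker == 0xD9:                      # EOI: true end of the image
                return pos + 2
            if marker == 0xFF:                      # fill byte before a marker
                pos += 1
                continue
            if marker in JPEG_STANDALONE:
                pos += 2
                continue
            if pos + 4 > n:
                return None
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            pos += 2 + seg_len
            in_scan = marker == 0xDA                # SOS: entropy-coded data follows
            continue
        # Inside scan data, 0xFF is only followed by 0x00 (stuffing) or RSTn;
        # anything else is the next real marker.
        nxt = data.find(b"\xff", pos)
        if nxt < 0 or nxt + 1 >= n:
            return None
        following = data[nxt + 1]
        if following == 0x00 or 0xD0 <= following <= 0xD7:
            pos = nxt + 2
        else:
            in_scan, pos = False, nxt
    return None


def image_end(data: bytes):
    """Return (format, end_offset); end_offset is None if unrecognised or malformed."""
    if data.startswith(PNG_SIG):
        return "png", png_end(data)
    if data.startswith(JPEG_SOI):
        return "jpeg", jpeg_end(data)
    return None, None


def scan_image(data: bytes) -> dict:
    """Report bytes appended after the image's true end and any indicator strings in them."""
    fmt, end = image_end(data)
    if end is None:
        return {"format": fmt, "trailing_len": None, "indicators": []}
    trailer = data[end:].lower()
    return {"format": fmt, "trailing_len": len(trailer),
            "indicators": [i.decode() for i in INDICATORS if i in trailer]}


# --- constructed sample files (not real skimmer payloads) -----------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1 grey
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))

CLEAN_JPEG = (JPEG_SOI
              + b"\xff\xe0" + struct.pack(">H", 16)                        # APP0 / JFIF
              + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
              + b"\x12\xff\x00\x34\xff\xd0\x56"                            # scan data
              + b"\xff\xd9")                                               # EOI

# Harmless placeholder trailer carrying the article's indicator strings.
TRAILER = b"/* constructed placeholder */ var s = 'onestepcheckout' + 'authorizenet';"

if __name__ == "__main__":
    for name, blob in [("clean png", CLEAN_PNG), ("tampered png", CLEAN_PNG + TRAILER),
                       ("clean jpeg", CLEAN_JPEG), ("tampered jpeg", CLEAN_JPEG + TRAILER)]:
        print(name, scan_image(blob))
```

Run it against a directory of static assets and treat any image with a non-zero trailer as worth a manual look; the indicator list only ranks the hits, since legitimate tools occasionally append metadata too.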