Credit Card Stealer Malware Found in Social Media Buttons

Experts from Dutch cybersecurity company Sanguine Security (SanSec) found that a credit card skimming malware has been used in various social media sharing buttons. The malware is designed to steal and mind credit card information used in various online stores, reports ZD Net.

The malware is known as a web skimmer called a Magecart Script. According to Bleeping Computer, these types of scripts are JavaScript-based and these are made by Magecart cybercrime groups in various e-commerce websites.

As these Magecart skimmers are inserted into the target online stores, the credit card stealer scripts work by mining the payment information keyed in by the customers in question. Besides credit card details, customers’ personal information are also harvested by the scripts, all of these being placed under servers controlled by the threat actors, states Bleeping Computer.

Malware Found in Social Media Buttons

The skimmers are hidden via an SVG file, which Bleeping Computer states are an image file designed to mask the source code under the social media sharing buttons. The syntax for the code report is hidden in plain sight as it mirrors an SVG with social media names as part of the file name.

In a blog post shared by Sanguine Security in a report dated November 26, 2020, they said that “While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax.”

Based on the findings made by the Dutch cybersecurity firm, the web skimmer was first found on online stores somewhere around June and September 2020. Among the icons that contain the malicious payload inside it are Facebook, Google, Instagram, Pinterest, Twitter, and YouTube.

The security researchers from SanSec also said that June marked the first time this ‘innovative’ technique was found. However, researchers said that this “was not as sophisticated,” leading the experts to believe that the MageCart threat actors only used this as part of a trial run.

According to SanSec, the malware was only found in nine e-commerce websites in one day, with only one of these websites successfully containing a fully functioning credit card stealer skimmer. After the trial period, the researchers found the malware again in September, this time on different live websites.

Following these types of incidents, ZD Net states that the best course of action to avoid web skimming attacks is to use virtual credit cards designed for unique transactions. This prevents attackers from obtaining personal and financial details.