Hackers are going to considerable lengths to hide credit cards stolen from websites victimised in a wave of recent attacks, weaving the data into working images of products sold online.
The tricks are part of a wave of attacks targeting some 6000 Magento e-commerce sites The Register reported last week.
Sucuri remediation team lead Ben Martin found php code that pushed credit card numbers into images while examining one recently-compromised, but unnamed, site.
He says hackers have recently been using files with extensions associated with images as a means to hide credit card numbers. The credit card numbers did not use the data structures expected of an image, so the fake files could not be opened.
"Attackers use image files as an obfuscation technique to hide stolen details from the website owner [but] the image file usually doesn’t contain a real image," Martin says.
"If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack."
It would also be simple for an admin to figure out which image files are real, which are malformed, and decide the latter are worthless junk worthy only of deletion.
Hence Martin's surprise when, as his explorations continued, he found files hiding credit card numbers that are also properly-formed image files.
"What we found to be very peculiar in this case is that the image itself actually worked."
Dozens of cleartext credit cards were listed below the ordinary code, allowing attackers to simply download the image.
Attackers had gone so far as to hide credit cards in an image portraying a line of perfumes the hacked shop had sold, reducing the likelihood of raising suspicion.
The trick is clever because if criminals leave a cache of credit cards on a site, they must hope whatever trick they use to access the server remains viable. With data embedded in photos, crims need only go shopping, seek out products they know to have images laden with extra data and then Save Image to access their horde.
As The Register has reported, the attacks were as of last week increasing as new players attacked Magento-powered sites.
Some 85 shops were compromised each day in the wide-scale active operation which discoverer Willem de Groot says could lead to the breach of hundreds of thousands of credit cards. ®