Credit Card Skimmers Can Hide in an Icon’s Metadata

Photo: Justin Sullivan, Getty Images

In the midst of a news cycle filled with stories of the chaotic global pandemic and mass civil unrest raging around us right now, I personally find solace in stories about the constants we can rely on: Stories of brands continuing to show their arse on social media. Stories about botched art restorations continuing to be borked. And, of course, stories of scammers continuing to find new ways to scam.

The latest trick, uncovered by the security firm Malwarebytes, is sneaking credit card-skimming malware into the metadata of a given image file, which can then be loaded onto the webpage of a hacked ecommerce store with the shopper none the wiser — that is, until they notice someone else using their credit card. The malware in question here, Magecart, has been caught in more than a few credit card-skimming schemes before now, but this is the first time that it’s been caught hiding behind a site’s favicon — another name for those little icons that can show up in the address bar of a given site.

The particular offending icon that the Malwarebytes team stumbled upon came from a WordPress site running a plugin for the popular online-shopping service WooCommerce. The shop in question had clearly been compromised, and, as they discovered, a nugget of credit-skimming tech was buried deep within the site’s favicon, a logo of their particular brand.

When that image file loads up, according to the team, it grabs the content that a shopper might input when checking out — their name, their billing or shipping address, and, of course, their credit card number.
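As an added, defender-side example that is not part of the original article or of Malwarebytes' research: a small Python scanner that walks a JPEG's metadata segments (the APP1 segment is where EXIF lives) and flags script-like fragments, the sort of check a store operator can run over their own favicon and other images. The two sample files are constructed inline, and the list of suspicious fragments is my assumption, not a published signature.

```python
import re
import struct

# Fragments that have no business inside image metadata; tuned to the pattern
# described above (JavaScript stashed in an EXIF field and executed by the page).
# Assumed list, not a published signature.
JS_MARKERS = re.compile(
    rb"<script\b|eval\s*\(|fromCharCode|document\.|XMLHttpRequest|\.send\s*\(",
    re.IGNORECASE,
)


def jpeg_metadata_segments(data):
    """Yield (label, payload) for every APPn/COM segment before the pixel data."""
    if data[:2] != b"\xff\xd8":                  # not a JPEG (no SOI marker)
        return
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):               # EOI / SOS: metadata is over
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:               # APP0..APP15 (EXIF lives in APP1)
            yield f"APP{marker - 0xE0}", payload
        elif marker == 0xFE:                     # COM: free-form comment
            yield "COM", payload
        pos += 2 + length


def scan_jpeg(data):
    """Return [(segment, fragment)] for every metadata hit; empty means clean."""
    return [(label, m.group(0).decode("latin-1"))
            for label, payload in jpeg_metadata_segments(data)
            for m in JS_MARKERS.finditer(payload)]


def _jpeg_with_app1(app1):
    """Constructed minimal JPEG: SOI, one APP1 segment, an empty SOS, EOI."""
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")


# Constructed samples, not real files: a benign favicon and one whose EXIF
# area carries script text, as the skimmer described above does.
CLEAN_FAVICON = _jpeg_with_app1(b"Exif\x00\x00Copyright 2020 Example Shop")
SKIMMED_FAVICON = _jpeg_with_app1(
    b"Exif\x00\x00Copyright eval(String.fromCharCode(118,97,114))")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_FAVICON), ("skimmed", SKIMMED_FAVICON)):
        print(name, scan_jpeg(blob) or "no script-like metadata")
```

Real EXIF stores the text inside a TIFF directory within APP1, but since the scan runs over the raw segment bytes it catches the fragment wherever it sits in that structure.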

It’s tricky to track down where this sort of malware might be hiding in a given online store — especially if you’re not a cybersecurity researcher. While this particular instance used a favicon to hide the malware, it could theoretically be hidden in any image on a given page. That said, there are still some easy ways you can keep your intel under wraps. If a store’s checkout process looks sketchy as hell, you might be better off taking your business elsewhere.