2020-06-26

This was revealed in a report by Malwarebytes describing an online store that used the WordPress plugin WooCommerce and was infected with a Magecart card-skimming script. Magecart attacks consist of exactly that: injecting malicious JavaScript into a website to steal payment information from users during checkout.

They hide the malicious code inside a favicon

What differentiates this attack from already known ones is that the script was not injected directly into the website's code but into the EXIF metadata of the site's favicon. EXIF metadata normally stores information such as the file's creator, the creation date, or the camera or PC on which the photo was taken or processed. Here, however, the Copyright field of the icon's metadata held the malicious JavaScript code, as can be seen in the following image:

Once the script ran in a user's browser, any credit card details entered during checkout were sent back to the attackers, who could then do with them whatever they wanted. The group associated with this attack is the one dubbed "Magecart Group 9".
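As an added defender-side example (not part of the original article or the Malwarebytes report), the following Python parses IFD0 of a TIFF-structured EXIF payload, the layout found after the `Exif\0\0` marker in a JPEG APP1 segment or inside a PNG eXIf chunk, and flags text tags such as Copyright whose value looks like JavaScript rather than a notice. The `build_exif` helper and both sample payloads are constructed here for illustration.

```python
import re
import struct

# IFD0 text tags where a string payload can be parked (tag id -> name)
TEXT_TAGS = {0x010E: "ImageDescription", 0x013B: "Artist", 0x8298: "Copyright"}
# Crude markers of script content rather than a copyright notice or caption
JS_INDICATORS = re.compile(r"<script|eval\s*\(|document\.|window\.|function\s*\(|fetch\s*\(|XMLHttpRequest", re.I)


def parse_ifd0_text_tags(exif: bytes) -> dict:
    """Return ASCII-typed IFD0 tags from a TIFF-structured EXIF payload
    (the bytes after 'Exif\\0\\0' in a JPEG APP1 segment, or a PNG eXIf chunk body)."""
    if exif[:2] == b"II":
        end = "<"          # little-endian ("Intel")
    elif exif[:2] == b"MM":
        end = ">"          # big-endian ("Motorola")
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(end + "HI", exif[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(end + "H", exif[ifd_off:ifd_off + 2])
    found = {}
    for i in range(count):
        entry = exif[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
        tag, typ, n, val = struct.unpack(end + "HHII", entry)
        if tag in TEXT_TAGS and typ == 2:                          # type 2 = ASCII
            raw = exif[val:val + n] if n > 4 else entry[8:8 + n]   # >4 bytes live at an offset
            found[TEXT_TAGS[tag]] = raw.rstrip(b"\0").decode("latin-1", "replace")
    return found


def suspicious_text_tags(exif: bytes) -> dict:
    """Text tags whose value looks like script: the check to run on favicons and product images."""
    return {k: v for k, v in parse_ifd0_text_tags(exif).items() if JS_INDICATORS.search(v)}


def build_exif(copyright_text: str) -> bytes:
    """Constructed sample: minimal little-endian EXIF with a single Copyright entry."""
    data = copyright_text.encode() + b"\0"
    header = b"II" + struct.pack("<HI", 42, 8)      # IFD0 starts right after the 8-byte header
    # header(8) + count(2) + one entry(12) + next-IFD pointer(4) = 26 -> out-of-line data at 26
    value = data.ljust(4, b"\0") if len(data) <= 4 else struct.pack("<I", 26)
    entry = struct.pack("<HHI", 0x8298, 2, len(data)) + value
    ifd = struct.pack("<H", 1) + entry + struct.pack("<I", 0)     # one entry, no IFD1
    return header + ifd + (data if len(data) > 4 else b"")


if __name__ == "__main__":
    benign = build_exif("Copyright 2020 Example Shop")                   # constructed
    planted = build_exif("<script>window.onload=function(){}</script>")  # constructed, inert
    print(suspicious_text_tags(benign))   # {}
    print(suspicious_text_tags(planted))  # {'Copyright': '<script>window.onload=function(){}</script>'}
```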

The exfiltrated data was also hidden in images

Another dangerous aspect of this attack is that the favicon was hosted on an external domain, so a security scan of the shop's own website would not have raised any alerts. In this way the attackers received data such as the buyer's name and the order's shipping address, and everything was sent out disguised as images in POST requests, making it even harder to detect the transmission of information to a server controlled by the attackers.

This is not the first time a malicious WordPress plugin has been involved in such attacks. A few months ago, a bug was also discovered in WooCommerce that allowed attackers to run XSS payloads to create accounts with administrator privileges on vulnerable sites. Therefore, we strongly recommend that you do not use this plugin.