Hiding Malware in Social Media Buttons

Clever tactic:

This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.

The payment skimmer malware pulls its sleight of hand trick with the help of a double payload structure where the source code of the skimmer script that steals customers’ credit cards will be concealed in a social sharing icon loaded as an HTML ‘svg’ element with a ‘path’ element as a container.

The syntax for hiding the skimmer’s source code as a social media button perfectly mimics an ‘svg’ element named using social media platform names (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full).

A separate decoder deployed separately somewhere on the e-commerce site’s server is used to extract and execute the code of the hidden credit card stealer.

This tactic increases the chances of avoiding detection even if one of the two malware components is found since the malware loader is not necessarily stored within the same location as the skimmer payload and their true purpose might evade superficial analysis.
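Added example, not code from the post or from Sansec: a small audit script for the pattern the excerpt describes. It flags a `path` element whose `d` attribute cannot be path geometry or that carries text content, and records whether the enclosing `svg` id mimics one of the listed platform names. It assumes the concealed code sits in the path's `d` attribute or its text content, which the excerpt does not specify; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
# Legal SVG path data: the path commands, numbers and separators, nothing else.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9.,\s+eE-]*$")
SOCIAL_NAMES = ("facebook", "twitter", "instagram", "youtube", "pinterest", "google")

class SvgPathAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._svg_ids = [], []   # open <svg> ids, innermost last
        self._in_path, self._path_text = False, []

    def _flag(self, reason):
        svg_id = self._svg_ids[-1] if self._svg_ids else ""
        self.findings.append({"svg": svg_id, "reason": reason,
                              "mimics_social": any(n in svg_id.lower() for n in SOCIAL_NAMES)})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "svg":
            self._svg_ids.append(a.get("id") or a.get("class") or "")
        elif tag == "path":
            self._in_path, self._path_text = True, []
            # Script source cannot satisfy the path-data grammar; real geometry always does.
            if not PATH_DATA_RE.match(a.get("d") or ""):
                self._flag("d attribute is not SVG path data")

    def handle_data(self, data):
        if self._in_path:
            self._path_text.append(data)

    def handle_endtag(self, tag):
        if tag == "path" and self._in_path:
            self._in_path = False
            if "".join(self._path_text).strip():   # <path> has no legitimate text content
                self._flag("path element carries text content")
        elif tag == "svg" and self._svg_ids:
            self._svg_ids.pop()

def audit_html(html):
    auditor = SvgPathAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: one benign icon and two placeholders shaped like the disguise.
SAMPLE_HTML = """
<svg id="share_icon"><path d="M10 10 L 20,20 Z"/></svg>
<svg id="facebook_full"><path d="function(){ /* constructed placeholder */ }"/></svg>
<svg id="twitter_full"><path d="M0 0">constructed placeholder text</path></svg>
"""
```

Running `audit_html` over a site's rendered pages and diffing the findings against a known-good baseline turns the disguise into a detection signal rather than a blind spot.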

Posted on December 7, 2020 at 6:32 AM • 18 Comments

Comments

Alan December 7, 2020 9:28 AM

This is yet another great example of why you should never include any third-party scripts on payment pages. Logins should probably apply too. CSP can help with stuff like this, but people need to be more careful implementing sensitive web pages. It’s really not that hard, but it seems most small e-commerce sites have no concept of security.

anonymous December 7, 2020 9:40 AM

Fortunately, there are NoScript and Ublock Origin browser add-ons to kill social media malevolence in its tracks.

Andreas December 7, 2020 10:53 AM

And it shows again that adblockers, scriptblockers and alike are an important safety feature when using websites.

Besides that some sites are simply not usable without them, some are even dangerous.
And i am not talking about dubious websites in the first place.

David December 7, 2020 10:56 AM

+1 for NoScript, but using a regex-based DNS blocker is helpful too. Some sites don’t use DNS, so network blocking without huge lists of subnets is much less practical.

Running browsers inside confinement like firejail --private for untrusted sites is another mitigation. That option prevents any storage from being touched with any browser leaked stuff.

SpaceLifeForm December 7, 2020 2:45 PM

Besides uBlock Origin and Privacy Badger, one may also want to check out Decentraleyes.

xcv December 8, 2020 2:05 AM

Hiding Malware in Social Media Buttons

The syntax for hiding the skimmer’s source code as a social media button perfectly mimics an ‘svg’ element named using social media platform names (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full).

  • The ballot box is full.
  • No more votes are being accepted at this time.
  • The cops want social media on all U.S. subjects.
  • Social media is for socialists.

A separate decoder deployed separately somewhere on the e-commerce site’s server is used to extract and execute the code of the hidden credit card stealer.

  • That would be “anti-social” and greedy to refuse to share your credit card. ‘Tis the season, you know.
  • If you’re such an “anti-social” privacy freak that you refuse to share your financial information online in a sociable manner, there’s a psychiatrist on call with an emergency mental evaluation and a civil commitment for psychopaths like you who are incompetent to manage their own money.

Winter December 8, 2020 4:12 AM

@xcv moderator
“The ballot box is full.”

It seems this comment has been posted in the wrong page.

Also, xcv seem to have lost his grip on reality after his idol lost the elections.

1&1~=Umm December 8, 2020 5:21 AM

@Winter:

“Also, xcv seem to have lost his…”

If you go back through XCV’s postings under that handle and earlier ones, I think you will find you’ve used the wrong gender pronoun.

Winter December 8, 2020 5:49 AM

@xcv (&1&1…)
“If you go back through XCV’s postings under that handle and earlier ones, I think you will find you’ve used the wrong gender pronoun.”

I must apologize for this error. I should have been more careful in my choice of words.

Correction, in case xcv is indeed a woman:
“Also, xcv seem to have lost her grip on reality after her idol lost the elections.”

RealFakeNews December 8, 2020 7:22 AM

> A separate decoder deployed separately somewhere on the e-commerce site’s server

So the web server was already compromised “enough” to drop payloads?

When will these web idiots learn to secure their systems?

I’d suggest the compromised script was the least of the problem in this attack.

If a decoder can’t be detected as “out of place” then something is seriously wrong with the entire sys admin.

WmG December 8, 2020 6:29 PM

@Winter @1&1
Pronouns are hard. Gender, plural or singular.

“Their” is seeing a recurrence of usage. And could indicate a plural status, in this case perhaps, due to multiple personality disorder.

Clive Robinson December 9, 2020 2:14 AM

@ WmG, ALL,

“Their” is seeing a recurrence of usage.

And it quickly sounds as bonkers as talking about your self currently from the third party perspective. Which is why we try to avoid doing it.

You might remember a few weeks back @Bruce posted about an informal piece by Matt Blaze on a failing in an OTP system used by a Russian Numbers station in Cuba.

Somebody posted an invitation to talk, but they only used their last name, so gender was unknown. Some people take offence if you use the wrong gender and some dislike the “Their” style intently when they are the subject of it.

So like any sensible person I did a web search to see if I could narrow things down, which I did in a couple of simple searches first pages.

This apparently caused the person to think I was spying on them…

The moral is you are going to put your foot in it one way or another, when people do not provide gender indicating information. It’s also a game you can not win with some people who take umbrage at you getting their gender wrong, even though they have provided no clues as to what their gender is[1]. You not guessing is your fault, your not guessing correctly is your fault, it’s “not their fault” and they are going to make you feel their wrath by belittling you in as many ways as they can to show their moral superiority. In essence you get diagnosed with the gender of “Stale, White, Male, Intolerant, Imbecile” which I guess is better than some other options 😉

[1] The real answer is there are more gender identities than 50 Shades of Grey. The problem is that “gender” has been “overloaded”. When I was young gender was a polite way of enquiring about a person’s biological sex, and if they did not give it, you went down the “Dear Sir” route. However the “Dear Sir” route ruffled feathers as did the Mrs/Miss issue that gave us Ms starting four or five decades ago. Now your sex is defined not just by biology but, Gender identity / expression / presentation / orientation at the very least and none of those are binary choices so just adding “neutral” gives 3^5 = 243 options to pick from, let’s just say “spectrum(s)” and be done with it because there are not enough words to cover them all.

WmG December 9, 2020 11:55 AM

@Clive Robinson

Well, yes. All of the issues you discuss are at work, making our times more “interesting.” And lowering s/n, as you suggest.

My remark was rather under-specified, for which I apologize.

I had been referring to “their” as an arguably correct personal pronoun for someone who has Multiple Personality Disorder.

The old joke comes to mind of the multiple personality disorder support group, which had thirty members, when six physical humans were present.

Clive Robinson December 9, 2020 12:45 PM

@ WmG,

I had been referring to “their” as an arguably correct personal pronoun…

There is the “nurse issue” not with the possessive pronoun but where they say to a patient “Are we feeling well this morning?”

To which I thought there were really only two replies,

“I don’t know about you but my XXX is keeping me here”

Or,

“Me and my parasites are getting along fine”

But apparently the list of “we’s” for many years included
“Heads of State, Editors (who think they are heads of state) and people with tapeworms…

But about 70 years ago the list got updated,

A person with a mouse in his or her pocket
A king, queen, emperor, or president
A pregnant woman
A newspaper or magazine editor
A person with a tapeworm
A schizophrenic individual

I guess conjoined twins could be added as well.

WmG December 9, 2020 2:11 PM

@Clive Robinson

As a US guy, I was always puzzled by the royal we, and inclined to dislike it. The editorial we, we seem to be stuck with. Then there are the senior scientists who refer to the “work we did on….” which seems to be the rare case of implicit credit sharing for team work done.

Canadian radio broadcaster Allan McFee was the only person I knew of who kept the company of a mouse in his pocket, “the small gray presence.”

https://en.wikipedia.org/wiki/Allan_McFee

Chad Ostreicher December 14, 2020 1:36 AM

I agree with no script on payment pages, but this is pretty wild! Hackers are getting cleverer and cleverer, and it is getting damn near impossible to stay ahead or even keep up.
