A new form of malware has been identified hidden inside sharing icons for social media, capable of stealing shoppers’ credit card details.

The new threat uncovered involves web skimming malicious software. It can remain invisible while inserting skimmer scripts on compromised online shops, and obtain payment card numbers and other personal information. The insidious developers behind the malware are injecting social media buttons with concealed code, replicating the most popular platforms including Instagram, Twitter and Facebook.

So-called “Magecart” threat operators inject JavaScript type code to skim credit cards on the online stores’ checkout pages. After the script has been positioned on target sites, it will automatically collect both personal and payment data entered by online shoppers and exfiltrate it to the cybercriminal group’s servers.

Unique techniques for avoiding detection

The new strain of malware was uncovered by research analysts at Sansec, a Dutch cybersecurity firm that specialises in protecting e-commerce sites from Magecart or digital skimming attacks. The malicious skimming software employs an ingenious structure that involves a double payload. The skimmer script source code that steals credit cards details is hidden inside the social media sharing icon and is loaded as a scalable vector graphic (svg) in HTML, inside a path element container.

To make it appear as an authentic social media button, the phrasing for concealing the source code imitates an svg file perfectly, employing names used by social media platforms, such as twitter_full, facebook_full, Instagram_full etc. An individual decoder is also planted separately on the online store’s server and works to both execute and extract code for and from the concealed payment card stealer.

This strategy raises the probability of the hackers evading detection, because should one of the malware components be identified, the other may not be found as it is located separately. Additionally, without discovering both components, the real purpose behind the malware may slip past a surface investigation.

A sign of skimming tactics to come

While the recently discovered threat is not the only time cybercriminals have used image files and icons to conceal credit card skimming code, this new malware is unique in the way it employs an image that is “perfectly valid”.

Expert researchers at Sansec, commented:

“The result is that security scanners can no longer find malware just by testing for valid syntax.”

Malware that closely resembled this newly discovered danger was originally identified in action earlier this year in June, employing this inventive loading method. However, it was not as complex in terms of design or as effective

Sansec added:

“This malware was not as sophisticated and was only detected on nine sites on a single day. Of these nine infected sites, only one had functional malware. The eight remaining sites all missed one of the two components, rendering the malware useless.”

The security researchers have advised caution, suggesting that the payment skimmer samples that were only partially functioning may have been tests of this fully operational edition of the malware that has now been uncovered.