Hackers are improving their credit card hacking technique, warns Microsoft

The injection of code to steal bank details on merchant sites, known in English as skimming, is nothing new. However, as with all threats on the web, its authors constantly improve their tools to stay one step ahead of cybersecurity specialists. According to a new Microsoft report, hackers have developed new techniques to hide their code and avoid detection.

Initially, the hackers targeted flaws in platforms such as Magento, PrestaShop or WordPress, and were content to inject JavaScript. One of the best-known attacks of this kind is Magecart, first detected in 2010, which caused a stir during a new wave of attacks in 2019. While the new techniques still require a flaw to inject data onto the server, the JavaScript code is no longer left in plain view.

Malicious code in an image

The first technique is to pass the code off as something else. Microsoft notably detected JavaScript encoded in base64 inside PHP code, itself embedded in an image. In one case the authors used the favicon (the site icon displayed in the address bar or in bookmarks); in another they used an ordinary image. All they had to do was add a PHP include() call to the site's index page, an addition that would go unnoticed.

In both cases, the PHP script checks the page address for the terms "check out" and "onepage", which correspond to the payment page of the Magento platform. It also checks the cookies to ensure that the user is not an administrator. Once done, it decodes the JavaScript, which displays a fake payment form and then sends the data to an external server.

Addresses masked by base64 encoding

The second technique adds four lines of JavaScript to the page. As before, the script only runs on a page whose address contains the term "check out", the keyword being encoded in base64 in the script to go unnoticed. It then downloads another script hosted on an external server, whose address is encoded in base64 and split into several concatenated groups of characters. This script checks that the browser's developer tools are not open, saves the payment form data in an image, and sends it to an external address.

Finally, in the third technique, the hackers pass off their script as an official audience-analytics script from Google Analytics or Meta Pixel. Again, the authors added a simple script that downloads a second script from an external server, and used base64 encoding to hide the address.

What all these techniques have in common is the use of base64 character strings, and in particular the JavaScript function atob() to decode them. This can help developers spot infected sites. On the other hand, it is difficult for Internet users to defend themselves against this type of attack, except by using methods such as single-use virtual bank cards. For site administrators, Microsoft recommends checking that their content management system (CMS) and all its extensions are up to date.
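As an added example (not part of the original article or of Microsoft's report), the following Python script turns the detection hint from the sections above into a check a site administrator can run over a site's source files. It flags PHP include()/require() statements that pull in image files (the favicon trick of the first technique), and it finds atob() calls, reassembles base64 values that were split into concatenated fragments (the second technique), decodes them and flags payloads that name the Magento payment page or point at a remote script. The sample PHP and JavaScript snippets, the example.invalid hostname and all function names are constructed for this illustration.

```python
import base64
import binascii
import re

IMAGE_EXTENSIONS = (".ico", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".bmp")
# Terms the article cites as markers of the Magento payment page.
CHECKOUT_KEYWORDS = ("checkout", "onepage")

# include 'x'; include('x'); require_once("x"); ...
INCLUDE_RE = re.compile(
    r"""\b(?:include|include_once|require|require_once)\s*\(?\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# atob( ... ) with a flat argument (no nested parentheses).
ATOB_RE = re.compile(r"\batob\s*\(([^)]*)\)")
# Quoted literals made only of base64 characters (and whitespace).
STRING_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/=\s]*)['"]""")

# Constructed sample inputs: an index page that includes an image, a harmless
# atob() use, and a snippet built the way the article describes.
SAMPLE_PHP = """<?php
include('media/favicon.ico');
require_once 'app/bootstrap.php';
?>"""

SAMPLE_JS_CLEAN = "var view = atob('Zm9vYmFy');  // decodes to 'foobar'\n"

_REMOTE = base64.b64encode(b"https://loader.example.invalid/s.js").decode()
SAMPLE_JS_SUSPECT = (
    "if (location.href.indexOf(atob('Y2hlY2tvdXQ=')) > -1) {\n"  # 'checkout'
    "  var u = atob('" + _REMOTE[:12] + "' + '" + _REMOTE[12:24] + "' + '" + _REMOTE[24:] + "');\n"
    "}\n"
)


def find_image_includes(php_source):
    """Paths that include/require statements pull in and that carry an image extension."""
    return [p for p in INCLUDE_RE.findall(php_source) if p.lower().endswith(IMAGE_EXTENSIONS)]


def decode_atob_argument(argument):
    """Join the string literals inside an atob() argument (handles 'a' + 'b' + 'c'
    concatenation) and base64-decode them. Returns None if the result is not valid base64."""
    joined = "".join(part.strip() for part in STRING_LITERAL_RE.findall(argument))
    if not joined:
        return None
    try:
        raw = base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def classify_decoded(decoded):
    """Reasons a decoded atob() payload deserves a closer look."""
    reasons = []
    lowered = decoded.lower()
    for keyword in CHECKOUT_KEYWORDS:
        if keyword in lowered:
            reasons.append("payment-page keyword: " + keyword)
    if re.match(r"^(https?:)?//", lowered):
        reasons.append("remote script address")
    return reasons


def find_suspicious_atob(js_source):
    """Every atob() call whose decoded value, or whose fragmented encoding, looks like skimmer code."""
    findings = []
    for match in ATOB_RE.finditer(js_source):
        argument = match.group(1)
        decoded = decode_atob_argument(argument)
        if decoded is None:
            continue
        reasons = classify_decoded(decoded)
        if "+" in argument:
            reasons.append("encoded value split into concatenated fragments")
        if reasons:
            findings.append({"decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("image includes:", find_image_includes(SAMPLE_PHP))
    print("clean JS:", find_suspicious_atob(SAMPLE_JS_CLEAN))
    for finding in find_suspicious_atob(SAMPLE_JS_SUSPECT):
        print("suspect JS:", finding)
```

A hit is a lead to investigate rather than proof of compromise: legitimate code also calls atob(), which is why the clean sample is not reported, and a skimmer that computes its strings some other way will not be caught by a literal-matching scan.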
