Online criminals continue to target web stores with credit card information skimmers as these represent rich and easy pickings, according to Malwarebytes' director of threat intelligence Jérôme Segura.
Segura told iTnews the security vendor is seeing about a dozen online stores a day getting hacked, with a payments details stealing skimmer added.
It recently discovered a compromised merchant site that uses the popular WooCommerce plugin for Wordpress that had malicious code appended to a legitimate script.
Analysing the code, Malwarebytes found that the site would load favicon.ico file with the merchant's logo from a server hosted on a company with a United Arab Emirates physical address.
Malwarebytes analysts found skimmer Javascript code inserted into the metadata headers for the favicon.ico image file.
This is not the first time malicious code has been injected into header fields in image files, but Malwarebytes believes it's the first time the technique has been used to deploy a skimmer.
Once the Javascript had executed and captured user payment form data such as name, billing address and credit card details, it would encode the stolen information with Base64 and send the data to the criminals as an image file.
A complete skimmer toolkit was left by the criminals on a compromised host and found by Malwarebytes which examined it and found connections to a Magecart group.
Magecart is skimmer malware that has targeted Adobe's Magento e-commerce software over the past few years.
Segura said that regardless of the content management system (CMS) being used, proper patch management and hardening is necessary.
"Most incidents occur because a known vulnerability is found and exploited," Segura said.
Big brands and small stores are being hit by the hackers, with most activity being in the United States but other contries are also affected, Malwarebytes has found.
The attacks are financially motivated with mostly automated scans being used to identify vulnerable sites, Segura explained.
"We’ve heard about websites getting hacked for years and with various intents.
"Credit card skimming is probably one of the most lucrative schemes right now, so attackers are spending more efforts and attention on e-commerce sites instead of other CMS platforms," he said.
