According to researchers, the malware hides behind icons from top networks such as Facebook, Instagram, Twitter, Google, YouTube, and Pinterest.
Skimming attacks have lately been on the rise with entirely new pieces of malware coming out and even new variants of existing ones. This makes sense since they are very lucrative offering attackers a suitable way to steal payment information.
In the latest, a new type of attack has been discovered by cybersecurity company Sancec which consists of multiple components comprising a payload and a decoder.
See: Attackers successfully hide Mac malware in ad images
The method focuses on injecting the malicious payload into images of social media icons that are usually available on websites for users to easily share the page’s content. These icons are of famous networks such as:
Facebook
Instagram
Twitter
Google
YouTube
Pinterest
The fact that such tech giants are involved makes it very difficult for a malware scanner to detect any suspicious code. Explaining, the researchers state in their blog post that,
The malicious payload assumes the form of an html <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element. To complete the illusion of the image being benign, the malware’s creator has named it after a trusted social media company.
However, for the malicious code to be executed, the presence of a “decoder” is necessary – not at the same location as the payload itself though helping it hide even better:
Yet, according to Sansec, this isn’t the first time they have come across this type of malware that could steal payment information this way.
In June earlier this year, they reported finding a similar malware present in 9 different sites but what differentiated those from this case was that 8 of those sites only had 1 component of the malware making its execution impossible.
Currently, though, the threat looks far more severe. Nevertheless, for the future, we could say things are getting pretty complex and we can only look towards such security companies to constantly update their solutions to guard websites and applications.
Moreover, we should live with the maxim that absolutely anything can be a malicious object, even a plain text file.
