Novel Online Shopping Malware Hides in Social-Media Buttons

skimmer malware social media

The skimmer steals credit-card data, using steganography to hide in plain sight in seemingly benign images.

A payment card-skimming malware that hides inside social-media buttons is making the rounds, compromising online stores as the holiday shopping season gets underway.

According to researchers at Sansec, the skimmer hides in fake social-media buttons, purporting to allow sharing on Facebook, Twitter and Instagram. Cyberattackers are gaining access to websites’ code, and then placing the fake buttons on checkout and e-commerce pages.

As for the initial infection vector, “We have found various root causes (password interception, unpatched vulnerabilities etc.), so we suspect that the attackers are gathering victims from different sources,” Willem de Groot, founder at Sansec, told Threatpost.

Once ensconced on the page, the malware behaves just like the widespread Magecart group of skimmers, with the code being parsed and run by a shopper’s PC in order to harvest payment cards and any other information entered into a site’s online fields, he added.

Flying Under the Radar

The imposter buttons look just like the legitimate social-sharing buttons found on untold numbers of websites, and are unlikely to trigger any concern from website visitors, according to Sansec. Perhaps more interestingly, the malware’s operators also took great pains to make the code itself for the buttons to look as normal and harmless as possible, to avoid being flagged by security solutions.

“While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image,” according to Sansec’s recent posting. “The malicious payload assumes the form of an html <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element.”

To complete the illusion of the image being benign, the malicious payloads are named after legitimate companies. The researchers found at least six major names being used for the payloads to lend legitimacy: facebook_full; google_full; instagram_full; pinterest_full; twitter_full; and youtube_full.

The result of all of this is that security scanners can no longer find malware just by testing for valid syntax.

“Because it hides in legitimate-seeming files, it successfully dodges malware monitors and corporate firewalls. It is the next step by adversaries to stay under the radar, and quite successfully so,” de Groot told Threatpost.

Adding a further element of sneakiness, the malware consists of two parts: The payload code itself, and a decoder, which reads the payload and executes it. Critically, the decoder doesn’t have to be injected into the same location as the payload.

“Vulnerability scanners will not know to put the two puzzle pieces together and will miss this type of an attack,” Ameet Naik, security evangelist at PerimeterX, told Threatpost. “These attacks also leave no signature on the server side of the website, where all the security monitoring tools are. Hence the website administrators also typically have no indication that this happened.”

No interaction is necessary to activate the skimming.

“In case of this particular attack, the buttons are merely used to deliver the coded payload,” Naik added. “The user doesn’t need to click on the buttons to activate the attack. The ‘decoder ring’ is another innocent looking JavaScript injected into the website that turns the coded payload into malicious executable code.”

Chloé Messdaghi, vice president of strategy at Point3 Security, noted that website owners might miss the rogue elements as well, and not pick up that previously nonexistent social-media buttons are suddenly present on a page.

“These types of attacks will continue to succeed because even the most major online brands use code and plugins developed by third-, fourth- or even fifth-party [organizations], so there’s no centralized ownership of and responsibility for what’s authentic and what’s not,” she said via email.

She added, “until every retailer from largest to smallest realizes that their transaction websites are ‘Franken-sites’ made up of third-party pieces, and they become scrupulous about thoroughly and continually monitoring their sites, these attacks will only become more frequent and successful.”

More Pain to Come?

Sansec has found 37 stores to date infected with the malware, de Groot told Threatpost, but worse campaigns could be on the horizon.

“An attacker can of course conceal any payload with this technique,” according to the analysis.

The actors behind the malware have sown patience in their development cycle. In June, Sansec detected a similar malware that used the same technique, but the campaign appeared to be a test run.

“This malware was not as sophisticated and was only detected on nine sites on a single day,” the post read. “Of these nine infected sites, only one had functional malware. The eight remaining sites all missed one of the two components, rendering the malware useless. The question arises if the June injections could have been the creator running a test to see how well their new creation would fare.”

The second version of the malware was first found on live sites in mid-September.


Active script monitoring for the client-side is one way to catch a stealthy problem like this, researchers said.

“The goal here is twofold,” Naik said. “First, the attackers want the visible elements on the page to seem innocuous so that consumers don’t suspect anything. And secondly, they want the code for these buttons to look harmless as well so that security scanners don’t flag it as a threat. However, runtime client-side application security solutions that actively monitor the scripts executing on the shoppers browser will detect the changes to the page and flag any suspicious communication with external domains.”

Meanwhile, vendors will need to add to their product functionality, according to de Groot.

“Going forward, we suspect that most security vendors will ensure that their products are capable of SVG parsing,” he said.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles