Crims cram credit card details into product shots on e-shops

Hackers are going to considerable lengths to hide credit cards stolen from websites victimised in a wave of recent attacks, weaving the data into working images of products sold online. The tricks are part of a wave of attacks targeting some 6000 Magento e-commerce sites The Register reported last week. Sucuri remediation …

  1. Mark 85

    Why? Is this somehow more secure than keeping the data on their own PC? Or is it a way of selling the numbers? Just seems like a lot of trouble to first get the numbers and then hack the selling server.

    1. Notas Badoff

      Exfiltration by another means - http GET

      So they manage to drop nasty bits o'code into your sausage grinding server, and wait to pluck out the juicy bits as the handle cranks the credit cards through. Their code caches the tasty morsels in a place they can reach any time they want, just by accessing the sales catalog. They *don't* have to re-access the server via the original networking backdoor (and which might leave tracks to trace back) since they've probably closed up the original vulnerability anyway cuz competition from other baddies.

      A single access to break in, drop code and clean up tracks. Then they re-sample at will retrieving the latest data using plain and anonymous public web access. I am in awe. I'm off to go hide under the covers and wait for the cold sweats...

      1. John Mangan

        Re: Exfiltration by another means - http GET

        "I am in awe"

        Yeah. Thieving scum, obviously. But clever with it.

    2. frank ly

      It would be a lot safer than keeping the numbers on your own PC. It does seem to be a simple and safe way to provide a CC number to a buyer.

      1. allthecoolshortnamesweretaken

        I'd say that's the whole point of the exercise. A simple and safe way to get credit card numbers (or other information) to a buyer who's maybe not that tech-savvy, and in an indirect way too.

        Hiding in plain sight is one of the best tricks to use.

    3. Anonymous Coward

      Data exfiltration can be challenging - including to stay undetected. This is a potential way around the need to revisit the server or to use encryption, ftp, etc.

  2. Ole Juul

    am I missing something?

    $ echo "here is some text" >> picture.jpg works just fine. Doesn't show in the image which looks just the same as it did before. You can read it clearly in the code by doing $ cat picture.jpg. Try it. This isn't exactly what I'd call hacking.

    1. BarryUK

      Re: am I missing something?

      A little primitive too, considering steganographic tools and techniques are pretty easily available.

  3. Milton

    But is it news?

    The article takes a slightly breathless tone as if this is novel, or brilliantly clever. But Reg readers will know that steganography is a technique older than computers, and a well-flogged horse in the crypto world.

    So I can only assume this is news because in this case some crims are doing it to nick card data?

    Because as sure as Yahoo is a Dead Brand Walking, black hats have been using steganography for all sorts of dirty deeds for at least a decade.

    1. Anonymous Coward

      Re: But is it news?

      In a similar vane... I'm off to patent doing this on a mobile device.

      1. Stoneshop

        Re: But is it news?

        In a similar vane

        Ah, you're clearly aware of the way the wind blows in Patent Country.

    2. Gotno iShit Wantno iShit

      Re: But is it news?

      Feels like news to me. Sure it's not the most cunning of tricks - once you know it. I did not know that you can append random data to the end of a .jpg and the image is unaffected. I do know now. Obviously a sign that you've been hacked is unexpected changes to files on your system by unknown users, but this is a change made by your own systems, harder to spot in logs.

      You might also scan your logs looking for your systems unexpectedly making tweets or sending emails to check for signs of exfiltration. This method would see your data going out the door and the logs would look perfectly normal. Would you notice an outgoing product image increase in size slightly? I would today, perhaps not yesterday.
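As an added example (not from the thread or from The Register), here is a small Python check for the appended-data trick Ole Juul describes and the size-change detection question raised above: it walks the JPEG segment structure and reports any bytes sitting after the End-Of-Image marker, which is exactly where `>> picture.jpg` lands. The sample image bytes are constructed, not taken from a real file.

```python
import struct
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def jpeg_payload_end(data: bytes) -> int:
    """Walk the JPEG segment chain and return the offset just past EOI."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        # All other segments carry a big-endian length that counts its own 2 bytes.
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows; inside it 0xFF is always followed by 0x00
            # (byte stuffing) or an RSTn marker, so any other marker ends the scan.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Everything after EOI; a clean image returns b''."""
    return data[jpeg_payload_end(data):]


def build_sample_jpeg() -> bytes:
    """Constructed, structurally valid JPEG skeleton (not a viewable picture)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78\xff\xd0\x9a"  # includes stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the product images a shop serves
        tail = trailing_bytes(open(path, "rb").read())
        print(f"{path}: {len(tail)} trailing byte(s)" if tail else f"{path}: clean")
```

Run it over an image directory on a schedule and diff the results; a product shot that suddenly grows a tail is worth a look even when the web server logs show nothing unusual.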

  4. Amos1

    Old trick, actually

    Several years ago a university in Ohio noticed that the image file of their football team picture kept getting bigger and bigger and it was causing slow downloads. They thought it was corrupt so they replaced it and it happened again. Then they got wise and called in the techies. The same server was used for student fees and the malware was writing the card data to the football team picture using steganography. They did have tight egress controls on the web server so this was a way to exfiltrate the data. Literally everyone who visited the page and saw the image of the football team was now in possession of stolen card numbers.

  5. Anonymous Coward

    Isn't this just called Steganography?

    The images still work, but data is included in the least significant bit (LSB). I probably missed the point of the article, but this isn't revolutionary.

    1. Robert Helpmann??

      Re: Isn't this just called Steganography?

      This is not a new technique, but it is not one that is well publicized, often used, or at least not caught very often. It offers some advantages as listed above in that it requires a one time only access to plant the code, the exfiltration makes use of the company's own resources and tracing the black hats becomes much more difficult as they have left fewer virtual breadcrumbs to follow. While it might not be new, the fact that we are reading about it now probably indicates that its use in the wild is on the upswing.

  6. DNTP

    How to beat this

    As Sun Tzu said, "the way to defeat a hacker is to turn his own weapons against him." Therefore to keep my credit cards safe I have encoded all the numbers into JPGs of beehives and then posted the pictures on the internet.

  7. israel_hands

    Tough Crowd

    I don't understand the tone of a lot of the comments in this article. Yes, steganography is ancient. But so is adding numbers together and yet I don't see articles on the unveiling of a new piece of hardware littered with comments saying "Yeah, but it just adds numbers, people have been adding numbers together since at least the late 70's."

    I didn't know you could append data to a jpg so simply and retain both the data and the image, and to my mind, this latest piece of work is a piece of minor genius. No need to leave a backdoor in the system, or risk getting traced when you try to get the data out, just wait for the server to serve it up to you while browsing. You could even just use a command-line daemon to pull the images and automate the whole process.

    It may not be a new idea, even the specific application of doctored jpgs may be old news, but it's a fucking clever implementation.
