Foregenix, the information security specialists, have identified a worrying new trend of obfuscated code containing malware being placed (hidden) on merchant’s web sites. Designed to harvest payment card details, the malware takes an unusual approach to stealing the information.
Foregenix are warning that this malware could be currently hiding in web sites without businesses even being aware of it; leaving them open to embarrassing and costly data breaches.
Hackers are using a script which uses several layers of encoding (binary XOR and text based base64), compression and function lookup tables to protect or hide the internal workings of the malware. The approach the attackers take makes it extremely easy to change the outer layers, thereby making it more difficult to detect in an automatic fashion, although it certainly is possible.
Within this malware is a dangerous new variation on the payment card harvesting attacks. Whereas it is fairly common to find the compromised data appended to an image file, making it easy to anonymously download – or email the compromised data to a temporary email address – this malware actually encrypts the payment details and puts it back in the local database.
The malware provides facilities to manage the table that the payment information is being saved to and also allows the attackers to download the data and purge the data from the database as and when they deem it necessary.
Benjamin Hosackof Foregenix issued advice to website owners and developers: “We strongly advise regular database reviews, checking for unusual or new tables that may be present. Regular and frequent reviews of the source of your site is also beneficial to detect compromised or modified files.