Hackers are hiding virtual credit card skimmers in image file metadata

They're using a vulnerability in a WordPress plugin.

alexialex via Getty Images

Lots of people know to check ATMs and gas station credit card readers for skimmers, but it’s harder to tell when virtual ones are hidden them in websites’ payment portals. According to research from Malwarebytes, hackers put Magecart JavaScript code into the EXIF metadata of image files, which is then loaded and executed by compromised stores. Hiding malicious code inside of images is nothing new, but it’s the first time security researchers have seen them used to obscure credit card skimmers.

A recent trend among hackers has been to hide malicious code in favicons -- those icons you see in the corner of a browser tab. Malwarebytes says that it first assumed the exploit it was researching was a variation on this type of attack, but further analysis revealed it was something else entirely. The company found that the malicious code was loaded via the WooCommerce plugin for WordPress. This is an increasingly popular target among hackers, thanks to its wide market share. When loaded, it grabs payment information, such as the customer’s name, address and credit card details.

This is an important reminder that malware can be hidden anywhere. And with the ubiquity of JavaScript code, just about any device can be exploited if the proper precautions aren’t taken.