Beware! New Steganography-based credit card readers target online retail shops.


  • As per a report by Malwarebytes Lab, a new credit card skimmer is spotted, and the victims are the online retail shops.
  • Web crawlers and scanners focus on HTML and JavaScript and look through media files.
  • Cyber criminals are making use of WebSockets to create a secret way to exchange data that is not a usual HTTP request-response.

Steganography has been used by malware authors to hide malicious data with the help of legitimate-looking images, and now it is being misused by cybercriminals to spread credit card skimmers.

More on the matter

Basically, when a user looks at these images with naked eyes, they completely resemble the free shipping ribbon that commonly appears on the shopping sites. But a closer look of the image reveals JavaScript code that is suffixed at the end of the file maker.

Furthermore, researchers discovered that “all compromised sites were spotted using a Steganographic skimmer that had similar code snippets, especially after the footer element or Google Tag Manager (GTM) to be able to load bogus images and parse its JavaScript content via the slice() method.

Here comes the twist

Researchers explain, “Threat actors are deploying WebSockets to provide a more mysterious way to exchange data. However, cybercriminals don’t have to load new WebSockets that are likely to be detected in the DOM.

Researchers also mention that here the threat actors were smart enough to confuse by writing the code with precision to blend seamlessly.

Now the objective is to secure a connection to the server that is controlled by criminals over a WebSocket. And literally a handshake is enough to carry out the fraud.


Because when a malicious JavaScript code runs in the browser, it prompts a handshake request. Once this is done, it triggers a series of bidirectional messages to be exchanged between the target’s browser and the malicious host.