Credit Card Stealing Malware Found In Favicon EXIF Data

Updated on: June 29, 2020

Credit Card Stealing Malware Found In Favicon EXIF Data

Hackers are known to continually evolve their methods and find new ways to attack. Recently, there have been reports of hackers including information that could potentially be used to steal credit card details in websites’ favicon EXIF data.

This malware was originally found in an online store using the WordPress WooCommerce plugin. To know more about this type of hack and how to prevent it, read on.

What is the Favicon EXIF Data Credit Card Stealing Hack?

Recently, it was found that an online store using the WordPress WooCommerce plugin was infected with scripts designed to steal customer’s credit cards.

It is speculated that the hackers behind this attack belong to the group Magecart, which has been behind big hacks such as the recent attacks on Claire’s, Tupperware, and British Airways. You can read more about Magecart and their attacks here

The malicious scripts, interestingly, weren’t added directly to the site but were contained in the Exchangeable Image File Format (EXIF) data for a remote site’s favicon image.

EXIF data or metadata is information that’s embedded in a digital image, such as the artist who created it, information about the camera, geographical location where the picture was taken, and copyright information. 

In this particular instance, the malicious JavaScript code that was being used to capture data from payment forms was hidden in the copyright part of the EXIF data of favicons used in the website.

Once the favicon loads, scripts added to the site by the hackers would activate the malicious code in the image, which would in turn steal credit card information submitted on checkout pages and relayed to the hackers. 

How the credit card stealing malware in favicon EXIF data works

How can you prevent the Favicon EXIF Data Credit Card Stealing Hack?

A good way to ensure that you’re not vulnerable to such attacks is to use assets such as images, animations, and fonts from reputable sources. This way, you can ensure that there’s no malicious code in them. 

The only sure-fire way to prevent your site getting hacked and fend off most cyber attacks is to invest in a great firewall and get regular security audits for your site. Astra’s security suite provides round the clock protection and support, so you don’t have to worry about these kinds of attacks.

In this instance, however, the malicious code used to carry out the hack wasn’t contained in the site itself, but in the favicon EXIF data. This means that it has a very high likelihood of going unnoticed by traditional malware scanners and even web developers.

But there’s good news – as hackers continuously evolve, so do the good guys! Now that such attacks have been noticed, tons of security specialists like Astra are working on making sure they don’t happen again. So it’s a great idea to invest in good cyber security so that you don’t have to worry about getting hacked anymore!

Conclusion: Favicon EXIF Data Credit Card Stealing Hack

Hackers are continuously evolving their methods, and Magecart is one such group known to be behind some of the most interesting and clever attacks. Since their attacks are so prevalent, we’ve made a video that you might find helpful:

A great way to stay on top of such attacks is to invest in good security practices. A firewall and regular security scans in addition to secure development practices can go a long way in building the reputation of your site.

About Astra Security Suite

Astra is the essential web security suite that fights hackers, internet threats & bots for you. We provide proactive security for your websites running popular CMSs like WordPress, OpenCart, Magento etc. Our professional malware removal team is available 24×7 throughout the year to help you regain your hacked website and quickly get back to business.

Was this post helpful?


Sreenidhi is a tech enthusiast who enjoys writing about cybersecurity and data science. Her areas of interest include WordPress security, new malware, and recent cybersecurity news.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany