Card Skimmers Move From Gas Pumps to Social Media

Researchers find payment malware on e-commerce checkout pages hiding inside share icons.

December 14, 2020

ALEXANDRIA, Va.—Researchers at Dutch cybersecurity firm Sanguine Security (SanSec) said they discovered a web skimmer, or Magecart script, lurking inside social media “share” icons for Facebook, Google, Instagram, Pinterest and YouTube.

The novel malware consists of two parts: a concealed payload and a decoder. The decoder reads the payload and executes the concealed code.

“While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax,” SanSec said. “To complete the illusion of the image being benign, the malware’s creator has named it after a trusted social media company.”

The firm said it found the e-skimming malware on e-commerce sites in June and September.

Earlier this year, NACS Daily published a three-part series on data security: the first installment, “Under Siege: Cybercriminals Target C-Stores,” the second installment, “To Prevent Cyberattacks, Minimize IT Vulnerabilities,” and the third installment, “Remediating Cyberattacks Requires a Team Effort.”

For more information on data security and standards, visit