When attackers compromise a website and want to harvest credit cards, they need to either find where the data is stored or capture the data in transit. This blog post shows how identifying files with false file signatures can uncover malicious activity on a server. I recently discovered credit card data hidden behind a .jpg extension that lead me to the work of an attacker capturing credit cards from customers using an online checkout page.
Below I detail how I discovered the attacker’s methods and the methods themselves.
***Please note that the code and examples in this article have been recreated in a test environment. Any cardholder data, including names and credit card numbers, is fake.***