7 May 2020

Hackers use website favicon to hide credit card skimmer


Hackers are constantly devising new tricks to fool online shoppers and steal their credit card data and personal information. Recently, researchers from Malwarebytes observed one such campaign, in which attackers set up a fake website to host a JavaScript web skimmer masquerading as a favicon and loaded it onto compromised e-commerce portals.

The attack is what security researchers refer to as web skimming, e-skimming, or a Magecart attack. According to Malwarebytes, the malicious actor registered a new website purporting to offer thousands of images and icons for download, but which in reality served as a front for a credit card skimming operation.

The campaign came to light when the researchers noticed several e-commerce sites loading a Magento favicon from a domain called myicons[.]net. The domain hosted various icons and, in particular, favicons: the small image files displayed in the browser tab, often used for branding or identifying a website.

Further research showed that myicons[.]net had been registered just a few days earlier and was hosted on a server (83.166.244[.]76) previously linked to another web skimming campaign. Furthermore, the content myicons[.]net hosted was stolen from a legitimate site, iconarchive[.]com.

The experts analysed the favicon.png file and found that the server did not always return an image: when the request came from the checkout page of a compromised Magento website, the seemingly benign PNG was replaced with malicious JavaScript designed to steal credit card information and send it to the attackers' servers.

“Instead of serving a PNG image, the malicious server returns JavaScript code that consists of a credit card payment form. This content is loaded dynamically in the DOM to override the PayPal checkout option with its own drop-down menu for MasterCard, Visa, Discover and American Express,” the researchers explained.

“In addition to JavaScript code, it contains HTML that will be injected into the checkout page of compromised stores. The idea is to blend in so that shoppers don’t notice anything suspicious.”
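One check a store owner or analyst can run against the conditional serving described above: request the favicon with and without a checkout-page Referer and verify that every response really is an image, not script. The following is an added example written for this page, not code from Malwarebytes or from the campaign; the URLs (myicons.example, shop.example), the injected fetcher interface and the sample response bodies are constructed placeholders so that it runs offline.

```python
"""Flag a 'favicon' URL that hands back script instead of an image.

Added example, not Malwarebytes' code.  The HTTP fetcher is passed in as a
callable so the check can run offline against constructed responses; in a
real deployment you would pass a thin wrapper around urllib or requests that
returns (content_type, body).
"""
from typing import Callable, Dict, Tuple

# Magic bytes of the image formats a favicon may legitimately use.
IMAGE_MAGICS = (
    b"\x89PNG\r\n\x1a\n",  # PNG
    b"\x00\x00\x01\x00",   # ICO
    b"GIF8",               # GIF
    b"\xff\xd8\xff",       # JPEG
)

# Lower-cased tokens that never belong in an image body.  One hit is enough.
SCRIPT_MARKERS = (b"<script", b"<form", b"document.", b"createelement",
                  b"innerhtml", b"xmlhttprequest", b"fetch(", b"function(")

Fetcher = Callable[[str, Dict[str, str]], Tuple[str, bytes]]


def classify_body(body: bytes) -> str:
    """Return 'image' for a genuine image body, 'script' for JS/HTML, else 'unknown'."""
    if body.startswith(IMAGE_MAGICS):
        return "image"
    lowered = body.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def check_favicon(url: str, fetch: Fetcher,
                  referers: Tuple[str, ...] = ("", "https://shop.example/checkout/")) -> Dict[str, str]:
    """Fetch the favicon once per Referer value and report what each body really is.

    A clean host returns the same image regardless of Referer.  A host doing
    conditional serving returns an image to a plain request but script when the
    Referer looks like a checkout page, so we probe both.
    """
    results: Dict[str, str] = {}
    for ref in referers:
        headers = {"Referer": ref} if ref else {}
        content_type, body = fetch(url, headers)
        kind = classify_body(body)
        declared = content_type.split(";")[0].strip().lower()
        if kind != "image" and declared.startswith("image/"):
            kind += " (Content-Type claims %s)" % declared
        results[ref or "<no referer>"] = kind
    return results


def is_suspicious(results: Dict[str, str]) -> bool:
    """True if any probe returned something other than an image."""
    return any(kind != "image" for kind in results.values())


# --- Constructed sample responses (not captured traffic) -------------------
# A truncated PNG header stands in for the real favicon, and a stand-in for
# the kind of form-injecting script the researchers describe.
BENIGN_PNG = IMAGE_MAGICS[0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
FAKE_SKIMMER_JS = (b"var d=document.createElement('div');"
                   b"d.innerHTML='<select><option>Visa</option></select>';"
                   b"document.querySelector('#paypal').replaceWith(d);")


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Simulated server: PNG for plain requests, script when the Referer is a checkout page."""
    if "checkout" in headers.get("Referer", ""):
        return "image/png", FAKE_SKIMMER_JS   # declared PNG, delivers script
    return "image/png", BENIGN_PNG


if __name__ == "__main__":
    report = check_favicon("https://myicons.example/favicon.png", fake_fetch)
    for referer, kind in report.items():
        print("%-32s -> %s" % (referer, kind))
    print("suspicious:", is_suspicious(report))
```

The Content-Type header is deliberately not trusted: the server controls it, so the decision rests on the first bytes of the body. Probing with a checkout Referer matters because a monitoring tool that fetches the icon from a plain browser session sees only the benign image.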

The credit card skimmer was also being used to collect personal information from the customers of compromised e-commerce sites, including names, addresses, phone numbers, and emails.
