The attack is what security researchers refer to as web skimming, e-skimming, or a Magecart attack. According to Malwarebytes, the malicious actor registered a new website purporting to offer thousands of images and icons for download, which in reality served as a front for a credit card skimming operation.
The campaign came to light when the researchers noticed that several e-commerce sites were loading a Magento favicon from a domain called myicons[.]net. The domain hosted various icons, in particular favicons: the image files displayed on the browser’s tab, often used for branding or identifying a website.
Further research showed that myicons[.]net had been registered just a few days prior and was hosted on a server (83.166.244[.]76) previously linked to another web skimming campaign. In addition, the content hosted on myicons[.]net was stolen from a legitimate site hosted at iconarchive[.]com.
The credit card skimmer was also being used to collect personal information from the customers of compromised e-commerce sites, including names, addresses, phone numbers, and emails.
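The observation that exposed the campaign, a shop loading its favicon from an unrelated domain, can be turned into a routine check of your own storefront pages. The following is an added example, not code from Malwarebytes or the article: the function names, the shop URL, and the sample HTML (including the icon paths) are constructed for illustration, and only the defanged domain comes from the text above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Defanged indicator from the article; refanged only in memory for comparison.
DENYLIST = {"myicons[.]net"}

def refang(host):
    return host.replace("[.]", ".").lower()

class _IconLinks(HTMLParser):
    """Collect href values of <link> tags whose rel names an icon."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        # Matches "icon", "shortcut icon" and "apple-touch-icon".
        if any(tok.endswith("icon") for tok in rel) and a.get("href"):
            self.hrefs.append(a["href"])

def audit_favicons(page_url, html, denylist=DENYLIST):
    """Return (icon_url, verdict) for every favicon not served by the page's own host."""
    own = (urlsplit(page_url).hostname or "").lower()
    bad = {refang(h) for h in denylist}
    parser = _IconLinks()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        url = urljoin(page_url, href)  # resolves relative and //host/ forms
        host = (urlsplit(url).hostname or "").lower()
        if host == own:
            continue
        hit = any(host == b or host.endswith("." + b) for b in bad)
        findings.append((url, "denylisted" if hit else "third-party"))
    return findings

# Constructed sample page head; paths and the shop/CDN hosts are made up.
SAMPLE = """<html><head>
<link rel="shortcut icon" href="//{ioc}/favicon.png">
<link rel="icon" href="/media/favicon.ico">
<link rel="apple-touch-icon" href="https://cdn.example.org/touch.png">
<link rel="stylesheet" href="https://cdn.example.org/site.css">
</head><body></body></html>""".format(ioc=refang("myicons[.]net"))
```

A "third-party" verdict is a prompt to confirm that the host is an asset you control or have approved, while "denylisted" means the page references a host you have already recorded as malicious.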