7 May 2020

Hackers use website favicon to hide credit card skimmer


Hackers are constantly devising new tricks to fool online shoppers and steal their credit card data, as well as personal information. Recently, researchers from Malwarebytes observed one such campaign, in which attackers created a fake website to host a JavaScript web skimmer masquerading as a favicon and load it onto compromised e-commerce portals.

The attack is what security researchers refer to as web skimming, e-skimming, or a Magecart attack. According to Malwarebytes, the malicious actor registered a new website purporting to offer thousands of images and icons for download, but which in reality served as a front for a credit card skimming operation.

The campaign came to light when the researchers noticed that several e-commerce sites were loading a Magento favicon from a domain called myicons[.]net, which hosted various icons and, in particular, favicons: the image files displayed on the browser’s tab, often used for branding or identifying a website.

Further research has shown that myicons[.]net was registered just a few days prior and was hosted on a server (83.166.244[.]76) previously linked to another web skimming campaign. Furthermore, the content myicons[.]net hosted was stolen from a legitimate site hosted at iconarchive[.]com.

The experts analysed the favicon.png file and found that, on the checkout page of a compromised Magento website, the seemingly benign favicon PNG image was automatically replaced with malicious JavaScript code designed to steal credit card information and send it to the attackers' servers.

“Instead of serving a PNG image, the malicious server returns JavaScript code that consists of a credit card payment form. This content is loaded dynamically in the DOM to override the PayPal checkout option with its own drop down menu for MasterCard, Visa, Discover and American Express,” the researchers explained.

“In addition to JavaScript code, it contains HTML that will be injected into the checkout page of compromised stores. The idea is to blend in so that shoppers don’t notice anything suspicious.”

The credit card skimmer was also being used to collect personal information from the customers of compromised e-commerce sites, including names, addresses, phone numbers, and emails.
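Because the server returned JavaScript where a PNG was expected, a store owner can audit captured favicon responses by content rather than by file name. The following Node.js sketch is an added example, not code from Malwarebytes or the original article; the record shape `{ pageUrl, url, body }`, the `shop.example` and `icons.example` hostnames, and the response bodies are constructed assumptions.

```javascript
// Added example. Hostnames and response bodies below are constructed sample data.
// Magic numbers of the formats a favicon is normally served in.
const SIGNATURES = {
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  ico: [0x00, 0x00, 0x01, 0x00],
  gif: [0x47, 0x49, 0x46, 0x38],
  jpeg: [0xff, 0xd8, 0xff],
};

// Identify the image format from the leading bytes; null if none matches.
function sniffImageType(body) {
  for (const [name, sig] of Object.entries(SIGNATURES)) {
    if (body.length >= sig.length && sig.every((b, i) => body[i] === b)) return name;
  }
  return null;
}

// True when the first 512 bytes are almost entirely printable ASCII (script or markup).
function looksLikeText(body) {
  const head = body.subarray(0, 512);
  let printable = 0;
  for (const b of head) {
    if (b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127)) printable++;
  }
  return head.length > 0 && printable / head.length > 0.95;
}

// Audit one captured favicon response: { pageUrl, url, body }.
function auditFavicon(rec) {
  const findings = [];
  if (new URL(rec.url).hostname !== new URL(rec.pageUrl).hostname) {
    findings.push("third-party-host");
  }
  if (sniffImageType(rec.body) === null) {
    findings.push("not-an-image");
    if (looksLikeText(rec.body)) findings.push("text-payload");
  }
  return findings;
}

// Constructed captures: the same favicon URL fetched from two pages of one shop.
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_CAPTURES = [
  { pageUrl: "https://shop.example/", url: "https://icons.example/favicon.png", body: pngHeader },
  { pageUrl: "https://shop.example/checkout/", url: "https://icons.example/favicon.png",
    body: Buffer.from("var form = document.createElement('div'); /* constructed */") },
];

SAMPLE_CAPTURES.forEach((rec) => console.log(rec.pageUrl, "->", auditFavicon(rec).join(", ") || "ok"));
```

Capturing the same favicon URL from both the home page and the checkout page matters here, since the article reports the swap on checkout pages.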
