7 May 2020

Hackers use website favicon to hide credit card skimmer


Hackers use website favicon to hide credit card skimmer

Hackers are constantly devising new tricks to fool online shoppers and steal their credit card data, as well as personal information. Recently, researchers from Malwarebytes observed such campaign, in which attackers created and used a fake website to host and load a JavaScript web skimmer masqueraded as a favicon onto compromised e-commerce portals.

The attack is what security researchers refer to as a web skimming, e-skimming, or a Magecart attack. According to Malwarebytes, the malicious actor registered a new website purporting to offer thousands of images and icons for download, but which in reality served as a front for a credit card skimming operation.

The campaign came to light when the researchers noticed several e-commerce sites were loading a Magento favicon from a domain called myicons[.]net hosting various icons and, in particular, favicons, image files displayed on the browser’s tab often used for branding or identifying a website.

Further research has shown that myicons[.]net was registered just a few days prior and was hosted on a server (83.166.244[.]76) previously linked to another web skimming campaign. Furthermore, the content myicons[.]net hosted was stolen from a legitimate site hosted at iconarchive[.]com.

The experts analysed the favicon.png file and found that when visiting the checkout page of a compromised Magento website seemingly benign favicon PNG image was automatically replaced with malicious JavaScript code designed to steal credit card information and send it to the attackers' servers.

“Instead of serving a PNG image, the malicious server returns JavaScript code that consists of a credit card payment form. This content is loaded dynamically in the DOM to override the PayPal checkout option with its own drop down menu for MasterCard, Visa, Discover and American Express,” the researchers explained.

“In addition to JavaScript code, it contains HTML that will be injected into the checkout page of compromised stores. The idea is to blend in so that shoppers don’t notice anything suspicious.”

The credit card skimmer was also being used to collect personal information from the customers of compromised e-commerce sites, including names, addresses, phone numbers, and emails.

Back to the list

Latest Posts

Researchers uncovered undetectable malware linked to Russia's APT

Researchers uncovered undetectable malware linked to Russia's APT

According to a recent report published by Palo Alto Networks, new piece of malware currently evades 56 antivirus products.  
6 July 2022
New ransomware operation RedAlert puts victims on a "board of shame"

New ransomware operation RedAlert puts victims on a "board of shame"

At this point, only one victim is listed on the RedAlert’s data leak website, indicating that the development is very new.
6 July 2022
Microsoft silently issued a fix for ‘ShadowCoerce’ NTLM Relay attack

Microsoft silently issued a fix for ‘ShadowCoerce’ NTLM Relay attack

Despite patching the flaw, Microsoft hasn’t provided any details about it and assigned a CVE ID yet.
6 July 2022