Cybercriminals Hide Web Skimmer Behind a Website's Favicon
A hacker group recently created a fake icon hosting website to hide malicious code, aimed at stealing credit card data from hacked websites. The hackers ran a sophisticated campaign that involved a Magecart attack, also known as web skimming.
The attackers use this type of approach to breach security on websites and hide malicious code inside. The code steals payment card details when they're entered into the checkout form. Web skimming attacks have been happening for a few years now, with companies getting better at catching up with the attackers. That led to threat actors getting smarter and more inventive about it, as is the case with many scams out there.
Hackers Made Fake Icons Hosting Portal
Security researchers spotted the group taking their operations up a notch with new tricks and sophisticated efforts. A series of attacks were being investigated, with the only modified piece of the hacked websites being the favicon, the small image shown in browser tabs. The new favicon was uploaded and hosted on MyIcons.net. The image was lacking malicious code within, but that still led the researchers to investigate, with web skimming code being loaded on hacked websites. The image was suspicious, with the legitimate favicon used on MyIcons.net being used to load on all websites except pages with checkout forms.
On pages like those, the MyIcons.net website switched the favicon with a malicious JavaScript. The script was part of a fake checkout form made to steal any visiting user's card details. The site may be fooled into believing the website is a fully functioning and legitimate website, according to researchers. It turns out; MyIcons.net was a clone of IconArchive.com, a legitimate portal hosting such content. The goal behind the clone was to act as a decoy for other parts of the attack.
The website was hosted on servers used by previous web skimming campaigns, according to cybersecurity company Sucuri.
Whoever is behind this operation, the group worked hard to hide the malicious code. The nature of card skimming attacks makes it hard to remain undetected for long, so that led to the discovery of their campaign. So far, this case is unique, as there have not been any other fake icon hosting portals used in web skimming operations, though cybercrime groups in other crimes have used similar tactics.
Examples of that can be seen with the 28 fake ad agencies registered by the Zirconium gang, aimed at showing malicious ads on many websites. The operator behind the Orcus remote access Trojan also registered and operated a company in Canada, one that claimed to provide remote access software to enterprise workers.