[BreachExchange] Hackers use website favicon to camouflage credit card skimmer

Fri May 8 10:48:09 EDT 2020

https://www.bleepingcomputer.com/news/security/hackers-use-website-favicon-to-camouflage-credit-card-skimmer/

Hackers have created and used a fake icon portal to host and load a
JavaScript web skimmer camouflaged as a favicon onto compromised
e-commerce portals to steal their customers' credit card and personal
information.

Cybercrime gangs known as Magecart groups inject malicious
JavaScript-based scripts into the checkout pages of e-commerce stores
after hacking them as part of web skimming attacks also known as
e-skimming.

In such operations, the attackers' end goal is to harvest all the
payment info submitted by the compromised site's customers and to
collect it on remote servers under own control.

As part of the Magecart attack detailed in a Malwarebytes report
published today, several compromised Magento websites were observed
while loading a payment card data skimmer instead of the website
favicon on their checkout pages, replacing the sites' legitimate
checkout option.

"We only found a handful probably because this campaign was very fresh
(less than a week old)," Malwarebytes Director of Threat Intelligence
Jérôme Segura told BleepingComputer.

Fake icon portal used for payload delivery

The attackers went through a lot of trouble to keep their operation
from being noticed, setting up a fake icon hosting website that loaded
at myicons[.]net that loaded all its content from the legitimate
iconarchive.com portal using an iframe.

"Threat actors registered a new website purporting to offer thousands
of images and icons for download, but which in reality has a single
purpose: to act as a façade for a credit card skimming operation," the
researchers explained.

As the Malwarebytes researchers further found while browsing the
compromised online stores, the attackers would load a benign image
from myicons[.]net/d/favicon.png on all website pages except for
checkout pages.

Once the customers would attempt to buy something and would open a
checkout page, the innocuous favicon PNG image was automatically
replaced with malicious JavaScript code designed to steal credit card
information and send it to the attackers' servers.

"This content is loaded dynamically in the DOM to override the PayPal
checkout option with its own drop down menu for MasterCard, Visa,
Discover and American Express," Malwarebytes found.

Web skimmer injection (Malwarebytes)

The credit card skimmer was also being used to collect personal
information from the customers of hacked e-commerce sites, including
but not limited to names, addresses, phone numbers, and emails.

Same group behind other recent Magecart campaigns

The group behind this Magecart campaign is also believed to be behind
another series of attacks from March where they used a malicious
JavaScript library disguised as CloudFlare’s Rocket Loader.

The hosting server at 83.166.244[.]76, used by the attackers to host
their fake icon portal, was previously detected by cybersecurity firm
Sucuri during the analysis of another Magecart campaign where the
credit card stealing code was being loaded from dynamically generated
domains.

Just as in the case of the campaign described today by Malwarebytes,
the web skimmer was obfuscated using the ant_cockroach method.

Decoy Magento favicon used in credit card skimming operation via
server-side trickery.

Web skimming defense measures

Last month, Payments processor Visa urged online merchants to migrate
their stores to Magento 2.x before the Magento 1.x e-commerce platform
reaches end-of-life (EoL) in June 2020 to prevent exposing their
customers to Magecart attacks and to remain PCI compliant.

The U.S. Federal Bureau of Investigation (FBI) warned government
agencies and SMBs (small and medium-sized businesses) in October 2019
of e-skimming threats targeting their process online payments.

Both the FBI and the Cybersecurity and Infrastructure Security Agency
(CISA) shared [1, 2] defense measures that government agencies and
businesses can implement to protect themselves against web skimming
threats.

However, online stores' users have very few options to protect
themselves against Magecart attacks, with browser extensions
specifically designed to block loading JavaScript code on untrusted
websites being one of them.

This approach, unfortunately, won't be of much help if hackers manage
to compromise on the customers' previously whitelisted e-commerce
sites.