How a favicon delivered a web credit card skimmer to victims

Cyber crooks deploying web credit card skimmers on compromised Magento websites have a new trick up their sleeve: favicons that “turn” malicious when victims visit a checkout page.

Favicons and card skimmers

A favicon is a file containing one or more small icons associated with a website; it is usually displayed in the browser’s address bar, on the tab in which the website is open, and in bookmarks.


“The goal [with online credit card skimmers is] to deceive online shoppers while staying under the radar from website administrators and security scanners,” Malwarebytes researcher Jérôme Segura explained.

In this latest approach, the crooks registered a new website purporting to offer thousands of images, icons and favicons for download (myicons[.]net) and made it look like an exact copy of the legitimate iconarchive.com site by loading that site inside an iframe.

Several e-commerce sites were loading a Magento favicon from this domain, Segura noted, but at first glance, the favicon image was clean.

Further analysis showed that, instead of the favicon, the malicious site returned JavaScript code that renders a credit card payment form, but only when the user was visiting a checkout page.


The script would override the PayPal checkout option with its own drop-down menu for MasterCard, Visa, Discover and American Express. The entered card details would then be exfiltrated to a remote server controlled by the crooks.
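The technique described above rests on two observable properties: a resource the page loads as an image comes back as JavaScript, and the same URL serves different content depending on whether the request originates from a checkout page. Both are cheap for a site owner to check from the outside. The following is an added example, not code from Malwarebytes or from the article; the HTTP responses are constructed inline so it runs offline, and `detect_conditional_serving()` is a hypothetical helper into which a real monitor would feed the favicon URL fetched twice, once with a Referer of an ordinary product page and once with the checkout page.

```python
"""Sanity checks for a favicon (or any image) a shop loads from a third-party host.

Added example, not the article's or Malwarebytes' code. The responses below are
constructed so the check runs offline; a real monitor would fetch the favicon URL
once with a neutral Referer and once with the checkout page as Referer, then pass
both observations to detect_conditional_serving().
"""
import hashlib
import re

# File signatures of formats that are legitimate for a favicon.
IMAGE_SIGNATURES = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# SVG is text; it is accepted as an image here, although SVG can embed script,
# so a monitor that allows SVG favicons should inspect them separately.
SVG_RE = re.compile(rb"^\s*(?:<\?xml[^>]*>\s*)?(?:<!--.*?-->\s*)?<svg", re.I | re.S)
# Tokens a binary image never contains but JavaScript almost always does.
JS_HINTS = re.compile(rb"\b(?:function|document\.|window\.|eval)\b|\bvar |\blet |\bconst ")


def sniff_image(body):
    """Return the image kind detected from the body's magic bytes, or None."""
    for sig, kind in IMAGE_SIGNATURES.items():
        if body.startswith(sig):
            return kind
    if SVG_RE.match(body):
        return "svg"
    return None


def check_favicon_response(content_type, body, expected_sha256=None):
    """Return a list of findings for one response; an empty list means it looks like a plain image.

    expected_sha256 lets a site owner pin the hash of the favicon they actually
    published, so any replacement is flagged even if it is still a valid image.
    """
    findings = []
    declared = content_type.split(";")[0].strip().lower()
    kind = sniff_image(body)
    if not declared.startswith("image/"):
        findings.append("declared Content-Type is %r, not image/*" % declared)
    if kind is None:
        findings.append("body does not start with a known image signature")
    if kind is None and JS_HINTS.search(body):
        findings.append("body contains JavaScript-like tokens")
    if expected_sha256 is not None and hashlib.sha256(body).hexdigest() != expected_sha256:
        findings.append("body hash differs from the pinned favicon hash")
    return findings


def detect_conditional_serving(observations, expected_sha256=None):
    """observations: list of (label, content_type, body) for the SAME URL fetched
    under different conditions (for example different Referer headers).
    Returns per-label findings and whether the body changed between conditions,
    which is the tell-tale of content served only to checkout visitors."""
    per_label = {
        label: check_favicon_response(ct, body, expected_sha256)
        for label, ct, body in observations
    }
    digests = {hashlib.sha256(body).hexdigest() for _, _, body in observations}
    return {"findings": per_label, "content_varies": len(digests) > 1}


# Constructed sample data: a minimal ICO header (not a complete image) that stands
# in for the clean favicon, and a JavaScript-like body standing in for the
# checkout-only response. Neither is taken from the real campaign.
CLEAN_ICO = b"\x00\x00\x01\x00\x01\x00\x01\x01\x00\x00\x01\x00\x20\x00" + b"\x00" * 32
SCRIPT_BODY = b"(function(){var f=document.createElement('form');/* ... */})();"
PINNED = hashlib.sha256(CLEAN_ICO).hexdigest()

SAMPLE = [
    ("referer=product-page", "image/x-icon", CLEAN_ICO),
    ("referer=checkout", "application/javascript", SCRIPT_BODY),
]

if __name__ == "__main__":
    report = detect_conditional_serving(SAMPLE, PINNED)
    print("content varies by condition:", report["content_varies"])
    for label, findings in report["findings"].items():
        print(label, "->", findings or "clean")
```

Pinning the hash is the strongest of the three checks: it catches a swapped favicon even when the replacement is a perfectly valid image, whereas the signature and Content-Type checks only catch the case the article describes, where the "icon" is actually script.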

The new trick is part of ongoing attacks

“Given the decoy icons domain registration date, this particular scheme is about a week old but is part of a larger number of ongoing skimming attacks,” the researcher noted.

In fact, the IP of the server on which the malicious icon was hosted was flagged as part of an attack infrastructure nearly a month ago by Sucuri researchers, who tied it to a gang “known for using quite a few interesting tricks in their skimmers.”

It’s difficult for consumers to spot this type of attack, and endpoint security solutions may or may not detect it. It’s on site owners to keep their websites secure and to quickly spot malicious changes, including in resources loaded from third-party domains.
