Hackers use Website’s Favicon to hide a web skimmer to collect Credit Card details


Hackers create a fake icon-hosting website and hide a web skimmer behind the favicon during checkout

Changing situations often lead to cybercriminals changing their tactics. The effects of the coronavirus pandemic are forcing everybody to use the Internet for everything, from buying groceries to watching movies, uploading images, etc. This is exactly what the hackers want. Malwarebytes has reported a clever hacking campaign undertaken by one such group of hackers, who have installed a web skimmer behind the favicon of the website.

In what could be the most innovative hacking campaign of this year, a hacker group created a fake icon-hosting website to lure webmasters. They then switched the legitimate icon with an icon laden with web skimmer malware. When the webmaster installed the favicon on their website, the hackers’ code would activate and steal payment card data from the hacked websites.

What is Web Skimming?

Web skimming, also called e-skimming or a Magecart attack, is a process in which hackers breach websites and hide malicious code on their webpages. The code activates itself when a customer uses a credit or debit card to make a payment. It steals the payment card details as soon as the victim enters them in checkout forms, then relays the stolen details to the hackers' command and control center.

Web skimming attacks were first noticed in 2016, and they have become more innovative as the years have passed. The U.S. Federal Bureau of Investigation (FBI) issued a warning in October 2019 to US e-tailers and online operators about e-skimming, or Magecart, attacks.

Malwarebytes today published a report which details such an innovative web skimming operation carried out by a group of hackers. Malwarebytes discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon. Favicons are the website logos that appear when you visit a website.

The hacker group created a website called MyIcons.net. At first look, MyIcons looked like a legitimate icon hosting website with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.

Innovation by hackers

While MyIcons has legitimate and malware-free icons on its website, it would switch the legitimate icons with ones that were laden with web skimming malware in the checkout section. The change was so innocuous that the icon buyer would hardly notice it. Once the icon buyer installed the icon on their website, the web skimming code would activate itself and start stealing payment card details. The group behind this operation went to great lengths to hide its malicious code, but Malwarebytes researchers were able to find it.
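A defender-side check for the behaviour described above, as an added example that is not from Malwarebytes or the original article: it compares the bytes returned for one favicon URL in different page contexts and flags a body that is not an image or that changes at checkout. The context names and sample bytes are constructed, and how the responses were captured is assumed.

```python
import hashlib

# Leading bytes of the image formats commonly used for favicons.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x00\x00\x01\x00": "ico",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


def sniff_image(body: bytes):
    """Return the image type the bytes start with, or None if not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def audit_favicon(captures: dict) -> list:
    """captures maps a page context (e.g. 'home', 'checkout') to the body
    returned for the same favicon URL. Returns a list of findings."""
    findings = []
    digests = set()
    for context, body in captures.items():
        digests.add(hashlib.sha256(body).hexdigest())
        if sniff_image(body) is None:
            findings.append(f"{context}: favicon body is not an image")
    # A static icon should be byte-identical wherever it is requested from.
    if len(digests) > 1:
        findings.append("favicon content differs between page contexts")
    return findings


# Constructed sample data: a minimal PNG header and a stand-in for non-image content.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
NOT_IMAGE = b"/* constructed placeholder: text served in place of an image */"

CLEAN = {"home": PNG_STUB, "checkout": PNG_STUB}
SWAPPED = {"home": PNG_STUB, "checkout": NOT_IMAGE}

if __name__ == "__main__":
    print(audit_favicon(CLEAN))
    print(audit_favicon(SWAPPED))
```

Hosting the favicon on the site's own origin, rather than loading it from a third-party icon host, removes the opportunity for the remote server to vary the response.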

Malwarebytes says that the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.

Quite enterprising hackers, wouldn’t you say? Full marks for innovation.

