
Hackers hide web skimmer behind a website’s favicon


In one of the most complex and innovative hacking campaigns detected to date, a hacker group created a fake icon-hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers these days refer to as web skimming, e-skimming, or a Magecart attack.

Hackers breach websites and hide malicious code on their pages, code that records and steals payment card details as they are entered in checkout forms.

Web skimming attacks have been going on for almost four years, and as security firms are getting better at detecting them, attackers are also getting craftier.

Hackers created a fake icons hosting portal

In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.

The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.

The new favicon was a legitimate image file hosted on a third-party icon-hosting site, with no malicious code hidden inside it. The change looked innocent, yet Malwarebytes found that web skimming code was still being loaded on the hacked sites, so there was clearly something odd about the new favicon.



Image: Malwarebytes

The trick, according to Malwarebytes, was that the icon-hosting site served a legitimate favicon file for all of a hacked website’s pages, except on pages that contained checkout forms.

On those pages, the icon-hosting site silently swapped the favicon for a malicious JavaScript file that injected a fake checkout form and stole the card details users typed into it.
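The practical lesson of the favicon switch is that a scanner which fetches a resource once, from the homepage, never sees the malicious variant. The following is an added example, not code from the Malwarebytes report or from ZDNet: it fetches the same favicon URL under several Referer values and compares what comes back by magic bytes and hash rather than trusting the Content-Type header. It assumes, as a working hypothesis the article does not spell out, that the decoy server distinguished checkout pages by the referring page URL; the domain names, the stand-in PNG bytes and the stand-in skimmer script are constructed for the demonstration.

```python
import hashlib
import re
import urllib.request

# Leading bytes of the formats a favicon is normally served in.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "ico": b"\x00\x00\x01\x00",
    "gif": b"GIF8",
    "jpeg": b"\xff\xd8\xff",
    "svg": b"<svg",
}

# Loose signal that a body is JavaScript rather than an image.
JS_HINT = re.compile(
    rb"\b(function|document|window|addEventListener|XMLHttpRequest|fetch|eval)\b"
)


def classify_body(body: bytes) -> str:
    """Classify a response body by content, ignoring whatever Content-Type claims."""
    head = body.lstrip()
    for fmt, magic in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return fmt
    if JS_HINT.search(head[:4096]):
        return "script"
    return "unknown"


def audit_favicon(responses):
    """responses maps a Referer value to (content_type_header, body) for one fetch of
    the same favicon URL. Returns (referer, reason) findings for every body that is
    not an image, plus one finding if the body changes with the Referer at all."""
    findings = []
    digests = {ref: hashlib.sha256(body).hexdigest() for ref, (_, body) in responses.items()}
    for referer, (ctype, body) in responses.items():
        kind = classify_body(body)
        if kind not in IMAGE_MAGIC:
            findings.append((referer, f"non-image body ({kind}) served as {ctype!r}"))
    # A static icon must hash identically whatever page asked for it.
    if len(set(digests.values())) > 1:
        findings.append(("*", "favicon body varies with Referer"))
    return findings


def fetch_favicon_variants(favicon_url, referers, timeout=10):
    """Live collector for audit_favicon(): fetch favicon_url once per Referer.
    Not called below, so the example stays offline."""
    out = {}
    for ref in referers:
        req = urllib.request.Request(
            favicon_url, headers={"Referer": ref, "User-Agent": "Mozilla/5.0"}
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out[ref] = (resp.headers.get("Content-Type", ""), resp.read())
    return out


# Constructed sample responses (hypothetical shop, stand-in bytes), not real traffic.
PNG_FAVICON = IMAGE_MAGIC["png"] + b"\x00" * 32
SKIMMER_JS = (
    b"window.addEventListener('load',function(){"
    b"document.querySelector('form').innerHTML='<!-- fake checkout -->';});"
)
SAMPLE_RESPONSES = {
    "https://shop.example/": ("image/png", PNG_FAVICON),
    "https://shop.example/product/42": ("image/png", PNG_FAVICON),
    "https://shop.example/checkout": ("image/png", SKIMMER_JS),
}

if __name__ == "__main__":
    for referer, reason in audit_favicon(SAMPLE_RESPONSES):
        print(f"{referer}: {reason}")
```

The header check is deliberately secondary: in the constructed sample the checkout fetch is served with a truthful-looking image/png header and a script body, which is exactly the case a header-only check misses. Against a real site, pass the Referer values of the homepage, a product page and the checkout page to fetch_favicon_variants() and feed the result to audit_favicon().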

Malwarebytes said that site owners investigating the incident and visiting the icon-hosting site would find a fully working icon hosting portal, and would be misled into believing it was a legitimate service.

However, the security firm says the site was actually a clone of a legitimate icon-hosting portal, and that its primary role was to be a decoy.

Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.

The group behind this operation went to great lengths to hide its malicious code; however, intrusive card-skimming hacks rarely go unnoticed for long and almost always get uncovered.

Nonetheless, the effort to build a fake icon hosting portal is something not seen before in other web skimming operations, although other types of cybercrime groups have done similar things.

For example, the Zirconium gang registered 28 fake ad agencies in order to show malicious ads on thousands of sites, and the operator of the Orcus remote access trojan registered and operated a company in Canada claiming to provide remote access software for enterprise workers.

Source: ZDNet
