A website that appeared to host images for download was discovered to be a cover for a credit card skimming operation. The domain in question, myicons[.]net, was analyzed by Malwarebytes because several e-commerce websites powered by Magento were using this site to load a Magento favicon, the small image displayed by web browsers to visually identify the website loaded in each tab. The domain aroused their suspicion because it was registered only a few days before it started being used by multiple websites. After looking into the website, researchers found that it was stealing its images and icons from a legitimate source and was hosted on a server that had been used as part of a web skimming operation in the past.

Through the use of an iframe, the image is downloaded just as one would expect. Researchers assumed that the image would use steganography to hide malicious JavaScript code within itself, but this was not true, and the image was properly formatted. After this was discovered, researchers went a step further and loaded the file in the context of an online purchase checkout page on a Magento website. The same server recognized the request and loaded malicious JavaScript code in the form of an e-skimmer instead of the image. The skimmer that is used has been seen before, targeting English and Portuguese checkout pages, and was dubbed “Ant and Cockroach.” HTML code is loaded with the skimmer to blend it into the website so that it doesn’t look suspicious to shoppers.
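A site owner can check for the behaviour described above by fetching the same favicon URL from different pages of the store and comparing what comes back. The sketch below is an added example, not code from the Malwarebytes analysis; it assumes the responses have already been captured, that favicons are served in raster formats only, and the `Capture` fields, function names and sample data are all constructed for illustration.

```python
from dataclasses import dataclass

# Leading bytes of the raster formats a favicon is normally served in.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x00\x00\x01\x00": "ico",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

@dataclass
class Capture:
    page: str          # store page the favicon was requested from
    content_type: str  # Content-Type header the server returned
    body: bytes        # response body as received

def sniff_image(body: bytes):
    """Return the image format named by the body's magic bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None

def audit_favicon(captures):
    """Audit captures of ONE favicon URL requested from different pages."""
    findings, kinds = [], set()
    for c in captures:
        kind = sniff_image(c.body)
        kinds.add(kind)
        if kind is None:  # the header may still claim an image; trust the bytes
            findings.append(
                f"non-image body served to {c.page} (Content-Type: {c.content_type})")
    if len(kinds) > 1:
        findings.append("response type differs by requesting page: conditional serving")
    return findings

# Constructed sample captures; hosts and bodies are placeholders, not report data.
SAMPLES = [
    Capture("https://shop.example/", "image/png",
            b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    Capture("https://shop.example/checkout/", "image/png",
            b"<script>/* placeholder */</script>"),
]

if __name__ == "__main__":
    for finding in audit_favicon(SAMPLES):
        print(finding)
```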