A website that appeared to host images for download was discovered as a cover-up for a credit card skimming operation. The domain in question, myicons[.]net, was analyzed by Malwarebytes because several e-commerce websites powered by Magento were using this site to load a Magento favicon, the small image displayed by web browsers to visually identify the website loaded in each tab. The domain caught their suspicion because it was registered only a few days before it started being used by multiple websites. After looking into the website, it was found that it was stealing its images and icons from a legitimate source and was being hosted on a server that had been used as part of a web skimming operation in the past. Through the use of an iFrame, the image is downloaded just as one would assume. Researchers assumed that the image would use stenography to hide malicious JavaScript code within itself, but this was not true, and the image was properly formatted. After this was discovered, researchers went a step further and loaded the file in the context of an online purchase checkout page on a Magento website, the same server recognized the request and loaded malicious JavaScript code in the form of an e-skimmer instead of the image. The skimmer that is used has been seen before, targeting English and Portuguese checkout pages and was dubbed “Ant and Cockroach.” HTML code is loaded with the skimmer to blend the skimmer into the website so that it doesn’t look suspicious to shoppers.
Analyst Notes
E-skimming has been on the rise in the past few months due to the financial gain that threat actors can achieve by stealing credit card information and selling it or using it for fraud. Merchant companies operating e-commerce websites should be aware of the threats and proactively monitor their servers for any unauthorized access or changes to web content. Even content changes as simple as a new server to load a favicon image file can cause significant damage. In general, any image, html or JavaScript resource loaded from a third-party site in checkout or payment collection pages should not be trusted. Consumers can protect themselves from these attacks by using virtual one-time-use credit cards that generate a random number for a single purchase which then becomes useless to the attacker if stolen.
More information can be read here: https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/
