Severity
Medium
Analysis Summary
In the most recent skimmer campaign analyzed by researchers, attackers use favicons to deliver their skimmer. A favicon is the small image file displayed in a browser tab, typically used for branding or identifying a website. The attackers built a copy of the legitimate icon site iconarchive.com on a domain of their own (myicons[.]net, listed in the indicators below) in order to host the malicious favicons. The malicious image is disguised as a Magento favicon.

Favicons

As a standalone image, there is nothing outright malicious about the file. The malicious behavior is keyed on the HTTP Referer header: when a request for the favicon URL carries a referrer containing a keyword such as "checkout", the server returns JavaScript instead of the benign image, and that JavaScript is injected into the checkout page. It replaces the legitimate checkout form with the attacker's own form, and any credit card details the customer enters are exfiltrated to the attacker. Because the payload is only served to requests with a matching referrer, fetching the URL directly returns a clean image and a static scan of the file reveals nothing; the request has to be replayed with a checkout-page referrer to observe the swap. The specific skimmer identified in this campaign is the "ant and cockroach" skimmer, which is customized for English and Portuguese checkout forms and uses HTML that mimics the legitimate site so the injected form blends in.
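One way to reproduce and hunt for the referrer-gated delivery described above, as an added example that is not code from the original advisory or from the researchers who analyzed the campaign: request the favicon URL once without a Referer header and once with a referrer that contains "checkout", then classify what comes back by its bytes rather than by the URL's extension or the server's Content-Type. The function names (`classify`, `is_referer_cloaked`, `probe`), the shop origin and the sample responses are constructed for illustration; the SHA-256 value is the one from the IoC list below, and the advisory does not say which artifact it hashes.

```python
import hashlib
import re
import urllib.request

# SHA-256 from the advisory's IoC list. The advisory does not state which
# artifact it belongs to, so a hit is a strong signal but a miss proves nothing.
IOC_SHA256 = "825886fc00bef43b3b7552338617697c4e0bab666812c333afdce36536be3b8e"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Rough markers of script content; enough to tell JavaScript from an image blob.
JS_HINTS = re.compile(rb"(?:function\s*\(|=>|document\.|window\.|eval\(|XMLHttpRequest|fetch\()")


def classify(body: bytes) -> str:
    """Classify a response body by its content, ignoring what the server claimed."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if JS_HINTS.search(body):
        return "javascript"
    return "unknown"


def is_referer_cloaked(plain_body: bytes, checkout_body: bytes) -> bool:
    """True when the 'favicon' is an image without a referrer but script with a checkout referrer."""
    return classify(plain_body) == "png" and classify(checkout_body) == "javascript"


def matches_ioc(body: bytes) -> bool:
    """Compare a fetched body against the advisory's SHA-256 indicator."""
    return hashlib.sha256(body).hexdigest() == IOC_SHA256


def fetch(url: str, referer: str = "", timeout: int = 10) -> bytes:
    """Fetch a URL with an optional Referer header; a browser UA avoids trivial UA gating."""
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe(favicon_url: str, shop_origin: str) -> dict:
    """Replay the favicon request with and without a checkout referrer and compare."""
    plain = fetch(favicon_url)
    gated = fetch(favicon_url, referer=shop_origin.rstrip("/") + "/checkout/")
    return {
        "plain": classify(plain),
        "with_checkout_referer": classify(gated),
        "cloaked": is_referer_cloaked(plain, gated),
        "ioc_hash_hit": matches_ioc(plain) or matches_ioc(gated),
    }


# Constructed sample responses (not captured from the real campaign):
# a minimal PNG header and a script that swaps out a checkout form.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
SAMPLE_JS = (b"(function(){var f=document.querySelector('form#checkout');"
             b"if(f){f.outerHTML='<form id=\"checkout\">...</form>';}"
             b"new XMLHttpRequest();})();")

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("cloaked:", is_referer_cloaked(SAMPLE_PNG, SAMPLE_JS))  # True
    # Live use (needs network), e.g.:
    # print(probe("https://example.invalid/d/favicon.png", "https://shop.example"))
```

The point of classifying by bytes is that the cloaking defeats any check that trusts the `.png` extension or the `Content-Type` header: the same URL legitimately returns an image to a scanner that sends no referrer, so the comparison of the two responses is the actual detection.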

Impact
- Data exfiltration
- Financial loss
Indicators of Compromise
IP
83[.]166[.]244[.]76
SHA-256
825886fc00bef43b3b7552338617697c4e0bab666812c333afdce36536be3b8e
URL
http[:]//myicons[.]net/d/favicon[.]png
Remediation
- Block the listed threat indicators at your respective controls (web proxy, DNS and perimeter filtering).
- Merchants running Magento or similar storefronts should audit the third-party resources loaded on checkout pages and verify that an image URL such as the favicon still returns an image, not script, when requested with a checkout-page referrer.
- Always be suspicious of emails sent by unknown senders.
- Never click links or open attachments sent by unknown senders.