Rewterz Threat Alert – Homoglyph Attacks used in Phishing Campaign and Magecart Attacks

Severity

High

Analysis Summary

A Magecart skimming campaign is found leveraging homoglyph attack techniques. The hackers targeted visitors of several sites using typo-squatted domain names, and modified favicons to inject software skimmers used to steal payment card information. Researchers identified the exfiltration gateway, which appeared to be a slight variation of a legitimate domain name based on the usage of a “q” character in place of what should have been a “p”. One of the interesting characteristics of this sample compared to other Inter skimming kits was that it was in a .ico file format instead of HTML or JavaScript. The injected favicon was a copy of the legitimate favicon. Inside the malicious file is JavaScript code identified to be Magecart skimming code that gathers credit card and billing information. Multiple other victim sites and their associated look-alike domains were identified as being tied to this campaign. Infrastructure overlaps indicate that this activity is likely tied to Magecart Group 8.

Impact

• Theft of sensitive information
• Financial theft 

Indicators of Compromise

Domain Name

• zoplm[.]com
• winqsupply[.]com
• fleldsupply[.]com
• cigarpaqe[.]com

Source IP

• 51[.]83[.]209[.]11

Remediation

• Block the threat indicators at their respective controls. 
• Always double check for spelling mistakes in domain names. 
• Type your intended domain name instead of clicking on links.