In one of the most complex and innovative hacking campaigns detected to date, a hacker group created a fake icon hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.
The operation is what security researchers these days call web skimming, e-skimming, or a Magecart attack.
Hackers breach websites and then hide malicious code on their pages, code that records and steals payment card details as they're entered in checkout forms.
Web skimming attacks have been going on for almost four years, and as security firms are getting better at detecting them, attackers are also getting craftier.
Hackers created a fake icon hosting portal
In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.
The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.
The new favicon was a legitimate image file hosted on MyIcons.net, with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.
Image: Malwarebytes
The trick, according to Malwarebytes, was that the MyIcons.net website served a legitimate favicon file for all of a website's pages, except on pages that contained checkout forms.
On these pages, the MyIcons.net website would secretly switch the favicon with a malicious JavaScript file that created a fake checkout form and stole user card details.
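A check a site owner could run against what a third-party icon host actually serves, as an added example that is not from the Malwarebytes report: it assumes the same favicon URL is fetched from several page contexts (home, product, checkout) and flags any context that received JavaScript instead of image bytes. The responses below are constructed samples, not captures from MyIcons.net.

```python
import re

# Magic bytes of the image formats a favicon legitimately uses.
IMAGE_SIGNATURES = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Tokens that practically never appear in image bytes but do in skimmer code.
SCRIPT_HINT = re.compile(rb"\b(function|document|window|eval|addEventListener)\b")


def classify_favicon_body(body: bytes) -> str:
    """Return "ico", "png", "gif" or "svg" for a real image, "script" for
    a body that looks like JavaScript, and "unknown" otherwise."""
    for magic, fmt in IMAGE_SIGNATURES.items():
        if body.startswith(magic):
            return fmt
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<svg") or head.startswith(b"<?xml"):
        return "svg"
    if SCRIPT_HINT.search(body):
        return "script"
    return "unknown"


def find_favicon_mismatches(responses: dict) -> list:
    """Compare what the icon host served under different page contexts.

    `responses` maps a label for the page that loaded the favicon
    (e.g. "home", "checkout") to the raw response body; every context
    that got something other than an image is reported."""
    return sorted(
        label for label, body in responses.items()
        if classify_favicon_body(body) not in ("ico", "png", "gif", "svg")
    )


# Constructed samples standing in for the behaviour the report describes:
# a real ICO on ordinary pages, JavaScript on the checkout page.
SAMPLE_RESPONSES = {
    "home": b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 24,
    "product": b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 24,
    "checkout": b"(function(){var f=document.createElement('form');"
                b"window.addEventListener('submit',function(){});})();",
}

if __name__ == "__main__":
    print(find_favicon_mismatches(SAMPLE_RESPONSES))  # ['checkout']
```

In practice the bodies would come from fetching the favicon URL with the Referer (or whatever page signal the host keys on) set to each page, then diffing the results; a host that answers consistently with image bytes passes.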
Malwarebytes said that site owners investigating the incident and accessing the MyIcons.net website would find a fully working icon hosting portal, and would be misled into believing it's a legitimate site.
However, the security firm says MyIcons.net was actually a clone of the legitimate IconArchive.com portal, and that its primary role was to be a decoy.
Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.
The group behind this operation went to great lengths to hide its malicious code; however, intrusive card-skimming hacks rarely go unnoticed and almost always get uncovered.
Nonetheless, the effort to build a fake icon hosting portal is something not seen before in other web skimming operations, although other types of cybercrime groups have done similar things.
For example, the Zirconium gang registered 28 fake ad agencies in order to show malicious ads on thousands of sites, and the operator of the Orcus remote access trojan registered and operated a company in Canada claiming to provide remote access software for enterprise workers.