Credit card skimmer masquerades as favicon - Malwarebytes Labs
Criminals register a fake domain to hide their skimmer as a harmless image file.
Malware authors are known for their deceptive attempts to stay one step ahead of defenders. Once their schemes are discovered, they have to go back to the drawing board and come up with a new trick.
When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some quite simple and others more elaborate. The goal remains the same: deceive online shoppers while staying under the radar of site administrators and security scanners.
In this latest case, we saw an old server-side trick combined with the clever use of an icon file to hide a web skimmer. The threat actors registered a new website purporting to offer thousands of images and icons for download, but which in reality has only one purpose: to act as a front for a credit card skimming operation.
It all starts with an image file displayed in the browser tab and used to identify a website, better known as a favicon.
Figure 1: Favicons of some popular websites
While reviewing our logs, we found requests to a domain called myicons[.]net that hosts various icons and, in particular, favicons. Several e-commerce sites were loading a Magento favicon from this domain.
Figure 2: favicon.png for the Magento CMS
This in itself is not particularly suspicious. However, we noticed that myicons[.]net was registered just a few days ago and is hosted on a server (83.166.244[.]76) previously identified as malicious. In a blog post, web security company Sucuri described how this hosting infrastructure was part of a web skimming campaign using time-based domain names.
In addition, we discovered that whoever registered myicons[.]net was lifting all of the content from the legitimate iconarchive.com website, in the simplest way possible: by loading it in an iframe:
Figure 3: Decoy site displaying the original site inside an iframe
Figure 4: The suspicious image file appeared to be clean
Conditional server-side response
To better understand what was going on, and to rule out a false positive, we investigated how this request would be handled during an online purchase. Lo and behold, when the request comes from the checkout page of a compromised Magento website, the innocent favicon.png turns into something completely different.
Figure 5: The same web request, with a Referer header containing the keyword "checkout"
Figure 6: Malicious content hijacks the default payment method
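The behaviour in Figures 5 and 6 is a referer-keyed conditional response: one URL, a clean PNG for most visitors and a script only when the Referer looks like a checkout page. The check below is an added example (not code from Malwarebytes or from the skimmer) that generalizes this into a differential probe: it fetches the same URL under several assumed Referer values and flags the resource if the body or Content-Type changes. The `simulated_server` and its two response bodies are constructed stand-ins so the example runs offline; `live_fetch` is the standard-library equivalent you would swap in against a real URL. The shop hostname and checkout paths are assumptions.

```python
import hashlib
from typing import Callable, Dict, Iterable, Tuple

# A fetcher maps (url, referer) to (content_type, body).
Fetcher = Callable[[str, str], Tuple[str, bytes]]

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample responses for the demo; these are NOT the real artifacts
# served by the domain described in the post.
CLEAN_PNG = PNG_MAGIC + b"\x00" * 64
SKIMMER_JS = b"(function(){ /* placeholder for a skimmer payload */ })();"


def simulated_server(url: str, referer: str) -> Tuple[str, bytes]:
    """Stand-in for the malicious host: the same URL yields a clean image unless
    the Referer header contains the keyword 'checkout' (constructed behaviour)."""
    if "checkout" in referer.lower():
        return "text/javascript", SKIMMER_JS
    return "image/png", CLEAN_PNG


def fingerprint(content_type: str, body: bytes) -> Dict[str, object]:
    """Reduce a response to the fields worth comparing across referers."""
    return {
        "content_type": content_type,
        "sha256": hashlib.sha256(body).hexdigest(),
        "is_png": body.startswith(PNG_MAGIC),  # magic-number check, not the header
        "size": len(body),
    }


# Assumed referers: none, a home page, a product page, and a Magento checkout path.
DEFAULT_REFERERS = (
    "",
    "https://shop.example/",
    "https://shop.example/catalog/product/view/id/1",
    "https://shop.example/checkout/onepage/",
)


def probe(url: str, fetch: Fetcher, referers: Iterable[str] = DEFAULT_REFERERS
          ) -> Dict[str, Dict[str, object]]:
    """Fetch the same URL once per referer and fingerprint each response."""
    return {ref: fingerprint(*fetch(url, ref)) for ref in referers}


def is_conditional(results: Dict[str, Dict[str, object]]) -> bool:
    """True when the URL served more than one distinct body across the probes,
    which is the tell-tale sign of a referer-gated payload."""
    return len({r["sha256"] for r in results.values()}) > 1


def live_fetch(url: str, referer: str) -> Tuple[str, bytes]:
    """Real fetcher built on urllib only; use instead of simulated_server when
    probing a suspect URL from an isolated analysis host."""
    import urllib.request
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


if __name__ == "__main__":
    report = probe("https://icons.example/d/favicon.png", simulated_server)
    for ref, fp in report.items():
        print(f"{ref or '<no referer>'!s:50} {fp['content_type']:16} png={fp['is_png']}")
    print("conditional response:", is_conditional(report))
```

The point of comparing a body hash and the PNG magic bytes, rather than trusting the Content-Type header, is that a malicious server is free to lie in its headers; the differing SHA256 is what a scanner cannot be talked out of. A scanner that only fetches a resource without a checkout-style Referer will always see the clean image, which is exactly why this trick works.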
Ant and Cockroach skimmer
This skimmer is known to some as "Ant and Cockroach". It is unusual in that its checkout form can be customized in both English and Portuguese.
Figure 7: Malicious HTML form injected into the checkout page
While web skimmers focus primarily on credit card details, they also tend to collect additional personal information about their victims, including name, address, phone number and email address.
Figure 8: The data fields collected by the skimmer
This data is encoded and then sent back to the criminals. For skimmers, the exfiltration domain may be another compromised website or a malicious domain registered specifically for this purpose.
Figure 9: Exfiltration code sending the stolen data to the criminals
The exfiltration domain is psas[.]pw, hosted on known criminal infrastructure at 83.166.242[.]105. Back in March, we described a campaign using a Cloudflare Rocket Loader script that we believe is tied to the same threat group.
One of many web skimming campaigns
Considering the registration date of the icons domain, this particular scheme has only been around for about a week, but it is part of a much larger number of ongoing skimming attacks.
Malwarebytes users are protected by our real-time web protection module, available in both Malwarebytes for Windows and the Browser Guard extension for Google Chrome and Mozilla Firefox.
Figure 10: Malwarebytes Browser Guard blocks the data exfiltration
Skimmer URL, domain, IP and SHA256
myicons[.]net
83.166.244[.]76
Exfiltration domain and IP
psas[.]pw
83.166.242[.]105