Hackers hide skimmer behind favicon

#Malwarebytes #skimming

Malwarebytes Lab announced that they have discovered a use of an icon file to hide a web skimmer for a credit card skimming operation.

Malwarebytes Lab announced a new method they have discovered: a web skimmer can be hidden behind a favicon, the small image file displayed on the browser's tab. With this method, hackers aim to deceive online shoppers while staying under the radar of website administrators and security scanners.

No extra code

Malwarebytes Lab researchers noticed that the website used by the hackers was registered only a few days earlier and that its server's IP address had previously been identified as malicious. The icons on the website were stolen from a legitimate site named iconarchive. Malwarebytes Lab stated that the images were properly formatted and that no extra code could be found inside them.

But when a shopper visits the checkout page, the server returns JavaScript instead of serving the PNG image. The script is loaded dynamically into the DOM to override the PayPal checkout option. While web skimmers primarily focus on credit card data, they typically also collect additional information such as the victim's name, address, phone number, and email. The stolen data is then encoded and sent to the hackers.
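The swap described above leaves a simple fingerprint a site owner can check for: a favicon URL that serves a genuine PNG on one page but JavaScript on the checkout page. The following is an added example (not Malwarebytes code, and not the skimmer itself) that classifies what a favicon response actually contains and flags pages where it is not a real PNG; the `SAMPLES` responses, including the harmless placeholder script, are constructed for illustration.

```python
import re

# Every valid PNG file starts with this 8-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Tokens that appear in JavaScript but never inside a PNG header.
JS_HINTS = re.compile(rb"\b(function|var|let|const|document|window|eval)\b")


def classify_body(body: bytes) -> str:
    """Classify what was actually served: 'png', 'javascript' or 'unknown'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if JS_HINTS.search(body[:512]):
        return "javascript"
    return "unknown"


def audit_favicon(samples: dict) -> list:
    """samples maps a page path -> (Content-Type header, response body) for the
    same favicon URL fetched while on that page. Returns one finding per page
    whose favicon is not a real PNG, or whose Content-Type disagrees with it."""
    findings = []
    for page, (content_type, body) in samples.items():
        kind = classify_body(body)
        if kind != "png":
            findings.append(f"{page}: favicon served as {kind}, not PNG")
        elif not content_type.lower().startswith("image/png"):
            findings.append(f"{page}: PNG body but Content-Type {content_type}")
    return findings


# Constructed sample data: a PNG header plus dummy chunk bytes for the product
# page, and a harmless placeholder script (not the real skimmer) standing in
# for the JavaScript the report says is served on the checkout page.
SAMPLES = {
    "/product/123": ("image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17),
    "/checkout": ("image/png", b"(function(){var t=document.title;})();"),
}

if __name__ == "__main__":
    for line in audit_favicon(SAMPLES):
        print(line)
```

Fetching the favicon URL once per page template and diffing the classification across pages catches this trick even though the file looks clean when inspected on its own.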