Credit card data stolen by Magecart attackers

The Malwarebytes team has reported a new malicious campaign in which attackers use homoglyph domains and favicons to steal credit card data. The attackers store their malicious code in the EXIF data of a favicon file, which is loaded along with the page and infects the site.

Hackers Exploit Favicons to Steal Card Data

Magecart attacks have been growing while most of us are confined to home these days. The attacks involve infecting an e-commerce website with specially crafted malware to capture sensitive information such as buyers' credit card numbers and billing addresses. This personal and financial data is then resold in dark web groups or used for further attacks.

Security researchers surface new variants of Magecart attacks now and then, and all of them share the trait of hiding malicious code in the metadata of the files they abuse. In a new iteration of these attacks, found by the Malwarebytes team, the attackers' data-stealing script is hidden inside a favicon file!

Since favicon (.ico) files carry EXIF meta tags, which provide more data fields than a plain text file’s metadata, the attackers take advantage of this. They store the code in the “Copyright” field of the favicon files. Further, they run this campaign by targeting domains whose names can be imitated with homoglyphs (look-alike characters), since these are easily spoofed.
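To check a favicon for this technique from the defender's side, the following added example (not code from the Malwarebytes report) walks IFD0 of the file's EXIF block, pulls out the Copyright tag and flags script-like content; the build_exif helper and the marker list are constructed for the demo.

```python
import re
import struct
from typing import Optional

COPYRIGHT_TAG = 0x8298  # TIFF/EXIF "Copyright" tag, the field the skimmer was hidden in
# Constructed heuristic: tokens that never belong in an image's copyright notice
JS_MARKERS = re.compile(r"<script|eval\(|document\.|XMLHttpRequest|fetch\(|\.src\s*=", re.I)

def read_exif_copyright(exif: bytes) -> Optional[str]:
    """Walk IFD0 of a TIFF-structured EXIF block and return its Copyright string, if present."""
    if exif[:6] == b"Exif\x00\x00":  # JPEG APP1 payload prefix, absent in a bare TIFF block
        exif = exif[6:]
    order = {b"II": "<", b"MM": ">"}.get(exif[:2])
    if order is None or struct.unpack(order + "H", exif[2:4])[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    ifd = struct.unpack(order + "I", exif[4:8])[0]
    count = struct.unpack(order + "H", exif[ifd:ifd + 2])[0]
    for i in range(count):
        entry = exif[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if tag != COPYRIGHT_TAG or typ != 2:  # type 2 = ASCII
            continue
        if n <= 4:  # short values are stored inline in the entry's value field
            data = entry[8:8 + n]
        else:       # longer values live at the offset the value field points to
            off = struct.unpack(order + "I", entry[8:12])[0]
            data = exif[off:off + n]
        return data.rstrip(b"\x00").decode("latin-1")
    return None

def is_suspicious(copyright_text: Optional[str]) -> bool:
    """True when the Copyright field looks like script rather than an attribution line."""
    return bool(copyright_text) and JS_MARKERS.search(copyright_text) is not None

def build_exif(copyright_text: str) -> bytes:
    """Constructed test helper: a minimal little-endian EXIF block with one Copyright entry."""
    value = copyright_text.encode("latin-1") + b"\x00"
    value_offset = 8 + 2 + 12 + 4  # header, entry count, one entry, next-IFD pointer
    entry = struct.pack("<HHI", COPYRIGHT_TAG, 2, len(value))
    entry += value.ljust(4, b"\x00") if len(value) <= 4 else struct.pack("<I", value_offset)
    blob = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    return blob + (value if len(value) > 4 else b"")

if __name__ == "__main__":
    for sample in ("Copyright 2020 Example Shop",                 # benign attribution (constructed)
                   "<script>console.log('constructed')</script>"):  # script where text belongs
        text = read_exif_copyright(build_exif(sample))
        print("SUSPICIOUS" if is_suspicious(text) else "ok", repr(text))
```

On a real favicon, feed the bytes after the JPEG APP1 marker (or the PNG eXIf chunk payload) to read_exif_copyright and alert on any hit, since a legitimate copyright notice is plain text.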

Cigarpage domain being exploited

Researchers illustrated the incident with one attack, where the genuine “cigarpage.com” was breached and its favicon replaced with the attackers' chosen image, which was also planted as the favicon of their spoofed website, “cigarpaqe.com” (a “q” in place of the “g”). This gives the fake website an added layer of authenticity.

Similarities between URL path of the legitimate and fake favicons for authenticity

When tracked back, the favicon led to the IP address 51.83.209.11, which also hosted other domains such as fleldsupply.com, winqsupply.com and zoplm.com that shared the same fate. All of their favicons carry the malicious JavaScript code for capturing buyers' sensitive data. This is the first time an attacker has been found abusing favicons in this way. Shoppers are therefore advised to inspect a website carefully before making any transaction or entering their details.
