The Malwarebytes team has reported a new malicious campaign in which attackers use websites on homoglyph domains, together with their favicons, to steal credit card data. The attackers store their malicious code in the EXIF data of a favicon file, which is loaded along with the page and infects the site.
Hackers Exploit Favicons to Steal Card Data
Magecart attacks have been growing fast while most of us are confined to our homes these days. These attacks infect e-commerce websites with specially crafted malware that captures sensitive information such as buyers’ credit card data and billing addresses. This identifiable and financial data is then resold in dark web groups or used for further attacks.
Security researchers keep surfacing newer variants of Magecart attacks, and all of them share the trick of hiding malicious code in the metadata of the files they abuse. But in a new iteration found by the Malwarebytes team, the attackers’ data-stealing script is loaded from a favicon file!
Since favicon (.ico) files carry EXIF meta tags, which offer more data fields than a plain text file’s metadata, the attackers exploit this opportunity. They store their code in the “copyright” field of the favicon files. Further, they run this campaign on domains with homoglyph names, since these can be spoofed easily.
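A defender-side check, added here as an example and not taken from the Malwarebytes report: it walks a JPEG’s segments, reads the EXIF Copyright tag (0x8298) from IFD0, and flags script-looking content there. It assumes the favicon is served as a JPEG carrying an EXIF segment; the two sample images and the marker list are constructed for the demonstration.

```python
import re
import struct

COPYRIGHT_TAG = 0x8298  # EXIF/TIFF "Copyright" tag, the field abused in this campaign
SCRIPT_MARKERS = re.compile(r"<script|eval\(|document\.|XMLHttpRequest|fetch\(", re.I)


def exif_copyright(data: bytes):
    """Walk JPEG segments, find APP1/Exif, and return IFD0's Copyright string (or None)."""
    pos = 2 if data[:2] == b"\xff\xd8" else len(data)  # only JPEG (SOI marker) is handled
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # big-endian, includes itself
        body = data[pos + 4:pos + 2 + seg_len]
        if data[pos + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _copyright_from_tiff(body[6:])
        pos += 2 + seg_len
    return None


def _copyright_from_tiff(t: bytes):
    e = {b"II": "<", b"MM": ">"}.get(t[:2])  # byte-order mark selects struct endianness
    if e is None or struct.unpack(e + "H", t[2:4])[0] != 42:
        return None
    ifd0 = struct.unpack(e + "I", t[4:8])[0]
    (count,) = struct.unpack(e + "H", t[ifd0:ifd0 + 2])
    for i in range(count):  # each IFD entry: tag, type, count, value-or-offset
        ent = t[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(e + "HHI", ent[:8])
        if tag == COPYRIGHT_TAG and typ == 2:  # ASCII; inline if it fits in 4 bytes
            off = struct.unpack(e + "I", ent[8:12])[0] if n > 4 else None
            raw = ent[8:8 + n] if off is None else t[off:off + n]
            return raw.rstrip(b"\x00").decode("latin-1")
    return None


def is_suspicious(data: bytes) -> bool:
    """True when the Copyright field carries JavaScript-looking content."""
    text = exif_copyright(data)
    return bool(text and SCRIPT_MARKERS.search(text))


def build_sample(copyright_text: str) -> bytes:
    """Constructed minimal JPEG (SOI + APP1/Exif + EOI) with one Copyright entry; not a real favicon."""
    value = copyright_text.encode() + b"\x00"
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", COPYRIGHT_TAG, 2, len(value), 26) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + value  # header 8 bytes, IFD 18 bytes, value at 26
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


BENIGN = build_sample("Copyright 2020 Example Shop")  # constructed, normal metadata
MALICIOUS = build_sample("Copyright 2020 <script>eval(payload)</script>")  # constructed stand-in for a loader
```

Run it over every image a page references as its favicon; a Copyright field that parses as script is a strong indicator even before the JavaScript itself is examined.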

Researchers explained the incident with one attack in which the genuine “cigarpage.com” was breached and its favicon changed to the attackers’ desired image, which was also planted as the favicon of their spoofing website on the domain “cigarpaqe.com”. This gives the fake website an added layer of authenticity.

When tracked back, it led to the IP address 51.83.209.11, which hosted other domains such as fleldsupply.com, winqsupply.com and zoplm.com that shared the same fate. All of their favicons carry the malicious JavaScript code for capturing buyers’ sensitive data. This is the first time an attacker has been found exploiting the favicon feature in this way. Thus, it’s advised to inspect a website cautiously before making any transaction or entering details.