Posted on May 7, 2020 at 12:29 PM
A recent report revealed that hackers hid a web skimming operation behind a bogus image hosting portal. The incident has been described as one of the most innovative and sophisticated hacking campaigns detected so far. The hackers set up a fake icon hosting site to disguise malicious code designed to steal payment card data from compromised websites.
The hacking operation is what is commonly known as a Magecart attack, e-skimming, or web skimming.
Web skimming is not a new form of attack. Such operations have existed for many years; security companies keep devising new methods of stopping them while the attackers keep getting smarter. Most web skimming operations follow a similar pattern, but their form and strategy have changed over the years.
Hackers designed a bogus icon hosting website
According to a report published by cybersecurity firm Malwarebytes, one hacking group is using a new trick that takes the operation to a new level of sophistication.
Malwarebytes said it discovered the group while recently investigating some unusual hacks. The firm said the favicon (the small icon a browser shows next to the page title) was the only modification it saw on the hacked websites. Apart from that image, everything else looked the same as on the original website.
The favicon image itself did not contain any hidden malicious code and was hosted on MyIcons.net, according to the report.
Nevertheless, although the change looked genuine, the security firm noted that the skimming code was still being loaded on the hacked sites, which showed that something was not right with the new favicon.
Attackers used the favicon icon as a decoy
According to Malwarebytes, the MyIcons.net site served a genuine favicon file for all of the website's pages except those containing checkout forms.
Malwarebytes added that website owners who investigated the incident and visited MyIcons.net would see what looked like a legitimate icon hosting portal. As a result, they would be misled into believing it was a legitimate website.
The security firm also pointed out that the MyIcons.net portal was a clone of the legitimate IconArchive.com portal, designed to deceive visitors into believing it was legitimate.
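As an added example (not code from the Malwarebytes report or from this article), the following Python check shows how a site owner could audit the favicon responses collected from each page of a shop. It flags exactly the three warning signs described above: an icon served from a third-party host, a "favicon" whose bytes are not an image, and a favicon URL whose content changes depending on which page loaded it. The host names and responses are constructed sample data.

```python
import hashlib
from urllib.parse import urlparse

# Magic bytes of the formats a favicon is expected to be (PNG, ICO, GIF).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x01\x00", b"GIF8")

# Constructed sample data: what the favicon URL returned when the icon was
# requested from each page of a shop. The bogus icon host returns a real image
# everywhere except the checkout page, where it returns a script instead
# (an inert placeholder here, not a real skimmer).
FAVICON_URL = "https://icons.example.net/favicon.png"  # hypothetical third-party host
BENIGN_ICON = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PLACEHOLDER_SCRIPT = b"/* constructed stand-in for an injected script */ var a = 1;"
SAMPLE_RESPONSES = {
    "https://shop.example/": ("image/png", BENIGN_ICON),
    "https://shop.example/product/42": ("image/png", BENIGN_ICON),
    "https://shop.example/checkout": ("application/javascript", PLACEHOLDER_SCRIPT),
}


def is_image(body: bytes) -> bool:
    """True if the body starts with a known image signature."""
    return body.startswith(IMAGE_MAGIC)


def audit_favicon(favicon_url: str, responses: dict) -> list:
    """Return (page, reason) findings for a favicon that is hosted off-site,
    is not actually an image, or whose bytes depend on the requesting page."""
    findings = []
    icon_host = urlparse(favicon_url).hostname
    site_hosts = {urlparse(page).hostname for page in responses}
    if icon_host not in site_hosts:
        findings.append(("*", f"favicon hosted off-site on {icon_host}"))
    digests = set()
    for page, (content_type, body) in responses.items():
        digests.add(hashlib.sha256(body).hexdigest())
        if not is_image(body):
            findings.append((page, f"favicon body is not an image ({content_type})"))
    if len(digests) > 1:
        findings.append(("*", f"favicon bytes differ across pages ({len(digests)} variants)"))
    return findings


if __name__ == "__main__":
    for page, reason in audit_favicon(FAVICON_URL, SAMPLE_RESPONSES):
        print(f"{page}: {reason}")
```

A single page fetch would miss the checkout-only behaviour, which is why the responses are compared across pages rather than inspected one at a time.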
A few weeks ago, security firm Sucuri reported that the website was also hosted on different servers some hackers have previously used for their skimming operations.
Web skimming of this nature is usually detected
The hackers behind this operation did a lot of homework to hide the malicious code. However, as other intrusive card-skimming hacks have shown in the past, such operations hardly ever go undetected. They usually end up being discovered by cybersecurity firms because of their nature.
Yet the hackers did something unprecedented by building a fake icon hosting portal, which has not been seen in other skimming operations. Other attackers who have carried out similar operations have not been able to remain as sophisticated as this group, Malwarebytes revealed.
For instance, the Zirconium gang registered 28 fake ad agencies with the main aim of showing malicious ads on thousands of websites. In another similar incident, the hackers behind the Orcus remote access Trojan registered and operated a company in Canada, claiming to offer remote access software for enterprise workers.
The same hacking group is behind recent Magecart operations
The hackers responsible for the favicon camouflage campaign are believed to be behind other recent Magecart operations. An attack in March used an infected JavaScript library disguised as CloudFlare's Rocket Loader, and the hosting server used in that attack was identified by security firm Sucuri while it was investigating another Magecart operation.
Just like the operation described here, that web skimmer was also obfuscated using ant_cockroach tactics.