Hackers use fake icon portal to hide web skimmer behind a favicon

A favicon is the logo image of a website shown in browser tabs

Hackers are using fake icons on various websites in efforts to steal payment card details from compromised e-commerce websites.

That's according to the researchers from cyber security firm Malwarebytes, who claim to have noticed several compromised Magento websites loading a data skimmer instead of the legitimate website favicon (the logo image of the website shown in browser tabs) on their payment checkout pages.

The operation is an example of what cyber security researchers refer to as a Magecart, e-skimming or web skimming attack.

The primary aim of Magecart attacks is to inject malicious JavaScript into the payment checkout pages of online stores to steal buyers' payment card details.

As part of the new campaign, the attackers set up a fake image-hosting website, Myicons[.]net, that loaded all of its content from the legitimate iconarchive.com portal.

Myicons[.]net claimed to offer thousands of icons and images for users to download, but its real aim was to serve as a platform for web skimming operations.

While exploring hacked e-commerce websites, the researchers noticed that the attackers loaded a genuine favicon image (PNG) on all web pages, except for the checkout page.

On checkout pages, MyIcons[.]net secretly replaced the genuine favicon with a malicious JavaScript file, which created a fake checkout form and stole all confidential details of the customer's payment card.
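A defender-side check for the behaviour described above, as an added example that is not from Malwarebytes or the original article: it audits favicon responses already captured from several pages of one shop and flags bodies that are not images, favicons served from another host, and a favicon URL whose bytes change on one page. The hosts, field names and sample bodies are constructed for illustration, and only raster formats are recognised.

```python
import hashlib
from urllib.parse import urlparse

# Leading bytes of the raster formats a favicon is normally served in.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\x00\x00\x01\x00": "ico",
               b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}

def sniff_image(body):
    """Return the image type named by the body's magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None

def audit_favicons(captures):
    """captures: dicts with 'page', 'favicon_url' (absolute) and 'body' (bytes).
    Returns (page, reason) tuples for responses a favicon should never produce."""
    findings, digests = [], {}  # digests: favicon_url -> {sha256: [pages]}
    for cap in captures:
        icon_host = urlparse(cap["favicon_url"]).hostname
        if sniff_image(cap["body"]) is None:
            findings.append((cap["page"], "favicon body is not an image"))
        if icon_host != urlparse(cap["page"]).hostname:
            findings.append((cap["page"], f"favicon served from other host {icon_host}"))
        digest = hashlib.sha256(cap["body"]).hexdigest()
        digests.setdefault(cap["favicon_url"], {}).setdefault(digest, []).append(cap["page"])
    for by_digest in digests.values():
        if len(by_digest) > 1:
            # Same URL, different bytes: report the pages holding the rarer content.
            for page in min(by_digest.values(), key=len):
                findings.append((page, "favicon content differs from other pages"))
    return findings

# Constructed sample captures; hosts and bodies are placeholders, not from the article.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ICON = "https://icons.example/favicon.png"
SAMPLE = [
    {"page": "https://shop.example/", "favicon_url": ICON, "body": PNG},
    {"page": "https://shop.example/cart", "favicon_url": ICON, "body": PNG},
    {"page": "https://shop.example/checkout", "favicon_url": ICON,
     "body": b"// constructed stand-in for script text\nvar x = 1;"},
]

if __name__ == "__main__":
    for page, reason in audit_favicons(SAMPLE):
        print(page, "-", reason)
```

A favicon on a third-party host is common on its own; the finding that matters is a non-image body or content that changes only on the checkout page.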

According to researchers, myicons[.]net was registered just a few days ago and was hosted on a server previously used in other Magecart operations.

While the primary aim of the hackers was to steal credit card data, they also collected buyers' personal information, including their names, addresses, email addresses and phone numbers.

Web-skimming attacks have intensified over the past two years, according to researchers.

In October last year, researchers warned that up to 20,000 ecommerce websites were at risk of Magecart attacks following a Volusion server compromise.

In 2018, a Magecart attack on British Airways compromised credit card details of around 500,000 customers.

In September, researchers also warned that threat actors were attempting to bring old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.