- Joined
- May 15, 2016
- Messages
- 5,158
- Likes
- 2,576
- Points
- 1,730
Cybercriminals have found a way to effectively hide malicious code on hacked sites.
Specialists of the information security company Malwarebytes discovered a new malicious campaign, during which attackers steal user’s bank card data using the malware built into the site. This technique is called web-skimming, e-skimming or Magecart attacks. As a rule, attackers hack a site and inject a code into it that steals payment data from user-filled forms. Experts have recorded such attacks for four years now, and as security companies find effective ways to detect them, cybercriminals are forced to look for new ways.
The new Malwarebytes report reports one such grouping that has taken web-skimming to a whole new level. Experts revealed it during the investigation of a series of strange hacks, during which the only thing that hackers did on the hacked resources was changing favicons (site icons).
The new site icon was a valid graphic file hosted on MyIcons.net without any malicious code. Although changing the icon looked quite harmless, the malware somehow still downloaded to the hacked sites, and the icons aroused suspicion among experts.
As explained in the Malwarebytes report, MyIcons.net maintained a valid icon file for all pages on the site, with the exception of pages with order forms. On these pages, MyIcons.net quietly replaced the badge with a malicious JavaScript file, creating a fake form for placing an order and stealing bank card information.
The owners of one such hacked site visited MyIcons.net and saw that it is a full-fledged portal for hosting icons. Nothing aroused their suspicion. However, as Malwarebytes experts discovered, MyIcons.net is a “clone” of the legitimate IconArchive.com portal and was created to mask malicious activity.
Creating a whole hosting portal is something new for web-skimmers, although this technique has long been used by groups specializing in other types of cybercrimes.
__________________
Specialists of the information security company Malwarebytes discovered a new malicious campaign, during which attackers steal user’s bank card data using the malware built into the site. This technique is called web-skimming, e-skimming or Magecart attacks. As a rule, attackers hack a site and inject a code into it that steals payment data from user-filled forms. Experts have recorded such attacks for four years now, and as security companies find effective ways to detect them, cybercriminals are forced to look for new ways.
The new Malwarebytes report reports one such grouping that has taken web-skimming to a whole new level. Experts revealed it during the investigation of a series of strange hacks, during which the only thing that hackers did on the hacked resources was changing favicons (site icons).
The new site icon was a valid graphic file hosted on MyIcons.net without any malicious code. Although changing the icon looked quite harmless, the malware somehow still downloaded to the hacked sites, and the icons aroused suspicion among experts.
As explained in the Malwarebytes report, MyIcons.net maintained a valid icon file for all pages on the site, with the exception of pages with order forms. On these pages, MyIcons.net quietly replaced the badge with a malicious JavaScript file, creating a fake form for placing an order and stealing bank card information.
The owners of one such hacked site visited MyIcons.net and saw that it is a full-fledged portal for hosting icons. Nothing aroused their suspicion. However, as Malwarebytes experts discovered, MyIcons.net is a “clone” of the legitimate IconArchive.com portal and was created to mask malicious activity.
Creating a whole hosting portal is something new for web-skimmers, although this technique has long been used by groups specializing in other types of cybercrimes.
__________________