Graphic Artists Guild

Hackers Clone Icon Website to Steal Credit Card Information

Malwarebytes reported in early May that they had detected a novel method scammers are using to steal credit card data. Visitors to an icon website were unaware that the purchase form they were filling out was delivering their credit card information and personal details to cyber crooks. The scam is particularly insidious because, to the average user, it is almost undetectable.

The Malwarebytes team unearthed the scam when they noticed that the favicon for the shopping CMS Magento was being loaded by ecommerce websites from the myicons[.]net domain. That domain raised a red flag. It had been registered only a few days previously, and was hosted on a server that had already been identified as part of a web-skimming campaign. Once their suspicions were raised, Malwarebytes dug a little deeper and realized the website was using an iframe to pull in the content from a legitimate website, iconarchive.com. That means that visitors to myicons[.]net have little forewarning that the website is malicious.

But what is myicons[.]net’s game? What are they gaining by cloning the iconarchive website? At first Malwarebytes assumed that the favicon PNG was hiding malicious JavaScript code. That proved to be incorrect; the image was a plain PNG file. So they then looked into how the favicon was being served when they followed through with a purchase. They realized that, on the checkout page, the server returned JavaScript code instead of the favicon PNG file. That malicious code delivered a credit card form that overrode the PayPal option the legitimate website would have delivered instead. The bogus credit card form directs the buyer’s information – credit card data, name, address, email – to the scammers.
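The detail that made this skimmer stand out is that a request for an image came back as a script. The following is an added example, not code from Malwarebytes or from this article: a small check a site owner or monitoring tool can run over captured responses, flagging a resource whose path says "image" but whose bytes do not start with an image signature, whose body contains JavaScript-style tokens, or which is being fetched from a host other than the shop's own. The sample responses, the domains (`shop.example`, `icons.third-party.example`) and the keyword heuristic are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# File signatures ("magic bytes") of the image formats a favicon is normally served in.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ICO_MAGIC = b"\x00\x00\x01\x00"
GIF_MAGIC = (b"GIF87a", b"GIF89a")
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = (".png", ".ico", ".gif", ".jpg", ".jpeg")

# Crude heuristic (an assumption of this example, not a standard): text that reads like
# JavaScript touching the DOM or the network should never sit behind an image URL.
JS_HINTS = re.compile(
    rb"\b(function|var|let|const|document\.|window\.|XMLHttpRequest|fetch\()"
)


def looks_like_image(body: bytes) -> bool:
    """True if the body begins with a known image file signature."""
    return (
        body.startswith(PNG_MAGIC)
        or body.startswith(ICO_MAGIC)
        or body.startswith(GIF_MAGIC)
        or body.startswith(JPEG_MAGIC)
    )


def looks_like_script(body: bytes) -> bool:
    """True if the first 4 KiB contain JavaScript-looking tokens."""
    return bool(JS_HINTS.search(body[:4096]))


def check_resource(page_host: str, url: str, content_type: str, body: bytes) -> list:
    """Return a list of finding labels for one resource fetched by a page.

    Only URLs whose path ends in an image extension are examined; anything else
    is out of scope for this favicon-specific check.
    """
    findings = []
    parsed = urlparse(url)
    if not parsed.path.lower().endswith(IMAGE_EXTENSIONS):
        return findings
    if not looks_like_image(body):
        findings.append("image-path-non-image-body")
    if looks_like_script(body):
        findings.append("image-path-script-body")
    if content_type and not content_type.lower().startswith("image/"):
        findings.append("image-path-non-image-content-type")
    host = parsed.hostname
    if host and host != page_host and not host.endswith("." + page_host):
        findings.append("third-party-icon-host")
    return findings


# Constructed sample responses: (page host, resource URL, Content-Type, first bytes of body).
SAMPLE_RESPONSES = [
    ("shop.example", "https://shop.example/skin/favicon.png", "image/png",
     PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    # Same icon but pulled from an outside host: suspicious but not yet malicious.
    ("shop.example", "https://icons.third-party.example/favicon.png", "image/png",
     PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    # The pattern described above: the "favicon" answered with script on the checkout page.
    ("shop.example", "https://icons.third-party.example/favicon.png", "image/png",
     b"var f=document.createElement('form');f.innerHTML='<input name=cc>';"),
]


def scan_samples() -> list:
    """Run the check over every constructed sample and return the findings per sample."""
    return [check_resource(*sample) for sample in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (page_host, url, _, _), result in zip(SAMPLE_RESPONSES, scan_samples()):
        print(f"{page_host} -> {url}: {result or 'ok'}")
```

The magic-byte test is the part that would have caught this particular skimmer even with a correct `image/png` header; the third-party-host rule is noisier, but for a favicon there is rarely a good reason to load it from a domain the shop does not control.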

A New Threat

While the myicons scam is unique, it shows the increasing sophistication on the part of cyber crooks. ZDNet reports two examples: one in which scammers created 28 fake ad agencies to deliver malicious web ads on thousands of websites, and another in which a company registered in Canada provided remote access software that proved to be trojan malware.

The scam is part of a new breed of web skimming attacks called “Magecart” attacks. The attacks leverage vulnerabilities in the Magento CMS and plugins to hack ecommerce sites using Magento. The attackers then modify the ecommerce site’s source code to install malicious JavaScript that hijacks buyers’ credit card information from the checkout pages. Scammers have been branching out to other ecommerce platforms, such as PrestaShop and OpenCart. ZDNet reports that even large companies such as TicketMaster and Feedify have been compromised.
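Because Magecart works by adding script to a checkout page that the site owner never put there, one practical defence is to keep a baseline of the scripts that page is supposed to carry and diff the live page against it. The following is an added example, not code from this article or from any of the vendors it quotes: it parses the checkout HTML, records the hash of every inline script and the host of every external one, and reports anything that is not in the baseline or the allowlist. The two HTML pages and the hostnames (`shop.example`, `cdn.payments.example`, `icons.third-party.example`) are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script> ... </script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(html: str) -> set:
    """Hashes of the inline scripts on a known-good copy of the page."""
    collector = ScriptCollector()
    collector.feed(html)
    return {sha256_hex(body) for body in collector.inline}


def audit_checkout_page(html, first_party_host, allowed_hosts, baseline_inline_hashes):
    """Return (kind, detail) findings for scripts that are not in the baseline.

    Relative script URLs have no host and are treated as first-party.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host != first_party_host and host not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in baseline_inline_hashes:
            findings.append(("unknown-inline-script", digest))
    return findings


# Constructed known-good checkout page: one first-party script, one allowed payment SDK,
# one inline config block.
KNOWN_GOOD_CHECKOUT = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

# The same page after a hypothetical injection: a script tag pointing at an outside
# "icon" URL plus an inline handler watching the checkout form.
TAMPERED_CHECKOUT = KNOWN_GOOD_CHECKOUT.replace(
    "</head>",
    '<script src="https://icons.third-party.example/favicon.png"></script>'
    "<script>document.querySelector('#checkout').addEventListener('submit', function(){});</script>"
    "</head>",
)

BASELINE_HASHES = build_baseline(KNOWN_GOOD_CHECKOUT)
ALLOWED_HOSTS = {"cdn.payments.example"}

if __name__ == "__main__":
    for name, page in (("known-good", KNOWN_GOOD_CHECKOUT), ("tampered", TAMPERED_CHECKOUT)):
        print(name, audit_checkout_page(page, "shop.example", ALLOWED_HOSTS, BASELINE_HASHES))
```

Run against a live site this would be scheduled to fetch the checkout page regularly and alert on any finding; the baseline has to be refreshed whenever a legitimate deployment changes the inline scripts, which is also a useful forcing function for knowing exactly what runs on the page where card numbers are typed.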

So how can you protect yourself? TechRepublic asked just that when they interviewed Aanand Krishnan, founder and CEO of Tala Security. Krishnan estimates that hundreds of thousands of websites are compromised with Magecart scams, and the scams may go undetected for several months. He also feels that the responsibility for addressing the problem lies with the ecommerce websites and financial institutions completing the transactions. His advice for consumers is threefold: be aware of the scam; check your credit card accounts frequently for odd transactions; and follow best practices in your online habits. (Don’t click on unknown or suspicious emails, don’t download free software you don’t need and that hasn’t been vetted, and clean out browser extensions.)

Jerome Segura, director of threat intelligence for Malwarebytes, also recommends that ecommerce customers use payments that don’t involve filling out their credit card information every time they make a purchase. Malwarebytes also offers a real-time web security module in both their desktop software and in their Browser Guard extension for Chrome and Firefox.

Photo by Markus Spiske on Unsplash