New Card Skimming methods using Infected Favicon and Homograph Domains

Card Skimming


Malwarebytes researchers have highlighted a new phishing technique that attackers are using against visitors of several websites: a modified favicon is leveraged to inject e-skimmers and steal credit card information.

The technique relies on look-alike characters to dupe unsuspecting users; according to the security researchers, these characters may come from a different language script, or be as simple as a capital 'I' used to imitate a lowercase 'l'.

This is referred to as an internationalized domain name (IDN) homograph attack, and it has been used by the Magecart group on several domains to load the so-called Inter skimming kit from within a favicon file.

How the Homograph attack technique is carried out



The attack technique typically involves registering fraudulent domains whose character scripts resemble the original domain; these domains are then loaded with malware to target unsuspecting users who are deceived into visiting them.

Credit Card Skimming


The favicon loaded from the homoglyph domain is then used to inject the Inter JavaScript skimmer, which captures the credit card information entered on an e-commerce payment page and exfiltrates those details to the domain hosting the favicon file.

The researchers discovered legitimate websites (e.g., "cigarpage.com") that had been hacked and injected with malicious code referencing an icon file, which loads a look-alike version of the favicon from the decoy site ("cigarpaqe[.]com"). The MyPillow breach followed the same modus operandi: a malicious JavaScript hosted on "mypiltow.com," a homoglyph of "mypillow.com," was injected into the site.
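As an added illustration (not code from the Malwarebytes research or from this article), the following Python sketch scans a page's HTML for favicon and script references whose host is a homoglyph or one-character lookalike of a domain the site owner wants to protect, using the cigarpage/cigarpaqe and mypillow/mypiltow cases above as constructed input. The confusable-character table, the sample HTML and the protected-domain list are assumptions, not data from the page.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Visually confusable spellings (constructed, not exhaustive): multi-character
# sequences first, then single Latin/digit/Cyrillic characters, each folded to one form.
CONFUSABLE_SEQS = {"rn": "m", "vv": "w"}
CONFUSABLE_CHARS = {"1": "l", "i": "l", "|": "l", "0": "o", "q": "g",
                    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
# <link ... href="..."> (favicons, stylesheets) and <script ... src="...">; attribute
# order inside the tag does not matter, but values must be double-quoted.
RESOURCE_RE = re.compile(r'<(link|script)\b[^>]*?\s(?:href|src)="([^"]+)"', re.I)

def skeleton(host):
    """Fold a hostname so that confusable spellings collide on the same string."""
    s = unicodedata.normalize("NFKC", host).lower()
    for seq, rep in CONFUSABLE_SEQS.items():
        s = s.replace(seq, rep)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)

def lookalike_of(host, protected):
    """Return the protected domain `host` imitates (same skeleton, or one character
    substituted as in mypiltow/mypillow), or None if it is not a lookalike."""
    host = host.lower().rstrip(".")
    if host in protected:
        return None
    for good in sorted(protected):
        one_sub = len(host) == len(good) and sum(x != y for x, y in zip(host, good)) == 1
        if skeleton(host) == skeleton(good) or one_sub:
            return good
    return None

def find_lookalike_resources(html, protected):
    """Flag <link>/<script> references whose host imitates a protected domain."""
    hits = []
    for tag, url in RESOURCE_RE.findall(html):
        host = urlparse(url).hostname or ""
        good = lookalike_of(host, protected)
        if good:
            hits.append((tag.lower(), host, good))
    return hits

# Constructed sample page modelled on the article's cases (not real site content).
SAMPLE_HTML = """<html><head>
<link rel="icon" href="https://cigarpaqe.com/favicon.ico">
<script src="https://cdn.legit-cdn.example/lib.js"></script>
<script src="https://mypiltow.com/checkout.js"></script>
</head></html>"""
PROTECTED = {"cigarpage.com", "mypillow.com"}
```

Running `find_lookalike_resources(SAMPLE_HTML, PROTECTED)` flags the favicon fetched from cigarpaqe.com and the script fetched from mypiltow.com while leaving the unrelated CDN host alone; the same check can be run against a site's deployed templates as a regression test after a compromise is cleaned up.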

How Web Users can guard against this kind of phishing attack



Threat actors are becoming more sophisticated in their craft, so the lines between the different attack scenarios, and what researchers can make of a given attack, are becoming more blurred by the day.

Web users are advised not to follow links in chat messages and other public content, and to always turn on multi-factor authentication when available, to keep their accounts from being hijacked.

More importantly, they should scrutinize the URL of any website they intend to visit to ensure that the link really leads to the expected destination, and they should avoid clicking links in emails; rather, they should copy the link out for further scrutiny before visiting it.
