Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

JavaScript Skimmers Found Hidden in 'Favicon' Icons

Malwarebytes Researchers Say Attacks Appear Related to Magecart
JavaScript Skimmers Found Hidden in 'Favicon' Icons

Cybercriminals are hiding malicious JavaScript skimmers in the "favicon" icons of several ecommerce websites in an effort to steal payment card data from customers, Malwarebytes researchers report.

See Also: Live Webinar | Adversary Analysis of Ransomware Trends

The recent attacks bear the hallmarks of Magecart, the umbrella name for a group of cybercriminal gangs that have been planting JavaScript skimmers, also known as JavaScript sniffers or JS sniffers, on dozens of sites over the last several years, according to Malwarebytes. The skimmers typically steal data such as customers' name, payment card number, expiration date and CVV information.

Over the last several months, several Magecart groups have experimented with new techniques for planting JavaScript skimmers within ecommerce site's checkout functions. In April, for example, researchers at security firm RiskIQ found one Magecart group incorporating iframes into their attacks to help skim the card data.

In the latest scheme, the malicious code is hidden inside a favicon - an icon associated with a URL that is displayed in a browser's address bar or next to the site name in a bookmark list - and hosted on a domain controlled by the attackers, according to Malwarebytes.

"I would not call this attack sophisticated but clever instead," says Jerome Segura, director of threat intelligence at Malwarebytes. "It shows that there are many different ways to evade detection, and all it takes is a bit of creativity."

These favicon-based attacks started only within the past week, and it's not clear how many sites have been affected or how much payment card data may have been taken. "We noted a handful of sites that were caught up in this, probably because of how recent this attack is," Segura tells Information Security Media Group. The report did not name the targeted sites.

Malicious Icons

This new Magecart-style scheme was discovered during routine checks of customer logs, according to Malwarebytes. Researchers noticed several ecommerce sites loading a Magento favicon from a suspicious domain called Myicons[dot]net.

Magento, which is owned by Adobe, is a popular content management system that ecommerce companies use to build and host their online checkout pages. It's also a frequent target of Magecart attacks, researchers note (see: Magento Marketplace Suffers Data Breach, Adobe Warns).

The Myicons domain was recently registered, and its IP address was associated with previous JavaScript skimming attacks, according to Malwarebytes and security firm Sucuri, which first noticed this website in April.

Magento icon hiding malicious JavaScript (Source: Malwarebytes)

Many of the icons hosted on the Myicons site were stolen from a legitimate site called, according to the Malwarebytes report.

Hidden Code

The icons listed for download on the Myicons site did not contain malicious if they were downloaded and add to websites without payments forms. But if the icons were downloaded and deployed on sites that contained payment forms the malicious JavaScript was added.

The attackers used a server-side technique to switch the PNG image code used in the icon for the skimmer code, according to Malwarebytes. If ecommerce customers attempt to input their payment card data on an infected site, the information is harvested, collected and sent back to the attackers.

"Instead of serving a PNG image, the malicious server returns JavaScript code that consists of a credit card payment form," according to the Malwarebytes report. "This content is loaded dynamically in the [Document Object Model] to override the PayPal checkout option with its own drop down menu for MasterCard, Visa, Discover and American Express."

Malwarebytes researchers are contacting ecommerce firms that have been affected by this Magecart-style campaign and further investigating the infrastructure used in the incidents.

Managing Editor Scott Ferguson contributed to this report.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.