Recently, researchers discovered a new credit card skimming campaign that exploits the Inter skimming kit and favicon files to hide its activity. Malwarebytes researcher Jérôme Segura documented a recent homoglyph attack wave in which fraudsters are using numerous look-alike domain names to load the Inter skimming kit from inside a favicon file.
According to the researchers, Magecart group 8, known for targeting e-commerce websites using fake domains and small favicon images, was behind the skimming campaign. The campaign was observed at the beginning of August 2020; the attackers used several fake domain names to load the Inter skimming kit from inside an .ico file (a favicon file). They relied on homoglyph techniques, in which fake domain names appear legitimate because they are built from similar-looking characters.
Recent Magecart Attacks
Besides the July incident in which the EXIF metadata of a favicon image was used to evade detection, Magecart attackers have been actively carrying out skimming attacks across various organizations. In late June 2020, eight U.S. cities were targeted by Magecart skimming attacks when Click2Gov platform-based websites were injected with malicious skimming code that passed credit card information to cybercriminals. In mid-June 2020, malicious web skimmers were found on the websites of Intersport, Claire’s, and Icing, which would steal any customer information entered during checkout and send it to the attackers.
Working Mechanism
Homoglyph attacks may sound complicated, but they are extremely simple to pull off in practice. Look-alike characters are used in domain names to make website addresses appear legitimate, while the threat actors rely on visitors not noticing small differences or mistakes when they visit. For instance, characters may be selected from a different language set or picked to resemble another letter, such as using a capital “I” to pass for a lower-case “l”.
If a victim is sent to a fraudulent domain, take PayPal for example, the difference between “paypal.com”, which uses a legitimate lower-case “l”, and “paypaI.com”, which uses an upper-case “i” instead, may not be apparent. This can instill trust in the domain as legitimate, whereas in fact malicious code, exploit kits, or credential skimmers may be operating behind it.
In practice, when a visitor clicks the ‘Submit’ button, the Inter kit harvests the data entered on the web page and sends it to the attacker’s server. The attackers created fake domains such as “cigarpaqe[.]com”, a look-alike of the genuine domain “cigarpage[.]com”. Similarly, fleldsupply[.]com mimics fieldsupply[.]com and winqsupply[.]com mimics wingsupply[.]com, misleading people into exposing their credentials.
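As an added, illustrative example (not code from the Malwarebytes research or from this article), the following Python check flags hosts referenced by a page's script and favicon tags that are homoglyph look-alikes of trusted domains, using the substitutions seen in this campaign (I/l, q/g) plus a few common digit and Cyrillic confusables; the confusable table, the trusted list and the sample HTML are assumptions constructed for this demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumed, deliberately small confusable table; production use would take
# the full Unicode confusables list rather than these hand-picked pairs.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = str.maketrans({
    "i": "l", "1": "l", "|": "l",                  # paypaI.com, fleldsupply.com
    "q": "g", "0": "o", "5": "s",                  # cigarpaqe.com, winqsupply.com
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic p, c, y
})

def to_unicode(domain):
    """Decode punycode (xn--) labels so Unicode homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as-is

def skeleton(domain):
    """Map a domain to a form in which look-alike spellings collide."""
    d = to_unicode(domain).casefold()
    for pair, repl in MULTI_CONFUSABLES.items():
        d = d.replace(pair, repl)
    return d.translate(SINGLE_CONFUSABLES)

def lookalikes_of(host, trusted):
    """Trusted domains that some 2+-label suffix of host mimics without equalling."""
    labels = to_unicode(host).casefold().split(".")
    hits = []
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        hits += [t for t in trusted if t.casefold() != suffix and skeleton(t) == skeleton(suffix)]
    return hits

def suspicious_hosts(html, trusted):
    """Hosts referenced by src=/href= in html that impersonate a trusted domain."""
    urls = re.findall(r'(?:src|href)="([^"]+)"', html)
    hosts = {urlsplit(u).hostname for u in urls} - {None}   # drop relative URLs
    report = {h: lookalikes_of(h, trusted) for h in sorted(hosts)}
    return {h: hits for h, hits in report.items() if hits}

# Constructed sample: a checkout page whose favicon and one script come from
# look-alike hosts, mixed with a legitimate and a relative reference.
SAMPLE_HTML = """<link rel="icon" href="https://cigarpaqe.com/favicon.ico">
<script src="https://cigarpage.com/js/checkout.js"></script>
<script src="//static.paypaI.com/skim.js"></script>
<img src="/images/logo.png">"""
TRUSTED = ["cigarpage.com", "paypal.com", "fieldsupply.com", "wingsupply.com"]
```

Running `suspicious_hosts(SAMPLE_HTML, TRUSTED)` reports the favicon host as a look-alike of cigarpage.com and the script host as a look-alike of paypal.com, while the genuine and relative references pass.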
A Brief Conclusion
The combination of fake look-alike domains with legitimate websites makes it difficult to prevent Magecart attacks using a fixed set of policies. Researchers recommend real-time client-side application protection solutions to prevent Magecart-based malicious script attacks.