A new credit card skimming campaign was found exploiting Inter kit and favicons to hide skimming activities.
According to researchers, the Magecart group 8—known for targeting e-commerce websites using fake domains and small favicon images—was behind the skimming campaign.
- This skimming campaign was observed at the beginning of August 2020 in which attackers used several fake domain names to load the Inter skimming kit inside of an .ico file (a favicon file).
- Hackers used the homoglyph techniques, in which they leverage fake domain names that appear to be legitimate due to similar looking alphabets.
How does the attack work?
- When any visitor clicks on the ‘Submit’ button, the Inter kit pilfer the data filled on the webpage and send it to the attacker’s server.
- Attackers created fake domains, such as “cigarpaqe[.]com”, which is a look-alike of the genuine domain "cigarpage[.]com.” Similarly, fleldsupply[.]com for fieldsupply[.]com and winqsupply[.]com for wingsupply[.]com to mislead people into exposing their credentials.
Recent Magecart attacks
Besides the other recent incident of using the EXIF Metadata of a favicon image to evade detection in July, Magecart attackers have been actively carrying out skimming attacks across various organizations.
- In late-June 2020, eight U.S. cities were targeted by the Magecart skimming attacks, when the Click2Gov platform-based websites were injected with malicious skimming code, which passed credit card information to cybercriminals.
- In mid-June 2020, malicious web skimmers were found on the websites of Intersport, Claire's, and Icing, which would steal any customer information entered during checkout and send it to the attackers.
The use of a combination of fake lookalike domains, along with legitimate websites makes it difficult to prevent the Magecart attacks using a defined set of policies. Researchers recommend using real-time client-side application protection solutions to prevent Magecart based malicious script attacks.