The PHP-based web shell malware, masked as a favicon, is planted on the targeted sites by replacing the legitimate shortcut icon tags with a path to fake PNG image files.
In turn, this web shell is configured to obtain the next-stage payload, a credit card skimmer that has similarities with other variants used in Cardbleed attacks, from an external host.
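A defender-side check for the disguise described above, as an added example that is not from the original article: it walks a web root and flags image-named files whose leading bytes do not match their extension or that contain a PHP open tag. It also covers a file that keeps a valid PNG header but carries PHP after it, which goes beyond the case in the text; the function names, file names and sample contents are constructed for illustration.

```python
import os
import re
import tempfile

# Leading magic bytes for image types commonly used as favicons.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".ico": (b"\x00\x00\x01\x00",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Full PHP open tag only; short tags are skipped to avoid hits on binary data.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def inspect_image(path):
    """Return the reasons an image-named file looks like disguised PHP."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not data.startswith(MAGIC[ext]):
        reasons.append("header does not match extension")
    if PHP_TAG.search(data):
        reasons.append("contains PHP open tag")
    return reasons

def scan_webroot(root):
    """Walk a web root; map each suspicious image (relative path) to reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := inspect_image(full):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample(root):
    """Constructed sample: a real PNG header, a polyglot, and PHP named .png."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = {"logo.png": png, "banner.png": png + b"<?php /* stub */ ?>",
               "favicon_sample.png": b"<?php /* stub */ ?>"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_webroot(tmp))
```

A hit is a lead for review rather than proof of compromise; compare flagged files against a known-good deployment before removing anything.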
Recent Magecart attacks
Magecart attacks are becoming more common and have targeted several online platforms around the world in the past few months.
In February, Magecart-type attacks were found abusing Google's Apps Script business application development platform to steal credit card details.
The cybercrime syndicate is intensifying its efforts to compromise online stores with a wide range of attack vectors. In addition, skimming has become a prevalent and lucrative business for cybercriminals. Organizations are therefore advised to deploy security measures that detect and stop such skimming attacks.