Researchers have detected a new malware strain, dubbed ‘IcePick-3PC’, that steals device IP addresses by compromising the third-party tools a website loads. The malware has affected several publishers and e-commerce businesses across industries including retail and healthcare.
Researchers from The Media Trust spotted the malware when it was used to target device owners with a phishing campaign. The phishing scam offered gift cards from Amazon and Walmart, urging users to share their personal information in order to claim their prizes.
More details on the malware
Michael Bittner, Digital Security & Operations Manager at The Media Trust, explained in a blog post that IcePick-3PC steals device IP addresses by compromising a website’s third-party tools, which are often pre-loaded onto client platforms by self-service agencies. The tools are designed to incorporate animation content via HTML5.
When a user visits a website with a compromised third-party library, the malware runs a series of checks on the user’s device before executing its payload.
“The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog post read.
Once the checks are completed, the malware opens an RTCPeerConnection (WebRTC) between the infected device and a remote peer to extract the device’s IP address, then sends the extracted IP to the attacker.
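The IP extraction step described above relies on a standard WebRTC behaviour: when a page opens an RTCPeerConnection and gathers ICE candidates, the browser reports its local (LAN) address in "host" candidates and its public address, as seen by a STUN server, in "srflx" candidates. The example below is added here to illustrate that mechanism and is not code from The Media Trust or from the malware itself. The harvesting function shows what a malicious third-party script would run in a browser (it resolves to an empty list outside one), the parser and summary work offline on candidate strings, and the small static check at the end is the kind of indicator a page scan for unauthorized code might look for. The STUN server URL and all candidate strings are constructed for illustration.

```javascript
// Added example (not the page's or the vendor's code): how WebRTC ICE
// candidates expose a device's IP addresses, plus offline helpers.
'use strict';

// Parse one ICE candidate line ("candidate:" syntax, optional "a=" SDP prefix)
// into its connection address and candidate type. Returns null if malformed.
function parseIceCandidate(candidate) {
  const line = candidate.replace(/^a=/, '');
  const m = line.match(/^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/);
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    protocol: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host | srflx | prflx | relay
  };
}

// Modern browsers replace host-candidate IPs with an mDNS name (uuid.local)
// unless the page already has camera/microphone permission.
function isObfuscatedMdns(address) {
  return /\.local$/i.test(address);
}

// Group unique addresses by candidate type from a list of candidate strings.
function collectAddresses(candidates) {
  const out = { host: [], srflx: [], prflx: [], relay: [] };
  for (const c of candidates) {
    const p = parseIceCandidate(c);
    if (!p || !(p.type in out)) continue;
    if (!out[p.type].includes(p.address)) out[p.type].push(p.address);
  }
  return out;
}

// What an attacker actually learns: public IP from srflx candidates, LAN IP
// from host candidates (or only an mDNS name if the browser obfuscates it).
function summarizeLeak(candidates) {
  const byType = collectAddresses(candidates);
  const lanIps = byType.host.filter((a) => !isObfuscatedMdns(a));
  return {
    publicIps: byType.srflx,
    lanIps,
    lanHiddenByMdns: byType.host.length > 0 && lanIps.length === 0,
  };
}

// Browser-side harvesting, as a malicious third-party script would do it.
// stunServer is an assumed placeholder; guarded so this file also loads in Node.
function harvestViaWebRTC(stunServer) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunServer }] });
    const found = [];
    pc.createDataChannel('x'); // any channel is enough to start ICE gathering
    pc.onicecandidate = (ev) => {
      if (ev.candidate) {
        found.push(ev.candidate.candidate);
      } else {
        pc.close(); // null candidate means gathering is complete
        resolve(found);
      }
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

// Static indicator check for a script's text: an HTML5 animation library has
// no business opening peer connections or contacting STUN servers.
const WEBRTC_INDICATORS = [
  /\bRTCPeerConnection\b/,
  /\bwebkitRTCPeerConnection\b/,
  /\bmozRTCPeerConnection\b/,
  /\bonicecandidate\b/,
  /\bstun:[\w.-]+/i,
];
function flagsWebRtcUse(scriptText) {
  return WEBRTC_INDICATORS.filter((re) => re.test(scriptText)).map((re) => re.source);
}

// Constructed sample candidates (not captured traffic).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 UDP 2122252543 192.168.1.20 54321 typ host',
  'a=candidate:2 1 udp 2122260223 7c4f2b1e-9a3d-4c5e-8f6a-1b2c3d4e5f60.local 61234 typ host',
  'candidate:842163049 1 udp 1677729535 203.0.113.7 54321 typ srflx raddr 192.168.1.20 rport 54321',
  'not a candidate line',
];

if (typeof module !== 'undefined' && require.main === module) {
  console.log(summarizeLeak(SAMPLE_CANDIDATES));
  harvestViaWebRTC('stun:stun.example.net:3478').then((c) => console.log(c));
}
```

In a current browser the LAN address usually appears only as the mDNS name, so a script like this typically recovers the public address; the `lanHiddenByMdns` flag makes that distinction visible when reviewing what a given page could have collected.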
“The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organized cybercrime rings. If this is the case, the attack on recognized publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future,” the blog post added.
“To prevent attacks and protect sites from infections, researchers recommend publishers and e-commerce businesses thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders and scan interactive ads and site pages for unauthorized code,” researchers wrote in the blog.