Evasive Credit Card Skimmers Using Homograph Domains and Infected Favicon #Security - The Entrepreneurial Way with A.I.

Breaking

Friday, August 7, 2020

Evasive Credit Card Skimmers Using Homograph Domains and Infected Favicon #Security

Cybersecurity researchers today highlighted an evasive phishing technique attackers exploiting in the wild to target visitors of several sites with a quirk in domain names, and leveraging modified favicon to inject e-skimmers and steal payment card information covertly.

"The idea is simple and consists of using characters that look the same in order to dupe users," Malwarebytes researchers said in a Thursday

analysis

. "Sometimes the characters are from a different language set or simply capitalizing the letter 'i' to make it appear like a lowercase 'l'."

Called an internationalized domain name (IDN)

homograph attack

, the technique has been used by a Magecart group on multiple domains to load the popular Inter skimming kit

hidden inside a favicon file

.

The visual trickery typically involves leveraging the similarities of character scripts to create and

register fraudulent domains

of existing ones to deceive unsuspecting users into visiting them and introduce malware onto target systems.

In several instances, Malwarebytes found that legitimate websites (e.g., "cigarpage.com") were hacked and injected with an innocuous piece of code referencing an icon file that loads a copycat version of the favicon from the decoy site ("cigarpaqe[.]com").

This favicon loaded from the homoglyph domain was subsequently used to inject the

Inter JavaScript skimmer

that captures the information entered on a payment page and exfiltrates the details to the same domain used to host the malicious favicon file.

Interestingly, it appears that one such fake domain ("zoplm.com") which was registered last month has been previously tied to Magecart Group 8, one of the hacker groups under the Magecart umbrella that's been linked to web skimming attacks on

NutriBullet

,

MyPillow

, as well as several websites owned by a national diamond exchange.

The MyPillow breach, in particular, is noteworthy because of similarities in the modus operandi, which involved injecting a malicious third-party JavaScript hosted on "mypiltow.com," a homoglyph of "mypillow.com."

"Threat actors love to take advantage of any technique that will provide them with a layer of evasion, no matter how small that is," the researchers said. "Code re-use poses a problem for defenders as it blurs the lines between the different attacks we see and makes any kind of attribution harder."

As phishing scams gain more sophistication, it's essential that users scrutinize the website URLs to ensure that the visible link is indeed the true destination, avoid clicking links from emails, chat messages, and other publicly available content, and turns authenticator-based multi-factor verification to secure accounts from being hijacked.

Found this article interesting? Follow THN on

Facebook

,

Twitter

and

LinkedIn

to read more exclusive content we post.



via https://www.aiupnow.com by noreply@blogger.com (Ravie Lakshmanan), Khareem Sudlow