Hackers Using Homograph Domains And Infected Favicon
Cybersecurity researchers today highlighted an evasive phishing technique that attackers are exploiting in the wild to target visitors of several sites with a quirk in domain names, and leverage modified favicons to inject e-skimmers and steal payment card information covertly. Sophisticated skimming attacks like Magecart have incorporated favicons before and impacted well-known companies like Claire’s, Tupperware, Smith & Wesson, Macy’s, and British Airways.
Being mere images, favicons give off the impression they are innocuous. But attackers find ways to abuse the associated metadata within these files for sinister purposes. “The idea is simple and consists of using characters that look the same in order to dupe users,” Malwarebytes researchers said in a Thursday analysis. “Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”
Called an internationalized domain name (IDN) homograph attack, the technique has been used by a Magecart group on multiple domains to load the popular Inter skimming kit hidden inside a favicon file.
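A favicon is only an image, so the place a skimmer can hide is the file's text metadata rather than its pixels. The following Python script is an added example (not code from the article or from Malwarebytes) of a defender-side check: it parses a PNG chunk by chunk, pulls out the tEXt/zTXt/iTXt metadata, verifies each chunk's CRC, and flags metadata that contains generic JavaScript markers. The sample favicons, the `build_png` helper and the indicator list are all constructed for this example; they are not signatures for the Inter kit or any other real skimmer.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Generic JavaScript markers that have no business inside an image's text
# metadata. Constructed for this example; not a signature for any real kit.
SCRIPT_INDICATORS = [
    re.compile(rb"<script\b", re.IGNORECASE),
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bfunction\s*\("),
    re.compile(rb"\bdocument\.(?:write|createElement|getElementById|cookie)\b"),
    re.compile(rb"\bXMLHttpRequest\b"),
    re.compile(rb"\bfetch\s*\("),
]


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(text_chunks):
    """Build a minimal 1x1 RGB PNG carrying the given (keyword, text) tEXt chunks.
    Used only to construct sample favicons for this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    scanline = b"\x00" + b"\xff\xff\xff"                  # filter byte + one white pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        png += _chunk(b"tEXt", keyword + b"\x00" + text)
    return png + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for every chunk in order; stops at IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == stored_crc
        yield ctype, data, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_payload(ctype: bytes, data: bytes):
    """Return (keyword, text) for the three PNG text chunk types, else None."""
    if ctype not in (b"tEXt", b"zTXt", b"iTXt"):
        return None
    keyword, _, rest = data.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        # rest[0] is the compression method (0 = zlib/deflate), then compressed text
        try:
            return keyword, zlib.decompress(rest[1:])
        except zlib.error:
            return keyword, rest[1:]
    # iTXt: compression flag, compression method, language tag\0, translated keyword\0, text
    compressed = rest[:1] == b"\x01"
    rest = rest[2:]
    _, _, rest = rest.partition(b"\x00")
    _, _, rest = rest.partition(b"\x00")
    if compressed:
        try:
            rest = zlib.decompress(rest)
        except zlib.error:
            pass
    return keyword, rest


def scan_favicon(png: bytes):
    """Return a list of (chunk type, keyword, indicator) findings; empty means clean."""
    findings = []
    for ctype, data, crc_ok in iter_chunks(png):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append((name, "", "crc mismatch"))
        payload = text_payload(ctype, data)
        if payload is None:
            continue
        keyword, text = payload
        for pattern in SCRIPT_INDICATORS:
            if pattern.search(text):
                findings.append((name, keyword.decode("latin-1", "replace"), pattern.pattern.decode()))
                break
    return findings


# Constructed samples: a benign favicon, and one whose Comment chunk carries a
# harmless placeholder script tag where only text should be.
CLEAN_FAVICON = build_png([(b"Copyright", b"(c) 2020 example-shop, all rights reserved")])
SUSPECT_FAVICON = build_png([
    (b"Copyright", b"(c) 2020 example-shop"),
    (b"Comment", b"<script>document.getElementById('placeholder');</script>"),
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_FAVICON), ("suspect", SUSPECT_FAVICON)):
        print(label, scan_favicon(sample))
```

Run it over the favicons a site actually serves (fetched from the same URLs the pages reference) rather than the copies in the repository: the point of the technique is that the deployed file differs from what the site owner believes is there. A CRC mismatch is worth reporting on its own, since hand-patched chunks are a common side effect of editing metadata with non-image tooling.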
The visual trickery typically exploits the similarity of characters from different scripts: attackers register fraudulent domains that look identical to existing ones, lure unsuspecting users into visiting them, and deliver malware to the victims' systems from there.
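To see how a defender can catch both flavours of the trick described above (characters from a different script, and ASCII lookalikes such as a capital "I" standing in for "l"), here is an added Python example that is not part of the article. It decodes punycode with the standard library's `idna` codec, flags labels that mix scripts, and reduces each hostname to a confusable "skeleton" so it can be compared against a list of domains you want to protect. The confusable table is a hand-picked subset of the Unicode TR39 data, and the protected domains and candidate hostnames are constructed for the example.

```python
import unicodedata

# Hand-picked subset of visually confusable characters (the full data lives in
# Unicode TR39). Each lookalike maps to the ASCII letter it imitates.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u0261": "g",
    "I": "l", "1": "l", "0": "o",  # capital I and digit one vs l; zero vs o
}


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels; Unicode or plain ASCII hosts come back unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or malformed punycode
        return host


def skeleton(host: str) -> str:
    """Confusable skeleton: NFKC-normalize, map lookalikes to ASCII, then lower-case.
    The map runs before lower-casing so that capital I becomes l rather than i."""
    text = unicodedata.normalize("NFKC", to_unicode_host(host))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from each character's Unicode name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def analyse_host(host: str, protected: list) -> dict:
    """Report mixed-script labels and any protected domain this host would be confused with."""
    uhost = to_unicode_host(host)
    skel = skeleton(uhost)
    return {
        "unicode": uhost,
        "mixed_script_labels": [lab for lab in uhost.split(".") if len(scripts_in(lab)) > 1],
        "impersonates": [p for p in protected
                         if p.lower() != uhost.lower() and skeleton(p) == skel],
    }


# Constructed protected list and candidates; none of these are real sites.
PROTECTED = ["example-shop.com", "examplebank.com"]
CANDIDATES = [
    "ex\u0430mple-shop.com",   # Cyrillic a in place of Latin a
    "ExampIeBank.com",         # capital I in place of lowercase l
    "examp1e-shop.com",        # digit one in place of l
    "example-shop.com",        # the genuine domain
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        print(cand.encode("idna").decode("ascii"), analyse_host(cand, PROTECTED))
```

Two notes on the design. Comparing skeletons (rather than raw strings) is what makes the check survive both the multi-script and the all-ASCII variants of the attack; the exclusion of exact case-insensitive matches keeps the genuine domain from flagging itself. The stdlib codec implements IDNA2003; for production use against registrar data you would generally move to the `idna` package (IDNA2008) and the full TR39 confusables table, but the logic stays the same.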
Interestingly, it appears that one such fake domain (“zoplm.com”) which was registered last month has been previously tied to Magecart Group 8, one of the hacker groups under the Magecart umbrella that’s been linked to web skimming attacks on NutriBullet, MyPillow, as well as several websites owned by a national diamond exchange.
The researchers said:
“Threat actors love to take advantage of any technique that will provide them with a layer of evasion, no matter how small that is.”
“Code re-use poses a problem for defenders as it blurs the lines between the different attacks we see and makes any kind of attribution harder.”
“One thing we know from experience is that previously used infrastructure has a tendency to come back up again, either from the same threat actor or different ones. It may sound counterproductive to leverage already known (and likely blacklisted) domains or IPs but it has its advantages too, in particular when a number of compromised (and never cleaned up) sites still load third party scripts from those.”
As phishing scams grow more sophisticated, users should scrutinize website URLs to confirm that the visible link is indeed the true destination, avoid clicking links in emails, chat messages, and other publicly available content, and turn on authenticator-based multi-factor verification to keep their accounts from being hijacked.