Cybersecurity researchers today highlighted an evasive phishing technique that attackers are exploiting in the wild to target visitors of several sites with a quirk in domain names, and leverage modified favicons to inject e-skimmers and steal payment card information covertly.
“The idea is simple and consists of using characters that look the same in order to dupe users,” Malwarebytes researchers said in a Thursday analysis. “Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”
Called an internationalized domain name (IDN) homograph attack, the technique has been used by a Magecart group on multiple domains to load the popular Inter skimming kit hidden inside a favicon file.
The visual trickery typically involves leveraging the similarities of character scripts to create and register fraudulent domains of existing ones to deceive unsuspecting users into visiting them and introduce malware onto target systems.
In several instances, Malwarebytes found that legitimate websites (e.g., “cigarpage.com”) were hacked and injected with an innocuous piece of code referencing an icon file that loads a copycat version of the favicon from the decoy site (“cigarpaqe[.]com”).
This favicon loaded from the homoglyph domain was subsequently used to inject the Inter JavaScript skimmer that captures the information entered on a payment page and exfiltrates the details to the same domain used to host the malicious favicon file.
Interestingly, it appears that one such fake domain (“zoplm.com”) which was registered last month has been previously tied to Magecart Group 8, one of the hacker groups under the Magecart umbrella that’s been linked to web skimming attacks on NutriBullet, MyPillow, as well as several websites owned by a national diamond exchange.
The MyPillow breach, in particular, is noteworthy because of similarities in the modus operandi, which involved injecting a malicious third-party JavaScript hosted on “mypiltow.com,” a homoglyph of “mypillow.com.”
“Threat actors love to take advantage of any technique that will provide them with a layer of evasion, no matter how small that is,” the researchers said. “Code re-use poses a problem for defenders as it blurs the lines between the different attacks we see and makes any kind of attribution harder.”
As phishing scams gain more sophistication, it’s essential that users scrutinize the website URLs to ensure that the visible link is indeed the true destination, avoid clicking links from emails, chat messages, and other publicly available content, and turns authenticator-based multi-factor verification to secure accounts from being hijacked.
Leave a Reply