
Hackers Hide Web Skimmer Behind a Website's Favicon (zdnet.com) 18

In one of the most complex and innovative hacking campaigns detected to date, a hacker group created a fake icons hosting website in order to disguise malicious code meant to steal payment card data from hacked websites. From a report: The operation is what security researchers refer to these days as a web skimming, e-skimming, or a Magecart attack. Hackers breach websites and then hide malicious code on its pages, code that records and steals payment card details as they're entered in checkout forms. Web skimming attacks have been going on for almost four years, and as security firms are getting better at detecting them, attackers are also getting craftier. In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.
  • by codeButcher ( 223668 ) on Wednesday May 06, 2020 @01:55PM (#60029358)

    If I had a website hosted on some server somewhere, including all its images and content, WHAT on earth would make me want my favicon to be hosted somewhere else? What on earth is the reason of existence for favicon hosting portals???

    • That's how the facebook, twitter, etc. icons you see on most websites work. They're not hosted by the site. They're hosted by facebook, twitter, etc. and the site instructs your browser to download it from there when you view the page. And they're not icons. They're scripts which run every time you visit a page with those icons, whose purpose is to track you and send browsing data about you back to those companies. (Unless you disable javascript by default, or run something like NoScript.)
      • Re:Wait WHAT?? (Score:4, Insightful)

        by PPH ( 736903 ) on Wednesday May 06, 2020 @02:21PM (#60029458)

        Yeah, but those aren't favicons. Favicons are 16x16 pixel images that appear on browsers' location bar/tabs. We know what Facebook and Twitter buttons are and what the consequences to our users' privacy are by including them. (Hint: Nothing good.) So if some third party site says, "Hey! Put our button on your page." the smart person will think very carefully.

        • by krray ( 605395 )

          > So if some third party site says, "Hey! Put our button on your page." the smart person will think very carefully.

          And that's where the problem starts...

        • Actually "favicons" have grown far beyond simple 16x16 pixels images.

          See realfavicongenerator.net for more details.

          • by PPH ( 736903 )

            > See realfavicongenerator.net for more details.

            I guess I don't see anything special. Other than their service for generating 'compatible' favicons for different browsers (which I assume means resizing and changing the file type to suit browsers that don't support the generic type/size), I see nothing. Their own site sent me a 16x16 PNG with no attached scripts or cookies (that they couldn't have sent me from their site anyway).

            I can see where they could be selling a 'service' to generate favicons on the fly with a sales pitch to stupid web developers t

            • I wasn't saying that their website was hosting icons, just that favicons are more than simple icons now (different icons depending on the size, default background colors for Windows/Mac/Android, etc).

              And if you need Javascript to set up favicons on your own website, you're the one who needs to quit the business.

    • These services don't just host your icon. They provide a few thousand icons you can use for free. "Free" in this case being "Free so long as you don't mind being ripped off".
  • Saved You a Click (Score:5, Informative)

    by SuperKendall ( 25149 ) on Wednesday May 06, 2020 @02:29PM (#60029500)

    Although the story itself is actually a decent read and not long, I thought it would be a kindness to say what the actual core trick here was...

    The deal was from all appearances it was a valid Favicon hosting site, and would feed up perfectly normal favicon images.

    EXCEPT for when you arrived at some payment screen, in which case instead of a favicon you'd get a bundle of Javascript producing a fake payment form to fill in.

    Unstated: How can you replace the download of a favicon image with Javascript and still have the browser run that... would have been nice to have the article go into even more detail on that.

    • Another comment here mistook favicon for a button embed. Imagine a blog with a row of buttons allowing readers to mark as favorite on facebook or twitter. Perhaps the article author made the same mistake.

      • Another comment here mistook favicon for a button embed

        That could well be, since the site is called MyIcons.net it seems like it could hold anything... they showed a screenshot of a web request for favicon but that was a valid request, not one of the corrupted items.

      • by q4Fry ( 1322209 )

        It's "favicon" in the Malwarebytes original. What is still unclear is SuperKendall's question: Does the browser execute scripts in a favicon? The content encoding changes to "text/html," which seems unlikely to be accepted by Chrome, the browser in the screenshots. Especially since Chrome gets all upset if your MIME type is wrong for SVG favicons, although the ones in the article are PNG.

        > While reviewing our crawler logs, we noticed requests to a domain called myicons[.]net hosting various icons and, in particular, favicons. Several e-commerce sites were loading a Magento favicon from this domain.

        It would have been nice to see a screenshot of the markup to see the <link rel="icon" href="[EVIL]" />

    • People are computer illiterate. They will put <script src="//evilsite.example.com/yourfaviconid"> in their page header if you tell them that's how you add a favicon to a website. That script outputs the necessary <link rel...> and does anything else the hackers want.
  • 1. How does someone get convinced to use a favicon on a different website? Was there a gallery set up somewhere? The attacking website just points to a legitimate one.
    2. How do you even configure Magento to use a favicon off a different website?
    3. The "payload" has a Content-Type: text/html, but it contains no HTML, and no script tag. So how is any script even executed?
    4. Why on Earth would a Web browser execute code inside something loaded as an image?

    • 4. Why on Earth would a Web browser execute code inside something loaded as an image?
      IE can

    • The .ico file likely had HTML/Javascript content redirecting requests to another site.
      Microsoft traditionally has decided to ignore content-type from webserver, and look inside the file.
      Remember, the site was exploited - So anything could be changed on the site. Maybe they changed the content-type mapping for .ico

      But the conclusion is, by hiding it this way, it was outside where HTML was expected to be found, and thus might have bypassed tripwire, or any other tools looking for the suspicious code. Most che
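
A defender-side check for the behaviour discussed in this thread, as an added example that is not from the Malwarebytes report or from any commenter: it flags resources requested as icons whose response is served from another host, carries a non-image Content-Type, or does not start with image magic bytes. The hostnames `shop.example` and `icons.example`, the function names and the sample records are all constructed for illustration.

```python
from urllib.parse import urlparse

# Leading bytes of the raster formats a favicon is normally served as.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "ico": b"\x00\x00\x01\x00",
               "gif": b"GIF8", "jpeg": b"\xff\xd8\xff"}
# SVG icons are text and need a different check, so they are left out here.
IMAGE_EXTENSIONS = (".ico", ".png", ".gif", ".jpg", ".jpeg")


def sniff_image(body):
    """Return the raster format the body starts with, or None."""
    for name, magic in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def audit_response(page_host, url, content_type, body):
    """Return findings for one resource that a page loaded as an icon."""
    findings = []
    parsed = urlparse(url)
    if (parsed.hostname or "") != page_host:
        findings.append("third-party-host")
    if parsed.path.lower().endswith(IMAGE_EXTENSIONS):
        ctype = content_type.split(";")[0].strip().lower()
        if not ctype.startswith("image/"):
            findings.append("content-type-mismatch")
        if sniff_image(body) is None:
            findings.append("body-not-image")
    return findings


SAMPLE = [  # constructed crawler records: same icon URL, different referring page
    {"referer": "https://shop.example/product/1", "url": "https://icons.example/assets/favicon.png",
     "content_type": "image/png", "body": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16},
    {"referer": "https://shop.example/checkout", "url": "https://icons.example/assets/favicon.png",
     "content_type": "text/html; charset=UTF-8", "body": b"/* script text */ var x = 1;"},
    {"referer": "https://shop.example/checkout", "url": "https://shop.example/favicon.ico",
     "content_type": "image/x-icon", "body": b"\x00\x00\x01\x00\x01\x00"},
]


def audit_crawl(records):
    """Audit each record against the host of the page that requested it."""
    return [(r["referer"], r["url"],
             audit_response(urlparse(r["referer"]).hostname, r["url"], r["content_type"], r["body"]))
            for r in records]


if __name__ == "__main__":
    for referer, url, findings in audit_crawl(SAMPLE):
        print(referer, url, findings or "ok")
```

Fetching the same icon URL with both a product-page and a checkout-page referer matters here, because the thread describes a server that returns a normal image everywhere except on payment pages.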
