As part of one of the MageCart campaigns, hackers hid malicious code behind favicon

Malwarebytes experts have described an interesting MageCart campaign in which hackers set up a website to host favicons and used it to disguise malicious code as a favicon.

Let me remind you that the name MageCart was originally given to a single hack group, which was the first to plant so-called web skimmers on websites to steal bank card data.

“Hackers hack sites and then inject malicious code into their pages that records and steals payment card data when users enter it during checkout,” write Malwarebytes researchers.

This approach turned out to be so successful (the MageCart script even ended up embedded in the Forbes subscription site) that the group soon gained numerous imitators, and the name MageCart became a generic term that now covers a whole class of such attacks.

And if in 2018 RiskIQ researchers identified 12 such groups, by the end of 2019, according to IBM, there were already about 40 of them. Europol also put MageCart on its list of the most dangerous cyber threats of 2019.

Malwarebytes researchers write that the hack group has taken its operations to a whole new level of complexity. The company’s analysts uncovered the malicious campaign while investigating a series of strange hacks whose sole visible purpose was to replace the favicon on the compromised sites.

[Image: Malicious code behind favicon sites]

The new favicons were image files hosted on and did not contain malicious code. Although at first glance the substitution looked completely innocent, the experts found web skimmers on all of the affected sites, and something about the new favicon was wrong.

As further investigation showed, the trick was that the hosting site served a legitimate favicon file for every page of the attacked resource except the pages where the order forms were placed.

“On the checkout pages, replaced the usual favicon with a malicious JavaScript file that created a fake payment form and stole the user card details entered into it,” report Malwarebytes experts.

The experts note that site owners who noticed the requests to would find what looked like a harmless favicon hosting portal. In fact, however, this site was a clone of the legitimate portal and served as a front for the attacks.
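A defender-side check for this kind of conditional favicon serving, written here as an added example (not Malwarebytes’ tooling or the page’s own code): it classifies each favicon response by its magic bytes rather than trusting the Content-Type header, and flags pages whose “favicon” differs from what the rest of the site receives. The fetch helper, the request headers and the constructed sample responses are assumptions; the sample reproduces the pattern described above, where only the checkout page gets JavaScript.

```python
import re
import urllib.request

# Magic bytes of the image formats a favicon is normally served in.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
# Tokens that do not belong in an image file but are typical of injected JavaScript.
SCRIPT_HINTS = re.compile(rb"(\bfunction\b|document\.|window\.|eval\(|createElement|addEventListener)")


def classify_favicon(body: bytes) -> str:
    """Return the real format of a favicon response body, independent of headers."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<svg") or head.startswith(b"<?xml"):
        return "svg"
    if SCRIPT_HINTS.search(body):
        return "script"
    return "unknown"


def audit_responses(responses: dict) -> list:
    """responses maps a page path to the (content_type, body) the favicon URL returned
    when that page was sent as Referer. Flags pages whose favicon is not an image or
    whose format differs from the majority (the conditional-serving tell)."""
    formats = {path: classify_favicon(body) for path, (_, body) in responses.items()}
    baseline = max(set(formats.values()), key=list(formats.values()).count)
    return [(path, ctype, formats[path]) for path, (ctype, _) in responses.items()
            if formats[path] in ("script", "unknown") or formats[path] != baseline]


def fetch_favicon(favicon_url: str, referer: str, timeout: int = 10):
    """Live helper (network needed, assumed usage): request the favicon the way a browser
    on `referer` would, so the audit can be run against a real site you administer."""
    req = urllib.request.Request(favicon_url, headers={"Referer": referer, "User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


# Constructed sample: one favicon URL, three Referer values; only the checkout page gets JavaScript.
ICO_STUB = b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 16
SAMPLE = {
    "/": ("image/x-icon", ICO_STUB),
    "/product/42": ("image/x-icon", ICO_STUB),
    "/checkout": ("image/x-icon", b"var f=document.createElement('form');/* fake payment form */"),
}

if __name__ == "__main__":
    for path, ctype, fmt in audit_responses(SAMPLE):
        print(f"{path}: declared {ctype}, actually {fmt}")
```

To audit a live site, build the `responses` dict by calling `fetch_favicon` once per page path with that page’s full URL as the Referer.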

[Image: Original site and its clone]

In addition, it is worth noting that this site was hosted on the same servers that had previously been used in other skimmer operations, which Sucuri specialists had noticed a few weeks earlier.


James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
