An Imaginative Cyber Heist
The image of a cyber criminal as a hoodie-wearing loner - who causes chaos by hacking servers - has become more pervasive in recent years but in reality is an outdated caricature. As with any criminal activity, there are organisations ranging from 'sole traders' to complex organisations with commission structures, training courses, call centres and more (although some of those 'sole traders' are still dangerous).
A few years back I wrote an article called Following the Phisher which takes a quick look at an example of the well structured & planned 'throwaway' hosting structures used by criminals to target companies.
More recently, I saw another similar example showing the imaginative methods and planning lengths criminals will go to for even low-value returns, with a well-planned "watering hole" style campaign targeting e-commerce stores.
A recent report by MalwareBytes published details of this attack and its implementation of simple browser-based malware called a credit card skimmer. This is where a criminal manages to insert their own malicious code into a payment page on an ecommerce website, replacing the real credit card form with a fake one, the same exploit that cost British Airways dearly in 2018.
Obviously the challenge in deploying card skimming code to a target website is getting the code embedded and loading, then avoiding detection for as long as possible. The MalwareBytes report shows how one criminal group "played the long game" and took an unusual route to do this en masse.
Favicons
As a web developer (another life), a pesky task that always had to be done before launching a website was creating a favicon image (the little icon on the tab in your browser).
Often I would upload a PNG to a third party 'favicon generator' to produce the icon I needed. Some services even went one step further, hosting a library of favicons you could simply reference in your website.
When Favicons Attack!
In order to get a malicious file onto multiple ecommerce websites passively (with no hacking/breach needed), a group of criminals set up one of these favicon websites, using all of the content from a legitimate service called iconarchive.com.
In the image opposite (courtesy of MalwareBytes) you can see the copycat website (top) and the original website (below).
Web developers and website owners would use the bogus website to get a favicon for their website, effectively opening the door to malicious code themselves (with no additional work needed from the criminals).
The Kicker
As a demonstration of the sophistication that went into this passive attack, the favicon was loaded as normal on all web pages apart from payment pages, making it harder to detect. Any web pages that were identified as having a credit card form on them were served a malicious JavaScript file in place of the favicon file. This JavaScript replaced the payment form with a form that grabbed the payment data and sent it to the criminals.
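The behaviour described above (an image on every page, a script on the checkout page) is exactly the kind of inconsistency a site owner can check for. The following Python script is an added example, not code from the original article or from the MalwareBytes report: it takes responses for one hot-linked favicon URL captured from several pages (here constructed inline; in practice they would come from a proxy log or a headless browser) and flags a non-image Content-Type, a body whose bytes are not an ICO or PNG, and a resource whose contents differ depending on the page it was requested from. The URLs, headers and bodies in the sample are made up for the demonstration.

```python
"""Offline audit of a third-party-hosted favicon that changes shape per page.

Added example. Sample captures below are constructed, not real traffic.
"""
import hashlib
from dataclasses import dataclass

# Content types a favicon host is expected to return.
IMAGE_TYPES = {"image/x-icon", "image/vnd.microsoft.icon", "image/png"}
ICO_MAGIC = b"\x00\x00\x01\x00"          # ICO file header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"         # PNG file signature


@dataclass
class Capture:
    referer: str        # page on which the favicon was requested
    content_type: str   # Content-Type header the icon host returned
    body: bytes         # raw response body


def classify_body(body: bytes) -> str:
    """Identify the payload by its bytes, not by the header the server chose."""
    if body.startswith(ICO_MAGIC):
        return "ico"
    if body.startswith(PNG_MAGIC):
        return "png"
    head = body.lstrip()[:64].lower()
    script_tokens = (b"function", b"document.", b"var ", b"(function", b"window.")
    if head.startswith(b"<") or any(tok in head for tok in script_tokens):
        return "script"
    return "unknown"


def audit_favicon(captures) -> list:
    """Return human-readable findings for one favicon URL seen from several pages."""
    findings = []
    digests = {}
    for cap in captures:
        mime = cap.content_type.split(";")[0].strip().lower()
        if mime not in IMAGE_TYPES:
            findings.append(f"{cap.referer}: non-image Content-Type {cap.content_type!r}")
        kind = classify_body(cap.body)
        if kind not in ("ico", "png"):
            findings.append(f"{cap.referer}: body is {kind}, not an icon")
        digests[cap.referer] = hashlib.sha256(cap.body).hexdigest()
    # The same URL should return the same bytes whatever page requested it.
    if len(set(digests.values())) > 1:
        detail = ", ".join(f"{r}={d[:12]}" for r, d in sorted(digests.items()))
        findings.append("favicon bytes differ between pages: " + detail)
    return findings


# Constructed sample: a valid-looking ICO on a product page, a script on checkout.
SAMPLE_CAPTURES = [
    Capture("https://shop.example/product/1", "image/x-icon",
            ICO_MAGIC + b"\x01\x00" + bytes(16)),
    Capture("https://shop.example/checkout", "application/javascript",
            b"(function(){ /* constructed placeholder, not a real payload */ })();"),
]

if __name__ == "__main__":
    for line in audit_favicon(SAMPLE_CAPTURES):
        print("FINDING:", line)
```

Any finding from this check is a reason to stop hot-linking the icon and serve it from the site's own origin, which removes the third party's ability to vary the response per page at all.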
Summary
As with any attack, if the favicon approach proves to be reasonably lucrative, we can expect to see more variations of this in the wild. While simple once broken down, it's another example of criminals planning, adapting and testing new methods for subverting security (in this instance, by having website owners deploy the malware themselves!).
No single security product or defence technique can protect businesses, requiring not just the 'layered approach' but one that is as agile and reactive as the adversary.
For a free consultation around cyber security, please get in touch with us at Perfect Image.