A new credit card skimming campaign making use of homoglyph techniques has been connected to an existing Magecart threat group.
Homoglyph attacks may sound complicated, but they are extremely simple to pull off in practice. Look-alike characters are used in a domain name to make a website address appear legitimate, and the attacker relies on visitors not noticing the small difference or apparent typo when they visit.
For example, characters may be selected from a different language set or picked to look like another letter -- such as swapping a capital "i" to appear like an "l".
If a victim is sent to a fraudulent domain -- let's take PayPal for example -- the difference between "paypal.com," which uses a legitimate, lower-case "l," and "paypaI.com," which uses an upper-case "i" instead, may not be apparent.
A convincing look-alike domain can therefore win a visitor's trust while malicious code, exploit kits, or credential skimmers are operating behind it.
On Thursday, Malwarebytes researcher Jérôme Segura documented a recent homoglyph attack wave, in which fraudsters are using numerous domain names to load the Inter skimming kit inside of a favicon file.
A Malwarebytes YARA rule detected the Inter kit on a file uploaded to VirusTotal. Inter is a popular framework that is being sold online for $1,300 per license and is used by cybercriminals to harvest information submitted into pages -- by masquerading as visitor trackers, payment forms, and more.
The cybersecurity firm pulled up this alert and explored further, finding that the script was connected to a data exfiltration server, cigarpaqe[.]com.
Noting the "q" standing in for a "g," the team found that the legitimate website, "cigarpage[.]com," had been compromised: code injected into it referenced the .ico file, so the malicious copycat favicon was loaded from the homoglyph domain.
When visitors submitted their information via the legitimate domain's payment page, Inter would harvest their data and transfer it to the attacker's server.
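A defender reviewing a checkout page can sanity-check the resources it loads from third-party hosts, starting with whether a "favicon" is actually an image. The following is an added example, not code from the article, from Malwarebytes, or from the Inter kit: it validates the ICO directory structure (and PNG/GIF magic bytes), then flags any JavaScript-like text inside the blob. The marker names, the sample blobs, and the `classify_favicon` verdicts are constructed for this illustration.

```python
import re
import struct
from typing import Dict, List, Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ICO_MAGIC = b"\x00\x00\x01\x00"   # reserved = 0, type = 1 (icon)

# Byte patterns that have no business inside an image file. The names are
# labels constructed for this example, not signatures from any vendor.
SCRIPT_MARKERS = {
    "script_tag": re.compile(rb"<script", re.I),
    "dom_access": re.compile(rb"\b(document|window)\.", re.I),
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "function": re.compile(rb"\bfunction\s*\(", re.I),
    "network": re.compile(rb"\b(XMLHttpRequest|fetch\s*\()", re.I),
}


def image_kind(blob: bytes) -> Optional[str]:
    """Identify the container by its magic bytes, validating ICO directory entries."""
    if blob.startswith(PNG_MAGIC):
        return "png"
    if blob.startswith(GIF_MAGICS):
        return "gif"
    if len(blob) >= 6 and blob[:4] == ICO_MAGIC:
        count = struct.unpack_from("<H", blob, 4)[0]
        if count == 0 or len(blob) < 6 + 16 * count:
            return None          # header promises entries the file does not hold
        for i in range(count):
            # ICONDIRENTRY is 16 bytes: dwBytesInRes at +8, dwImageOffset at +12
            size, offset = struct.unpack_from("<II", blob, 6 + 16 * i + 8)
            if offset < 6 + 16 * count or offset + size > len(blob):
                return None      # image data must follow the directory and fit in the blob
        return "ico"
    return None


def script_markers(blob: bytes) -> List[str]:
    """Names of the JavaScript-like patterns found anywhere in the blob."""
    return sorted(name for name, rx in SCRIPT_MARKERS.items() if rx.search(blob))


def classify_favicon(blob: bytes) -> Dict[str, object]:
    """Verdict for a resource that a page loads as its favicon."""
    kind = image_kind(blob)
    markers = script_markers(blob)
    verdict = "image" if kind is not None and not markers else "suspicious"
    return {"kind": kind, "markers": markers, "verdict": verdict}


def build_sample_ico() -> bytes:
    """Constructed minimal ICO: one 1x1 entry whose payload is a PNG-magic stub."""
    image = PNG_MAGIC + b"\x00" * 24
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return b"\x00\x00\x01\x00\x01\x00" + entry + image


# Constructed sample: a "favicon" that is really a script stub.
SCRIPT_DISGUISED_AS_ICO = b"(function(){var f=document.querySelector('form');})();"
# Constructed sample: an ICO header that promises one entry but is cut off.
TRUNCATED_ICO = b"\x00\x00\x01\x00\x01\x00"

if __name__ == "__main__":
    samples = [("real icon", build_sample_ico()),
               ("script", SCRIPT_DISGUISED_AS_ICO),
               ("truncated", TRUNCATED_ICO)]
    for label, blob in samples:
        print(f"{label:10} {classify_favicon(blob)}")
```

The structural check matters as much as the text search: a skimmer does not have to contain the word "document" in clear text, but it also cannot be a well-formed icon whose directory offsets all land inside the file. Pair this with a comparison of the response's Content-Type against what the bytes say, and with an allow-list of the hosts a payment page is expected to load resources from.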
Other domains were registered using the same homoglyph technique: fleldsupply.com imitates fieldsupply.com, and winqsupply.com imitates wingsupply.com.
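The substitutions above (I for l, q for g, l for i) can be caught mechanically by collapsing every domain to a "skeleton" in which confusable characters share one canonical form, then comparing the skeleton against a watch-list of brands or partner domains. The following is an added example written for this article, not code from Malwarebytes or from the article itself; the confusables table is constructed from the substitutions described here plus a few Cyrillic letters, and the `skeleton`, `lookalike_of` and `scan` helpers are illustrative names. Punycode (xn--) labels are decoded with Python's built-in idna codec so non-ASCII look-alikes are visible before comparison.

```python
import unicodedata
from typing import Dict, Iterable, Optional

# Visually confusable characters mapped to one canonical form. Table constructed
# for this example; keys are lower-case because text is case-folded first, so an
# upper-case "I" becomes "i" and then collapses to "l" like the article's paypaI.
SINGLE_CONFUSABLES = {
    "i": "l", "1": "l", "|": "l",
    "0": "o",
    "q": "g",            # cigarpaqe -> cigarpage, winqsupply -> wingsupply
    "5": "s", "$": "s",
    "\u0430": "a",       # Cyrillic a
    "\u0435": "e",       # Cyrillic e
    "\u043e": "o",       # Cyrillic o
    "\u0440": "p",       # Cyrillic er, renders like Latin p
    "\u0441": "c",       # Cyrillic es, renders like Latin c
}
# Two-character sequences that read as a single letter in most fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so non-ASCII look-alikes become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode: compare as-is


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical skeleton so look-alikes compare equal."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    # Drop combining accents and fold case before applying the confusables table.
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    for pair, single in MULTI_CONFUSABLES.items():
        text = text.replace(pair, single)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in text)


def lookalike_of(candidate: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watch-list domain that `candidate` imitates, or None.

    An exact, case-insensitive match is the legitimate domain itself rather
    than a look-alike, so it is reported as None.
    """
    cand = skeleton(candidate)
    for legit in watchlist:
        if candidate.lower() != legit.lower() and cand == skeleton(legit):
            return legit
    return None


def scan(candidates: Iterable[str], watchlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every candidate domain to the domain it imitates (None if clean)."""
    watch = list(watchlist)
    return {c: lookalike_of(c, watch) for c in candidates}


# Constructed sample input: the legitimate domains named in the article, the
# look-alikes registered against them, and two controls that must not be flagged.
WATCHLIST = ["paypal.com", "cigarpage.com", "fieldsupply.com", "wingsupply.com"]
SUSPECTS = [
    "paypaI.com",       # upper-case i for l
    "cigarpaqe.com",    # q for g
    "fleldsupply.com",  # l for i
    "winqsupply.com",   # q for g
    "cigarpage.com",    # the real domain
    "example.com",      # unrelated domain
]

if __name__ == "__main__":
    for domain, target in scan(SUSPECTS, WATCHLIST).items():
        print(f"{domain:20} -> {target or 'no match'}")
```

Running the scan over newly registered domains, certificate-transparency logs, or the hosts seen in a site's own resource loads turns the "q for g" trick into a plain string comparison. The skeleton is deliberately coarse (it treats i, l and 1 as one letter), so matches are leads for review against a watch-list, not a verdict on arbitrary domain pairs.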
"It may not be their first rodeo either as some ties point to an existing Magecart group," the researcher says.
Malwarebytes believes that Magecart Group 8 is the orchestrator of these attacks due to a fourth domain, zoplm[.]com, that has been tied to the threat actors and has recently been re-registered following a past takedown.
The company reached out to the webmaster of the impacted cigarpage domain, but the malicious code had already been removed.
Segura noted that while homoglyph attacks are not attributable to just one threat actor or group of cybercriminals, they are still worth examining alongside infrastructure reuse.
"One thing we know from experience is that previously used infrastructure has a tendency to come back up again, either from the same threat actor or different ones," the researchers say. "It may sound counterproductive to leverage already known (and likely blacklisted) domains or IPs, but it has its advantages, too -- in particular, when a number of compromised (and never cleaned up) sites still load third party scripts from those."