Magecart group uses homoglyph attacks to fool you into visiting malicious websites

A new campaign is utilizing the Inter kit and favicons to hide skimming activities.
Written by Charlie Osborne, Contributing Writer

A new credit card skimming campaign making use of homoglyph techniques has been connected to an existing Magecart threat group.

Homoglyph attacks may sound complicated, but they are simple to pull off in practice: look-alike characters are used in a domain name so that a fraudulent web address appears legitimate, and the attacker relies on visitors not noticing the small difference when they arrive.

For example, characters may be drawn from a different alphabet or chosen because they resemble another letter -- such as using a capital "i" in place of a lower-case "l".

Take PayPal as an example: a victim sent to "paypaI.com," which is spelled with an upper-case "i", may not notice the difference from the legitimate "paypal.com," which uses a lower-case "l".

This lends a fraudulent domain the appearance of legitimacy while malicious code, exploit kits, or credential skimmers operate behind it.

On Thursday, Malwarebytes researcher Jérôme Segura documented a recent homoglyph attack wave in which fraudsters are using numerous domain names to load the Inter skimming kit hidden inside a favicon file.


A Malwarebytes YARA rule detected the Inter kit in a file uploaded to VirusTotal. Inter is a popular framework sold online for $1,300 per license and used by cybercriminals to harvest information submitted through web pages, masquerading as visitor trackers, payment forms, and more.

Inter is usually detected through suspicious HTML or JavaScript. In this case, however, the malicious code was embedded in an .ico file, otherwise known as a favicon: the small icon a browser displays for a website.

The cybersecurity firm pulled up this alert and explored further, finding that the script was connected to a data exfiltration server, cigarpaqe[.]com. 

Noting the "q" in place of a "g," the team found that the legitimate website, "cigarpage[.]com," had been compromised: its code referenced the .ico file on the homoglyph domain, so the malicious copycat favicon was loaded from there rather than from the real site.

When visitors submitted their information via the legitimate domain's payment page, Inter would harvest their data and transfer it to the attacker's server. 


Other domains were registered using the same homoglyph technique, including fleldsupply[.]com (impersonating fieldsupply.com) and winqsupply[.]com (impersonating wingsupply.com).
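As an added illustration, and not code from Malwarebytes or from this article, the following Python script shows how a defender can catch the character swaps described above (a capital "i" for "l", a "q" for "g") and scan a page's favicon and script references for hosts that fold to the same visual skeleton as a protected domain, which is exactly how the copycat favicon on cigarpaqe[.]com was pulled into the real cigarpage[.]com page. The confusable table, the protected-domain list and the sample HTML are constructed assumptions; the domain pairs are the ones named in the article.

```python
"""Flag look-alike (homoglyph) hostnames referenced by a web page.

Added example for this article; not Malwarebytes' or ZDNet's code.
Assumes the defender knows the set of legitimate domains to protect.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Visually confusable ASCII characters mapped to one canonical form.
# Deliberately loose (it equates i, I, l and 1, and q with g) so the
# swaps seen in this campaign are caught; tuning this table is a
# defender's choice and this version is an illustrative assumption.
CONFUSABLE = {
    "I": "l", "i": "l", "1": "l", "|": "l",
    "q": "g",
    "0": "o",
    "5": "s",
    "8": "b",
}

# Constructed protected-domain list (the brands named in the article).
LEGIT_DOMAINS = ["cigarpage.com", "fieldsupply.com", "wingsupply.com"]


def skeleton(hostname: str) -> str:
    """Canonical form of a hostname for look-alike comparison.

    Confusables are folded *before* lowercasing: DNS is case-insensitive,
    so "paypaI.com" only works visually, and lowercasing first would turn
    the capital I into a harmless "i" and hide the trick.
    """
    host = hostname.strip().rstrip(".")
    if host.lower().startswith("www."):
        host = host[4:]
    folded = "".join(CONFUSABLE.get(ch, ch) for ch in host)
    return folded.lower()


def is_lookalike(candidate: str, legit_domains) -> Optional[str]:
    """Return the protected domain that `candidate` impersonates, or None.

    The genuine domain itself (compared case-insensitively) is never a
    look-alike; any other host with an identical skeleton is.
    """
    cand = candidate.strip().lower().rstrip(".")
    if cand.startswith("www."):
        cand = cand[4:]
    if any(cand == legit.lower() for legit in legit_domains):
        return None
    for legit in legit_domains:
        if skeleton(candidate) == skeleton(legit):
            return legit
    return None


class ResourceCollector(HTMLParser):
    """Collect the hosts of externally loaded favicons, scripts, images, frames."""

    TAG_ATTR = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, host, url)

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTR.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                host = urlparse(value).hostname  # handles "//host/x" too
                if host:
                    self.resources.append((tag, host, value))


def find_lookalike_resources(html: str, legit_domains):
    """Return [(tag, host, impersonated_domain, url)] for every resource
    the page loads from a host that is a look-alike of a protected domain."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, host, url in collector.resources:
        target = is_lookalike(host, legit_domains)
        if target is not None:
            findings.append((tag, host, target, url))
    return findings


# Constructed sample page modelled on the incident: the real site's own
# script is fine, a third-party CDN is fine, the favicon is not.
SAMPLE_HTML = """
<html><head>
<link rel="icon" href="https://cigarpaqe.com/favicon.ico">
<script src="https://cigarpage.com/js/checkout.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    for tag, host, target, url in find_lookalike_resources(SAMPLE_HTML, LEGIT_DOMAINS):
        print(f"<{tag}> loads {url}: host {host} looks like {target}")
```

Running the script reports the favicon fetched from cigarpaqe.com as a look-alike of cigarpage.com and says nothing about the legitimate script or the CDN. The same `skeleton` check applied to newly registered domains, or to hosts appearing in proxy logs, is a cheap early warning for the kind of infrastructure described in this campaign.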

"It may not be their first rodeo either as some ties point to an existing Magecart group," the researcher says. 

Malwarebytes believes that Magecart Group 8 is the orchestrator of these attacks due to a fourth domain, zoplm[.]com, that has been tied to the threat actors and has recently been re-registered following a past takedown. 

The company reached out to the webmaster of the impacted cigarpage domain, but the malicious code had already been removed. 


Segura noted that while homoglyph attacks cannot be attributed to a single threat actor or group of cybercriminals, they are still worth examining alongside patterns of infrastructure reuse.

"One thing we know from experience is that previously used infrastructure has a tendency to come back up again, either from the same threat actor or different ones," the researchers say. "It may sound counterproductive to leverage already known (and likely blacklisted) domains or IPs, but it has its advantages, too -- in particular, when a number of compromised (and never cleaned up) sites still load third party scripts from those."
