
Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons
2021-05-14 04:45

Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to compromised servers and inject JavaScript skimmers into online shopping platforms, with the aim of stealing financial information from their users.

Injecting web skimmers on e-commerce websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems.

While skimmer injection typically works by making a client-side request to an external JavaScript resource hosted on an attacker-controlled domain when a customer visits the online store in question, the latest attack is a little different in that the skimmer code is introduced into the merchant site dynamically on the server side.
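A defender-side check that follows from the two paragraphs above, added here as an example and not taken from the article or from Malwarebytes' tooling: it flags files on a web root that carry an image extension (favicon-style names included) but whose bytes are PHP code rather than image data. The list of image signatures and the sample inputs are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Magic bytes for the formats a favicon is normally served as (assumed list).
IMAGE_MAGIC = {
    ".ico": (b"\x00\x00\x01\x00",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
}
# Opening PHP tags; a genuine image should contain none of them.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify(data: bytes, suffix: str) -> str:
    """Compare a file's declared image type with its actual content.

    Returns one of:
      'image'    - signature matches the extension and no PHP tag is present
      'php_only' - no image signature at all, but PHP code is present (disguised script)
      'polyglot' - valid image signature with PHP code embedded or appended
      'unknown'  - neither an image signature nor PHP code
    """
    signatures = IMAGE_MAGIC.get(suffix.lower(), ())
    looks_like_image = any(data.startswith(sig) for sig in signatures)
    has_php = PHP_TAG.search(data) is not None
    if looks_like_image and not has_php:
        return "image"
    if has_php:
        return "polyglot" if looks_like_image else "php_only"
    return "unknown"


def scan_files(files: dict) -> list:
    """Return (name, verdict) for every image-named file whose content is suspicious."""
    findings = []
    for name, data in files.items():
        suffix = Path(name).suffix.lower()
        if suffix in IMAGE_MAGIC:
            verdict = classify(data, suffix)
            if verdict != "image":
                findings.append((name, verdict))
    return findings


def scan_webroot(root: Path) -> list:
    """Filesystem wrapper around scan_files for a real web root."""
    return scan_files({str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()})


# Constructed samples (not from the article): a real ICO header and a PHP body.
SAMPLE_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 32
SAMPLE_FAKE_FAVICON = b"<?php /* constructed placeholder, not a real shell */ echo 1; ?>"
```

Run `scan_webroot(Path("/var/www/html"))` (path assumed) from a cron job or a file-integrity check and alert on any non-empty result; a `php_only` hit on a favicon is the pattern described in this article.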

Malwarebytes attributed the latest campaign to Magecart Group 12 based on overlaps in the tactics, techniques, and procedures employed, adding: "The newest domain name we found happens to be hosted on the same IP address as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12."

From hiding card-stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers concealed within a website's favicon file, to using Google Analytics and Telegram as exfiltration channels, the cybercrime syndicate has intensified its efforts to compromise online stores.

Skimming has become so prevalent and lucrative a practice that the Lazarus Group, a collective of state-sponsored hackers affiliated with North Korea, attacked websites that accept cryptocurrency payments with malicious JavaScript sniffers to steal bitcoin and ether in a campaign called "BTC Changer" that started early last year.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/nFK0H3Q2zss/magecart-hackers-now-hide-php-based.html