Infected Favicon and Homograph Domain used to skim credit cards

August 29, 2020

The latest phishing campaign trend today uses an evasive phishing technique that leverages on homoglyph or homograph domain and infected favicon modified to inject concealed electronic skimmer codes to capture credit card information of their targeted website and their visitors.


infected favicon image 1



The idea behind the scam is to copy or make the domain and website look like the legitimate targeted website to dupe users into entering their credit card information upon checking out or purchasing. Taking advantage of the typo using characters of a different language set or capitalizing a letter(e.g., i) to look like a lower-case letter(e.g., l). This phishing technique is called IDN (Internationalized Domain Name) Homograph Attack.


This technique has been on multiple domains used by Magecart group hackers to load credit card skimming kits that are embedded in infected favicon files.


The visual appeal of the fraudulent homograph domain used in this attack with the similar character scripts deceives unaware users into visiting and exploring the website pages and unloading malware scripts into the user’s system.

In several instances, cybersecurity researchers found that legitimate web pages and websites got hacked and injected with a line of code that references an infected favicon icon file from a decoy homograph domain hosted website. When the browser loads the icon from the homoglyph domain, the inter JavaScript skimmer that will capture all the critical payment information entered by the user will subsequently be exfiltrated towards the homograph domain that hosts the infected favicon icon file.

Interestingly, the phishing technique that was observed has similarities to web skimming attacks carried out by the Magecart Group 8 on NutriBullet, MyPillow, and several other eCommerce online stores.

“Threat actors love to take advantage of any technique that will provide them with a layer of evasion, no matter how small that is,” a cybersecurity researcher said.

To date, phishing scams are gaining more sophistication. It is critical for users and organizations to carefully inspect the webpages, scripts, domains, and URLs to ensure that the intended destination of credit card transactions is indeed the correct ones. Steer clear of clicking links and attachments in chats, emails, and SMS messages that came from unexpected senders and get the latest anti-phishing solutions that would automate the process of identifying malicious codes and contents on the websites you and your organization visits.

About the author

Leave a Reply