Original Release Date: 8/13/2020
Malwarebytes Labs discovered a new credit card skimming campaign tied to the Magecart group using homoglyph techniques. This technique relies on fraudulent domain names that appear legitimate because they use similar-looking letters or characters. Threat actors use several domain names to load the Inter skimming kit inside a favicon (ICO) file. When users visit and submit information on the fraudulent websites, the skimming kit steals the information and sends it to the threat actors.
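The look-alike matching described above can be turned into a check that site owners run over the hosts their pages load resources from, such as favicons and scripts. This is an added example, not code from Malwarebytes Labs or the NJCCIC; the domain example-shop.com, the sample URLs and the small confusables map are constructed for illustration.

```python
"""Flag resource hosts that imitate a protected domain with look-alike characters."""
import unicodedata
from urllib.parse import urlsplit

# Constructed, partial confusables map (assumption: a real deployment would
# use the full Unicode confusables data). Look-alike -> ASCII it imitates.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u03bf": "o", "0": "o", "1": "l"}

# Constructed sample data: one protected shop domain and URLs seen in page loads.
PROTECTED = ["example-shop.com"]
SAMPLE_URLS = [
    "https://example-shop.com/static/favicon.ico",   # legitimate
    "https://cdn.example-shop.com/app.js",           # legitimate subdomain
    "https://ex\u0430mple-shop.com/favicon.ico",     # Cyrillic 'a' (U+0430)
    "https://examp1e-shop.com/favicon.ico",          # digit 1 in place of 'l'
    "https://unrelated.example.net/lib.js",          # unrelated third party
]

def to_unicode(host):
    """Lower-case a hostname and decode punycode (xn--) labels if present."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA

def skeleton(host):
    """Reduce a hostname to the ASCII string it visually resembles."""
    text = unicodedata.normalize("NFKC", to_unicode(host))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def find_lookalikes(urls, protected):
    """Return (url, host, imitated_domain) for hosts that look like, but are not, a protected domain."""
    targets = {skeleton(d): d.lower() for d in protected}
    hits = []
    for url in urls:
        host = to_unicode(urlsplit(url).hostname or "")
        skel = skeleton(host)
        for t_skel, real in targets.items():
            looks_same = skel == t_skel or skel.endswith("." + t_skel)
            is_real = host == real or host.endswith("." + real)
            if looks_same and not is_real:
                hits.append((url, host, real))
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_URLS, PROTECTED):
        print(hit)
```

The check only catches substitutions present in the map, so it complements rather than replaces CSP allow-lists and script-change monitoring.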
The NJCCIC advises online shoppers to exercise caution with unsolicited emails that contain links or attachments advertising discounts on purchases or requesting verification of account information. Instead of clicking links in emails, navigate directly to websites by manually typing the URL into the browser. We recommend using credit cards over debit cards for online purchases. Credit cards often have greater consumer protections that limit a victim’s liability if fraudulent purchases are made. Magecart attacks, in which malicious code is injected into online payment websites to steal financial data, are prevalent and pose a risk when shopping online. Additionally, the NJCCIC highly encourages all users to enable multi-factor authentication (MFA) on every account that offers it, including any online shopping websites.
Lastly, website administrators are urged to use only vetted first-party code, ensure hardware and software are up to date, use a web application firewall (WAF) to block and alert for potential code injection attacks, block unauthorized transmission of personal data by implementing a Content Security Policy (CSP), and schedule routine website scans to identify changes in JavaScript code composition. More information can be found in the Malwarebytes Labs post.