Cybercriminals use all kinds of tricks to try to legitimize malicious websites, files, emails, and other content in hopes of trapping unsuspecting users. A new malware campaign analyzed by cybersecurity firm Malwarebytes employs a particularly deceptive strategy to empower credit card skimming attacks.

In a card skimming campaign, hackers gain access to an e-commerce site and hide malicious code on that site. When a customer checks out and enters the credit card information to pay for the purchase, the card details are captured by the criminals behind the operation without the user’s knowledge.

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) (TechRepublic)

In a blog post published Wednesday, Malwarebytes described the process through which one particular website is serving as a host for skimming attacks. On the surface, a site named looks innocent enough as it offers images and icons for people to download. Among the images available are favicons, which are icons that appear on a website’s browser tab as a means of branding or identification.

Upon investigation, though, Malwarebytes discovered that the domain name of was registered just a few days prior and hosted on a server previously identified as malicious. Further, appropriated all its content from another site named simply by pointing to that site within an HTML iframe.

Digging further, Malwarebytes found that several e-commerce sites were loading an Adobe Magento favicon from the domain. Though the security firm suspected that this favicon was malicious, it was unable to find any extra code inside it. However, it did uncover malicious activity on the e-commerce sites that were loading the Magento favicon from

Instead of serving up an image file, the server was actually loading code consisting of a credit card payment form. This form is loaded dynamically and overrides the PayPal checkout option with its own menu for MasterCard, Visa, Discover, and American Express cards. In the end, any credit card information entered through this form is then sent back to the criminals.

Malicious content hijacks default payment form.
Image: Malwarebytes

Jerome Segura, director of threat intelligence for Malwarebytes, summed up the sophistication of this operation.

“The website is a copycat of a legitimate website used to trick researchers/scanners,” Segura said. “It hosts a Magento favicon, which looks like a legitimate image file except when it is loaded from a compromised checkout page. In this case, the image is swapped for malicious JavaScript code instead. It’s a brilliant idea because it is conditional on the right elements to be in place when on the surface everything looks clean.”

Though it relies on the old tactic of card skimming, this particular campaign is fairly new, less than a week old, according to Segura. However, Malwarebytes believes that the criminal group behind it is an established one that is diversifying its operations and running several campaigns at the same time.

Because the campaign is new, it hasn’t yet hit a large number of users or sites.

“Like with any ongoing credit card skimming campaign, there are going to be a certain number of victims, typically determined by the size of the operation,” Segura said. “We only detected a handful of compromised merchants here, probably due to this having been just rolled out.”

Finally, how can website users protect themselves from these types of credit card skimming attacks?

“Web skimming is difficult to protect against because it can affect just about any brand and is invisible to the user,” Segura said. “However, you can limit exposure by choosing certain types of payments that do not involve typing out your credit card number each time. Additionally, we recommend web content filtering provided by some security vendors to block known skimming infrastructure.”

Getty Images/iStockphoto