How Cybercriminals use Favicons for Web Skimming Attacks

June 9, 2020 - Ensighten

The world of online skimming is constantly evolving as attackers look to evade detection. One of the latest ways in which hacking groups are disguising their skimming code is by embedding it into favicons, or at least appearing to do so.


A complex approach  

News came out recently about a complex and multi-faceted campaign, designed to exploit websites by injecting online skimming malware in order to steal personal data, such as credit card numbers – and while online skimming is nothing new, the method was. 

In this latest skimming method, attackers served up what appeared to be icons from the domain, and while the domain appears to now be offline, it was live until recently. According to research, the attackers had mirrored the website, stealing the content to make the domain and site look legitimate. 

One interesting thing to note was that to the casual observer the malicious site did appear to be legitimate in that it served legitimate icon images. However, when an exploited site was on a checkout page and requested an icon, instead of a regular icon being provided, malicious skimming code was sent which would then steal personal data as users entered it into the affected website.


Attacking the client-side of the website 

One thing that this recent attack method highlights is that client-side attacks are not slowing down – if anything, they are becoming more complex, capable and effective. Cybercriminals prefer client-side attacks because they often circumvent the strong protections that organizations utilize to protect their servers and can go undetected for significant periods of time. 

There are many ways to inject malicious code into a website, one of the most common being cross-site scripting (XSS). Hackers can also look to hide malware within third-party libraries which developers use to deliver additional website functionality such as chat bots or virtual shopping carts.




Network level protection is effective against online skimming 

Regardless of attack method, whether ibe embedding code directly within a library, by replacing a website form or by disguising it within an icon request, at some point the malware needs to extract data from the website which is where network level protection is effective. 

Client-side network level protection works by intercepting communication attempts from a web page to a remote server and validates that the server is listed as a permitted destination to send data. If the server is present on configured allowlist, then the communication is permitted, otherwise, it is prevented. 

In the case of an online skimming attack, when the malware attempts to exfiltrate the stolen user information, such as a credit card number, the network communication would be blocked, flagged and the organization alerted to the attempt. 

Ensighten’s technology provides client-side network level protection along with additional capabilities such as preventing CSS injection, ad injection and more. Get in contact to learn more. 



Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Online skimming guide

Learn more about online skimming attacks and how you can ensure your website is protected against data theft

Read Now

Magecart blog

Learn more about the most talked about cyberattack group and how you to ensure protection against Magecart attacks

Read Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming attacks

Book Now