In the latest scheme, the malicious code is hidden inside a favicon - an icon associated with a URL that is displayed in a browser's address bar or next to the site name in a bookmark list - and hosted on a domain controlled by the attackers, according to Malwarebytes.
"I would not call this attack sophisticated but clever instead," says Jerome Segura, director of threat intelligence at Malwarebytes. "It shows that there are many different ways to evade detection, and all it takes is a bit of creativity."
These favicon-based attacks started only within the past week, and it's not clear how many sites have been affected or how much payment card data may have been taken. "We noted a handful of sites that were caught up in this, probably because of how recent this attack is," Segura tells Information Security Media Group. The report did not name the targeted sites.
This new Magecart-style scheme was discovered during routine checks of customer logs, according to Malwarebytes. Researchers noticed several ecommerce sites loading a Magento favicon from a suspicious domain called Myicons[dot]net.
Magento, which is owned by Adobe, is a popular content management system that ecommerce companies use to build and host their online checkout pages. It's also a frequent target of Magecart attacks, researchers note (see: Magento Marketplace Suffers Data Breach, Adobe Warns).
Many of the icons hosted on the Myicons site were stolen from a legitimate site called Iconarchive.com, according to the Malwarebytes report.
The attackers used a server-side technique to swap the icon's PNG image code for the skimmer code, according to Malwarebytes. If ecommerce customers enter their payment card data on an infected site, the information is harvested and sent back to the attackers.
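A defender-side check for the pattern described above, as an added example that is not from Malwarebytes or the original report: it lists a page's favicon links, flags any served from a host other than the store's own, and flags any whose response body is not PNG or ICO image data. The hostnames, the sample HTML, the sample response bodies and the caller-supplied `fetch` function are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature
ICO_MAGIC = b"\x00\x00\x01\x00"    # ICO header: reserved=0, type=1 (icon)

class FaviconLinks(HTMLParser):
    """Collect href values of <link> tags whose rel contains "icon"."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])

def audit_favicons(page_url, html, fetch):
    """Return [(favicon_url, [findings])]; fetch(url) -> bytes is supplied by the caller."""
    parser = FaviconLinks()
    parser.feed(html)
    site_host = urlparse(page_url).hostname
    report = []
    for href in parser.hrefs:
        url = urljoin(page_url, href)          # resolve relative hrefs
        findings = []
        if urlparse(url).hostname != site_host:
            findings.append("third-party host")
        if not fetch(url).startswith((PNG_MAGIC, ICO_MAGIC)):
            findings.append("body is not PNG/ICO image data")
        if findings:
            report.append((url, findings))
    return report

# Constructed sample input: one externally hosted icon, one first-party icon.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="https://icons.example.net/magento.png">
<link rel="icon" href="/media/favicon.png">
</head><body>checkout</body></html>"""
SAMPLE_RESPONSES = {
    "https://icons.example.net/magento.png": b"/* constructed placeholder: text, not image bytes */",
    "https://shop.example.com/media/favicon.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
}

if __name__ == "__main__":
    for url, findings in audit_favicons("https://shop.example.com/checkout", SAMPLE_HTML, SAMPLE_RESPONSES.__getitem__):
        print(url, findings)
```

A third-party favicon host is a prompt for review rather than proof of compromise; the content check is the stronger signal.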
Malwarebytes researchers are contacting ecommerce firms that have been affected by this Magecart-style campaign and further investigating the infrastructure used in the incidents.
Managing Editor Scott Ferguson contributed to this report.