What’s a favicon? That’s the little icon symbol that you see before a website in your browser tabs or before sites in your favorites/bookmarks list. Favicon is short for ‘favorite icon’. If this is still confusing, they look like this in your browser and this in your favorites list.
So when you open a new tab, your browser will retrieve the site name and the icon associated with it.
Seems pretty innocent, right? Well, in the cyber world, the most innocent things can be guilty of doing bad things. Such is the case with favicons. But what harm can such a small thing do, you may ask? The answer is more than you can probably believe.
The sinister use of favicons begins with directing users to a malicious site which masks itself by attempting to appear as a legitimate site. This is done through an iframe attack. In the image below (modified from Malwarebytes Labs), the legitimate site, iconarchive.com, was taken over by the criminals in this way.
The image above shows an iframe attack which loads one site within another. In this case, the attackers loaded the complete, legitimate iconarchive.com site under their banner, myicon.net.
The reason why the criminals did this was not initially clear. The goal behind this was only discovered when the researchers tried to check out from a compromised shopping site which used the Magento commerce platform. Anyone who shops online will be familiar with the form presented at checkout. It will look something like this.
However, when the researchers tried to check out from a compromised Magento site, the attackers directed them back to the myicon.net site and, instead of retrieving a simple favicon, retrieved code which produced a credit card information form.
Thus, any information the victim entered into this fake form would be encoded and sent back to the criminals. The victim would believe they made a legitimate purchase while the criminals did what they wanted with the stolen credit card data. So do you still think favicons are innocent?
A number of recent attacks have been made by getting victims to download infected apps, often from legitimate sites. Little did those downloading the apps realize that the icon that came with the app would lead to their victimization.
After downloading the bad app to their Android device, everything would appear to be fine. The app would be installed, and the icon that came with it would appear as it would with any app. The problem only began when they tried to use the app for the first time. Here’s an example from Sophos.
The app appears as expected here, but this is what happens when the victim tries to open it.
After the warning, the victim is automatically directed to the Google Maps page in the Google Play Store which will have the same warning as shown above. At this point, the victim may think that there is some incompatibility issue between the new app and Google Maps. In any event, when the victim looks for the new app, the icon for it has disappeared. The user would probably forget about it. However, the sad truth is that when the victim clicked on the icon, code was installed on their Android device which removed the icon in the process. From this point on, the invisible app will be presenting the victim with annoyingly visible ads.
Other malicious apps hide under icons that are either exact copies of legitimate app icons or are close approximations of them. Some apps change their icons to generic system icons after they are downloaded. This prevents these apps from being easily removed because no one wants to risk removing important system components.
So far, the goal for most of these devious apps is to present advertisements, but they could do far worse in the wrong hands.
Not So Funny GIFs
We’ve all seen animated GIFs. Usually, they are of animals doing really stupid things. It’s quite common for good GIFs to be widely shared. Most people who share them are not hackers but, in some cases, they may inadvertently have been doing the hackers’ work for them.
Recently, Microsoft had to fix a vulnerability in its conferencing software, Teams. The vulnerability could have been exploited to gather account information from everyone on a network. This could be accomplished by sharing a GIF with others on the account network. The person receiving the GIF didn’t even have to open it to be a victim. You can see the flow of this attack in the image below. Notice how the account tokens all return to the attacker along with their information.
Back in 2018, researchers found an infected animated GIF that carried a keylogger. The GIF, shown below, seems innocent on the surface and may evade suspicion. It doesn’t seem interesting enough for most people to share. (Don’t worry, the version below holds no malware.) The original contained a keylogger which would capture all of the victim’s keystrokes, including login information, passwords, messages, and emails.
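The favicon-as-skimmer trick described earlier and the keylogger GIF above share one lesson for defenders: an artifact that is supposed to be an image should be checked to see whether it really is only an image. The following Python is an added example, not code from the original post or from the Malwarebytes or Sophos research it cites. It does two things: it compares what a favicon response claims to be (its Content-Type) against its actual leading bytes, flagging HTML or script where an icon should be, and it walks a GIF’s block structure to report any bytes appended after the file’s own end-of-file marker. Treating trailing data as a warning sign is a general heuristic assumed here, not a statement about how the 2018 sample was built. All sample bytes are constructed for the demo.

```python
"""Sanity checks for "innocent" web artifacts: does a favicon response really
contain an icon, and does a GIF carry anything after its own end-of-file marker?
Added example; every sample below is constructed, not captured from any site."""

ICO_MAGIC = b"\x00\x00\x01\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
MARKUP_TOKENS = (b"<html", b"<script", b"<form", b"<iframe", b"<input")


def sniff_image_type(body: bytes):
    """Identify the image format from leading magic bytes, ignoring any header claims."""
    if body.startswith(ICO_MAGIC):
        return "ico"
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(GIF_MAGICS):
        return "gif"
    return None


def classify_favicon(content_type: str, body: bytes) -> str:
    """Compare what a favicon URL claims to serve with what the bytes actually are."""
    declared = content_type.split(";")[0].strip().lower()
    actual = sniff_image_type(body)
    lowered = body[:4096].lower()
    if actual is None and any(tok in lowered for tok in MARKUP_TOKENS):
        return "markup_or_script"  # HTML/JS where an icon should be: the skimmer pattern
    if actual is None:
        return "unknown_format"
    if not declared.startswith("image/"):
        return "image_with_non_image_content_type"
    return "ok"


def gif_trailing_bytes(body: bytes):
    """Walk the GIF block structure up to the 0x3B trailer and return whatever
    follows it. A well-formed image returns b""; extra bytes mean something was
    appended. Returns None if the data is not a GIF; raises ValueError if malformed."""
    if not body.startswith(GIF_MAGICS) or len(body) < 13:
        return None

    def skip_subblocks(p: int) -> int:
        # Data sub-blocks: a length byte followed by that many bytes, ended by a 0 byte.
        while True:
            if p >= len(body):
                raise ValueError("truncated sub-block chain")
            size = body[p]
            p += 1
            if size == 0:
                return p
            p += size

    pos = 6
    packed = body[pos + 4]                 # logical screen descriptor flags
    pos += 7
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))  # 2^(N+1) entries of 3 bytes
    while pos < len(body):
        block = body[pos]
        pos += 1
        if block == 0x3B:                  # trailer: the image ends here
            return body[pos:]
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos += 1
            pos = skip_subblocks(pos)
        elif block == 0x2C:                # image descriptor
            if pos + 9 > len(body):
                raise ValueError("truncated image descriptor")
            lpacked = body[pos + 8]
            pos += 9
            if lpacked & 0x80:             # local colour table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size byte
            pos = skip_subblocks(pos)
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no trailer found")


# Constructed 1x1 GIF89a standing in for the "innocent" image.
MINIMAL_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b"
)


def check_artifact(content_type: str, body: bytes) -> dict:
    """Combined verdict for one fetched artifact."""
    result = {"favicon_check": classify_favicon(content_type, body), "gif_trailing_bytes": None}
    if sniff_image_type(body) == "gif":
        try:
            result["gif_trailing_bytes"] = len(gif_trailing_bytes(body))
        except ValueError as exc:
            result["gif_trailing_bytes"] = f"malformed: {exc}"
    return result


if __name__ == "__main__":
    print(check_artifact("image/gif", MINIMAL_GIF))
    print(check_artifact("image/gif", MINIMAL_GIF + b"constructed appended data"))
    print(check_artifact("image/x-icon", b"<script>/* constructed sample */</script>"))
```

The classification is deliberately ordered so that markup served under an image Content-Type is the most serious verdict: that is exactly the mismatch a compromised favicon URL produces. The GIF walker only needs the block lengths, never the pixel data, so it runs cheaply on every image that passes through a proxy or mail gateway.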
I suppose the point to be made here is that the more innocent a digital component seems, the more likely it is to be abused. There’s a very simple reason for this. Hackers need people to trust them. Something seemingly innocent such as an icon, GIF, favicon, or meme is more likely to be trusted or shared with others than a suspicious attachment. It may all lead us to a conclusion reached by Mussolini: “It’s good to trust others, but not to do so is much better.”