Evil Favicons, Invisible Icons, and Not-So-Funny GIFs

Evil Favicons

What’s a favicon? That’s the little icon symbol that you see before a website in your browser tabs or before sites in your favorites/bookmarks list. Favicon is short for ‘favorite icon’. If this is still confusing, they look like this in your browser tabs

[Image: favicons shown in browser tabs]

and this in your favorites list.

[Image: favicons shown in a favorites list]

So when you open a new tab, your browser will retrieve the site name and the icon associated with it.

Seems pretty innocent, right? Well, in the cyber world, the most innocent things can be guilty of doing bad things. Such is the case with favicons. But what harm can such a small thing do, you may ask? The answer is more than you can probably believe.

The sinister use of favicons begins with directing users to a malicious site which masks itself by attempting to appear as a legitimate site. This is done through an iframe attack. In the image below (modified from Malwarebytes Labs), the legitimate site, iconarchive.com, was taken over by the criminals in this way.

[Image: stolen site]

The image above shows an iframe attack which loads one site within another. In this case, the attackers loaded the complete, legitimate iconarchive.com site under their banner, myicon.net.

The reason why the criminals did this was not initially clear. The goal behind this was only discovered when the researchers tried to check out from a compromised shopping site which used the Magento commerce platform. Anyone who shops online will be familiar with the form presented at checkout. It will look something like this.

[Image: Magento checkout form]

However, when the researchers tried to check out from a compromised Magento site, the attackers directed them back to the myicon.net site and, instead of retrieving a simple favicon, retrieved code which produced a credit card information form.

[Image: fake credit card form]

Thus, any information gathered by the criminals on this fake form would be encoded and sent back to them. The victim would believe they made a legitimate purchase while the criminals did what they wanted with the stolen credit card data. So do you still think favicons are innocent?
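As an added example (not from the original post or from the researchers it cites), the check below shows how a defender could spot this trick: it inspects what a favicon URL actually returns and flags responses that are not image data or that carry form or script markup. The sample responses and the two page contexts are constructed for illustration, and SVG icons, which are text-based, are not covered.

```python
# Added example: flag "favicon" responses that are not really images.
# All sample responses below are constructed for illustration.

IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Markup or script fragments that have no place in an icon file.
ACTIVE_MARKERS = (b"<script", b"<form", b"<input", b"<iframe", b"document.", b"eval(")


def sniff_image(body: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def check_favicon(content_type: str, body: bytes) -> list:
    """Return a list of findings for one favicon response (empty = looks fine)."""
    findings = []
    if not content_type.lower().startswith("image/"):
        findings.append("declared type is not image/*")
    if sniff_image(body) is None:
        findings.append("body does not start with a known image signature")
    lowered = body.lower()
    hits = [m.decode() for m in ACTIVE_MARKERS if m in lowered]
    if hits:
        findings.append("active content in body: " + ", ".join(hits))
    return findings


def compare_contexts(responses: dict) -> dict:
    """responses maps a page context to (content_type, body) for the SAME icon URL."""
    return {ctx: check_favicon(ct, body) for ctx, (ct, body) in responses.items()}


# Constructed captures: same icon URL requested from a product page and from checkout.
SAMPLE = {
    "product page": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "checkout page": ("image/png", b"<form id='pay'><input name='cc'></form><script>/*...*/</script>"),
}

if __name__ == "__main__":
    for ctx, findings in compare_contexts(SAMPLE).items():
        print(ctx, "->", findings or "ok")
```

Comparing the same icon URL across page contexts matters because a response that is a real image on ordinary pages can still differ at checkout.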

Invisible Icons

A number of recent attacks have been made by getting victims to download infected apps, often from legitimate sites. Little did those downloading the apps realize that the icon that came with the app would lead to their victimization.

After downloading the bad app to their Android device, everything would appear to be fine. The app would be installed, and the icon that came with it would appear as it would with any app. The problem only began when they tried to use the app for the first time. Here’s an example from Sophos.

[Image: app icon]

The app appears as expected here, but this is what happens when the victim tries to open it.

[Image: incompatibility warning]

After the warning, the victim is automatically directed to the Google Maps page in the Google Play Store which will have the same warning as shown above. At this point, the victim may think that there is some incompatibility issue between the new app and Google Maps. In any event, when the victim looks for the new app, the icon for it has disappeared. The user would probably forget about it. However, the sad truth is that when the victim clicked on the icon, code was installed on their Android device which removed the icon in the process. From this point on, the invisible app will be presenting the victim with annoyingly visible ads.

Other malicious apps hide under icons that are either exact copies of legitimate app icons or are close approximations of them. Some apps change their icons to generic system icons after they are downloaded. This prevents these apps from being easily removed because no one wants to risk removing important system components.

So far, the goal for most of these devious apps is to present advertisements, but they could do far worse in the wrong hands.

Not So Funny GIFs

We’ve all seen animated GIFs. Usually, they are of animals doing real stupid things. It’s quite common for good GIFs to be widely shared. Most people who share them are not hackers but, inadvertently, in some cases, they may have been colluding with hackers.

Recently, Microsoft had to fix a vulnerability in its conference software, Teams. The vulnerability could have been exploited to gather account information from everyone on a network. This could be accomplished by sharing a GIF with others on the account network. The person receiving the GIF didn’t even have to open it to be a victim. You can see the flow of this attack in the image below. Notice how account tokens all return to the attacker with their information.

[Image: Microsoft Teams attack flow]

Back in 2018, researchers found an infected animated GIF that carried a keylogger. The GIF, shown below, seems innocent on the surface and may evade suspicion. It doesn’t seem interesting enough for most people to share. (Don’t worry, the version below holds no malware.) The original contained a keylogger which would capture all of the victim’s keystrokes, including login information, passwords, messages, and emails.

I suppose the point to be made here is that the more innocent a digital component seems, the more likely it is to be abused. There’s a very simple reason for this. Hackers need people to trust them. Something seemingly innocent such as an icon, GIF, favicon, or meme is more likely to be trusted or shared with others than a suspicious attachment. It may all lead us to a conclusion reached by Mussolini, “It’s good to trust others, but not to do so is much better.”
