This summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico) to hide JavaScript credit card stealers on compromised e-commerce sites.
In a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript skimmers.
Just something I’ve noticed more recently with digital skimmers/#magecart. Obfuscated code that has a weird google-analytics[.]com URL in it, which is the proper Google controlled domain.
Continue reading CSS-JS Steganography in Fake Flash Player Update Malware at Sucuri Blog.