Magecart Web Skimmer Hides in 404 Error Pages

A newly identified Magecart web skimming campaign is tampering with ‘404’ error pages to hide malicious code.

A recent Magecart web skimming campaign is using three concealment techniques, one of which hides the malicious code in the targeted website’s ‘404’ error page, Akamai’s security researchers warn.

Active since at least 2015, the Magecart hackers are known for placing digital skimmers on compromised websites, to steal visitors’ credit card and personal information.

Following a series of high-profile incidents in 2018, the number of attacks attributed to the skimmers has increased, and numerous hacking groups started operating under the Magecart umbrella.

Over the past several weeks, Akamai reports, one of the Magecart groups has been operating a sophisticated and covert campaign targeting numerous websites, including those of large organizations in the food and retail sectors, using various techniques to prevent detection.

Overall, the campaign follows a typical Magecart pattern, starting with the exploitation of vulnerabilities in the target websites or their service providers to inject malicious code snippets responsible for loading JavaScript code designed to steal users’ information, and then send the data to the attackers.

Akamai’s analysis of the attack, however, uncovered three variations of the campaign, two of which were mostly similar, except for some loader modifications, and one in which the attackers modified the victim websites’ default 404 error pages to hide their malicious code.

The first variation, Akamai explains, relied on a malformed HTML image tag with an empty src attribute to bypass network scanners and trigger the code’s execution within the context of the page. The code creates a WebSocket channel for covert communication with the command-and-control (C&C) server.

The second campaign variation uses a code snippet closely resembling the Meta Pixel code, to make it appear legitimate. The code fetches a PNG image from a remote location, then extracts and executes a loader like the one present in the previous variation.


The third variation also used a similar loader, sometimes masquerading as Meta Pixel code, but it sent a fetch request for a relative path that did not exist, leading to the website’s “404 Not Found” error page.

On this page, the attackers hid a string representing the entire obfuscated JavaScript attack code, designed to steal visitors’ information.

“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code. These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it,” Akamai notes.
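The check Akamai describes can be turned into a routine audit of a site's own error page. The following is an added example, not code from Akamai or from the original article: it scans a 404 response body for HTML comments holding long, high-entropy encoded strings and compares the body with a known-good hash. The length and entropy thresholds, the function names and the sample pages are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Unbroken run of base64/hex-alphabet characters; the 200-character floor is an assumed threshold.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{200,}")


def shannon_entropy(text):
    """Bits per character; encoded or obfuscated data scores far above padding or prose."""
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in Counter(text).values())


def suspicious_comments(html, min_entropy=4.0):
    """Return one finding per long, high-entropy blob found inside an HTML comment."""
    findings = []
    for comment in COMMENT_RE.finditer(html):
        for blob in BLOB_RE.finditer(comment.group(1)):
            entropy = shannon_entropy(blob.group(0))
            if entropy >= min_entropy:  # assumed cut-off; tune against your own pages
                findings.append({"comment_offset": comment.start(),
                                 "blob_length": len(blob.group(0)),
                                 "entropy": round(entropy, 2)})
    return findings


def audit_error_page(body, baseline_sha256):
    """Compare a fetched 404 body with the known-good hash and scan its comments."""
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return {"matches_baseline": digest == baseline_sha256,
            "findings": suspicious_comments(body)}


# Constructed sample data: a clean error page and a copy with an encoded blob in a comment.
CLEAN_404 = "<html><body><!-- default error template --><h1>404 Not Found</h1></body></html>"
CONSTRUCTED_BLOB = base64.b64encode(bytes(range(256))).decode("ascii")  # harmless test bytes
TAMPERED_404 = CLEAN_404.replace("</body>", "<!--" + CONSTRUCTED_BLOB + "--></body>")
BASELINE = hashlib.sha256(CLEAN_404.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        print(name, audit_error_page(body, BASELINE))
```

In practice the body would come from requesting several nonexistent paths on your own site, as in Akamai's test, and the baseline hash from the error template in source control.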

This campaign variation also used a different data exfiltration technique, relying on a fake form overlaid on top of the original payment form.

“When the user submits data into the attacker’s fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details,” Akamai explains.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
