A recent Magecart web skimming campaign is using three concealment techniques, one of which hides the malicious code in the targeted website’s ‘404’ error page, Akamai’s security researchers warn.
Active since at least 2015, the Magecart hackers are known for placing digital skimmers on compromised websites, to steal visitors’ credit card and personal information.
Over the past several weeks, Akamai reports, one of the Magecart groups has been operating a sophisticated and covert campaign targeting numerous websites, including those of large organizations in the food and retail sectors, using various techniques to prevent detection.
Akamai’s analysis of the attack, however, uncovered three variations of the campaign, two of which were mostly similar, except for some loader modifications, and one in which the attackers modified the victim websites’ default 404 error pages to hide their malicious code.
The first variation, Akamai explains, relied on a malformed HTML image tag with an empty src attribute to bypass network scanners and trigger the code’s execution within the context of the page. The code creates a WebSocket channel for covert communication with the command-and-control (C&C) server.
The second campaign variation uses a code snippet closely resembling the Meta Pixel code, to make it appear legitimate. The code fetches a PNG image from a remote location, from which a loader like the one in the first variation is then extracted and executed.
The third variation used a similar loader, sometimes also masquerading as Meta Pixel code, but one that sent a fetch request for a relative path that does not exist, leading to the website’s “404 Not Found” error page.
“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code. These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it,” Akamai notes.
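A site owner can repeat the check Akamai describes against their own site: request several paths that should not exist and look for HTML comments on the returned error page that carry long encoded blobs. The script below is an added example, not Akamai’s code; the sample 404 page and the `fake_fetch` stand-in for an HTTP GET are constructed so it runs offline, and the base64 heuristic and `MIN_LEN` threshold are assumptions to tune for a real site.

```python
import base64
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List

# Heuristic: a run of MIN_LEN or more base64-alphabet characters inside an
# HTML comment is unusual on a legitimate error page and deserves a look.
MIN_LEN = 100
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_LEN)

class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""
    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data)

def find_encoded_comments(html: str) -> List[dict]:
    """Return comments carrying long base64-like runs, with a decoded preview."""
    parser = CommentCollector()
    parser.feed(html)
    findings = []
    for comment in parser.comments:
        for match in B64_RUN.finditer(comment):
            blob = match.group(0)
            try:  # binascii.Error (bad padding/alphabet) is a ValueError subclass
                preview = base64.b64decode(blob, validate=True)[:60].decode("utf-8", "replace")
            except ValueError:
                preview = "<not valid base64>"
            findings.append({"length": len(blob), "preview": preview})
    return findings

def audit_404_pages(fetch: Callable[[str], str], paths: List[str]) -> Dict[str, List[dict]]:
    """Request several nonexistent paths; identical hits on every one of them
    point to a site-wide altered error page rather than a single odd URL."""
    return {path: find_encoded_comments(fetch(path)) for path in paths}

# Constructed sample (not from the report): a 404 page whose second footer
# comment carries an encoded placeholder standing in for the skimmer loader.
_PAYLOAD = b"console.log('constructed placeholder standing in for the encoded loader the report describes');"
SAMPLE_404 = ("<html><body><h1>404 Not Found</h1>\n<!-- site footer v3 -->\n<!-- "
              + base64.b64encode(_PAYLOAD).decode() + " -->\n</body></html>")
CLEAN_404 = "<html><body><h1>404 Not Found</h1><!-- site footer v3 --></body></html>"

def fake_fetch(path: str) -> str:
    """Placeholder for an HTTP GET of a nonexistent path on the site under review."""
    return SAMPLE_404
```

Calling `audit_404_pages(fake_fetch, ["/a", "/b", "/c"])` reports the same encoded comment for every probed path, which is the pattern Akamai used to conclude the default error page itself had been altered.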
This campaign variation also used a different data exfiltration technique, relying on a fake form overlaid on top of the original payment form.
“When the user submits data into the attacker’s fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details,” Akamai explains.