A recent Magecart web skimming campaign is using three concealment techniques, including by hiding the malicious code in the targeted website’s ‘404’ error page, Akamai’s security researchers warn.
Active since at least 2015, the Magecart hackers are known for placing digital skimmers on compromised websites, to steal visitors’ credit card and personal information.
Following a series of high-profile incidents in 2018, the number of attacks attributed to the skimmers has increased, and numerous hacking groups started operating under the Magecart umbrella.
Over the past several weeks, Akamai reports, one of the Magecart groups has been operating a sophisticated and covert campaign targeting numerous websites, including those of large organizations in the food and retail sectors, using various techniques to prevent detection.
Overall, the campaign follows a typical Magecart pattern, starting with the exploitation of vulnerabilities in the target websites or their service providers to inject malicious code snippets responsible for loading JavaScript code designed to steal users’ information, and then send the data to the attackers.
Akamai’s analysis of the attack, however, uncovered three variations of the campaign, two of which were mostly similar, except for some loader modifications, and one in which the attackers modified the victim websites’ default 404 error pages to hide their malicious code.
The first variation, Akamai explains, relied on a malformed HTML image tag with an empty src attribute to bypass network scanners and trigger the code’s execution within the context of the page. The code creates a WebSocket channel for covert communication with the command-and-control (C&C) server.
The second campaign variation uses a code snippet closely resembling the Meta Pixel code, to make it appear legitimate. The code would fetch a PNG image from a remote location, which then extracted and executed a loader like the one present in the previous variation.
The third variation used a similar loader too, sometimes masquerading as Meta Pixel code, but which sent a fetch request for a relative path that did not exist, leading to the “404 Not Found” error page of the website.
On this page, the attackers hid a string representing the entire obfuscated JavaScript attack code, designed to steal visitors’ information.
“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code. These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it,” Akamai notes.
Additionally, this campaign variation also used a different data exfiltration technique, relying on a fake form overlaid on top of the original payment form.
“When the user submits data into the attacker’s fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details,” Akamai explains.
Related: See Tickets Alerts 300,000 Customers After Another Web Skimmer Attack
Related: Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers