Magecart Card Skimming Campaign Targets 404 Error Pages

by Damien Fisher, from Techreport

In a concerning development, a new Magecart card skimming campaign has emerged, posing a significant threat to online retailers and their customers. This campaign employs innovative techniques to hide malicious code and steal sensitive credit card information.

Akamai Security Intelligence Group researchers have identified three distinct variants of this campaign, one of which takes a particularly novel approach: manipulating the 404 error pages of targeted websites.

This technique is aimed primarily at Magento and WooCommerce sites and has already impacted several well-known organizations.

Innovative Concealment Technique on 404 Error Pages

Magecart actors are notorious for their ability to adapt and evolve their tactics. In this latest campaign, they have leveraged 404 error pages, a feature present on all websites, to hide and execute their malicious card-stealing code.

What sets this technique apart is its unprecedented use of the default "404 Not Found" page. Akamai's report states, "This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns. Manipulating a targeted website's default 404 error page can offer Magecart actors various creative options for improved hiding and evasion."

Notably, the skimmer loader, responsible for injecting the malicious code, employs a dual strategy. It disguises itself as a Meta Pixel code snippet or conceals itself within existing inline scripts on the compromised web page. This loader initiates a fetch request to a relative path named "icons". This path does not exist on the website, resulting in a "404 Not Found" error.

Initially, Akamai investigators assumed that the skimmer might be inactive or that the Magecart group had made a configuration mistake. However, upon closer examination, they discovered that the loader was actively seeking a specific string within the HTML of the 404 page.

Once this string was located, a base64-encoded JavaScript skimmer was uncovered, hidden within a comment. This skimmer was found to be present on all 404 pages of the compromised website.
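The skimmer described above sat base64-encoded inside an HTML comment on the site's 404 page. As an added example (not from Akamai's report or the original article), this Python check scans an error-page body for that pattern, generalized to any HTML comment rather than one marker string; the 80-character threshold, the script-hint tokens and both sample pages are assumptions constructed for illustration.

```python
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumed threshold: base64 runs shorter than 80 characters are ignored.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# Assumed heuristic tokens that suggest decoded text is script.
JS_HINTS = ("function", "document.", "window.", "eval(", "atob(", "=>")


def decode_b64(run):
    """Return the decoded text, or None if the run is not base64-encoded text."""
    body = run.rstrip("=")
    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_error_page(html):
    """List base64 runs inside HTML comments that decode to script-like text."""
    findings = []
    for comment in COMMENT_RE.findall(html):
        for run in B64_RUN_RE.findall(comment):
            text = decode_b64(run)
            if text is None:
                continue
            hints = [h for h in JS_HINTS if h in text]
            if hints:
                findings.append({"encoded_len": len(run), "hints": hints})
    return findings


# Constructed, harmless stand-in for an encoded script; not the campaign's code.
_PLACEHOLDER_JS = "function placeholder(){ return document.title; } " * 3
_BLOB = base64.b64encode(_PLACEHOLDER_JS.encode()).decode()

# Constructed sample 404 bodies: one untouched, one with an encoded comment.
CLEAN_404 = "<html><body><!-- theme: default 404 template --><h1>Not Found</h1></body></html>"
TAMPERED_404 = "<html><body><!-- cache-marker " + _BLOB + " --><h1>Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        print(name, scan_error_page(page))
```

In practice the input would be the body your own site returns for a path that does not exist, compared against the error template you deployed.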

Stealing Data Discreetly

The Magecart skimmer code adopts a deceptive approach by displaying a fake payment form to website visitors. Unsuspecting users are prompted to enter sensitive information such as their credit card number, expiration date, and security code.

Once this data is submitted on the fraudulent form, victims are presented with a fake "session timeout" error. Behind the scenes, all the entered information is base64-encoded and transmitted to the attacker via an image request URL.

This technique obfuscates the data exfiltration process, making it appear as a harmless image fetch event. However, upon decoding the base64 string, the attacker gains access to personal and credit card information. This ends up putting victims at risk of fraud and identity theft.

This case involving the manipulation of 404 error pages underscores the ever-evolving tactics and adaptability of Magecart actors. They continually raise the bar, making it increasingly challenging for webmasters to detect and remove their malicious code from compromised websites.

This highlights the need for enhanced security measures and emphasizes the importance of ongoing vigilance and proactive cybersecurity efforts to safeguard customer data and online transactions.

The post Magecart Card Skimming Campaign Targets 404 Error Pages appeared first on The Tech Report.
