A new Magecart web skimmer campaign has been discovered by researchers from Akamai. This ongoing campaign aims to steal personally identifiable information (PII) and credit card details from users in North America, Latin America, and Europe. Magecart attacks specifically target e-commerce websites by injecting malicious JavaScript code into compromised sites. In this recent campaign, threat actors have taken a different approach by using legitimate websites as makeshift command and control (C2) servers to distribute malware.
To evade detection, the attackers employ several evasion techniques. They obfuscate Base64 and camouflage their attacks to resemble popular third-party services like Google Analytics or Google Tag Manager. By hijacking vulnerable legitimate sites, such as small or medium-sized retail websites, the attackers create a seemingly healthy host for their malicious code. This allows them to deliver the code to any victim they choose, without raising suspicion.
The impact of this campaign is significant, as some victim organizations receive hundreds of thousands of monthly visitors. Consequently, tens of thousands of victims may have been affected by the compromise. Disturbingly, many victims only discovered the attack more than a month after their websites were initially compromised. The attack chain begins with scanning the web for vulnerable legitimate sites and then hacking them to inject the malicious code. By using compromised websites as C2 servers, the attackers can avoid detection and increase the effectiveness of their campaign.
The researchers at Akamai identified two variations of the skimmer code used in this ongoing campaign. The first version is heavily obfuscated and explicitly targets input fields responsible for capturing PII and credit card details. The second version is less obscured, which allowed the researchers to analyze the indicators present in the code and gain insight into the campaign’s scope. Once the data is stolen, the attackers exfiltrate it through a straightforward HTTP request initiated by creating an IMG tag within the software skimmer. The stolen data is encoded as a Base64 string and appended as query parameters.
