A new Magecart card skimming campaign has been discovered, employing a unique method to steal credit card information from online retailers. This campaign targets Magento and WooCommerce sites, affecting some prominent players in the food and retail sectors.
Furthermore, the attackers utilize a novel technique by hijacking the 404 error pages of these websites to hide and execute their malicious code. This approach, not seen in previous Magecart campaigns, poses a significant challenge to webmasters and website security.
The Magecart actors make use of the default ‘404 Not Found’ error page to conceal and load their card-stealing code, making it difficult to detect. Akamai Security Intelligence Group, the researchers behind the discovery, consider this concealment technique highly innovative and unprecedented in Magecart campaigns. The attackers employ a skimmer loader that disguises itself as a Meta Pixel code snippet or hides within existing inline scripts on compromised checkout pages.
To execute their attack, the loader initiates a fetch request to a relative path named ‘icons,’ generating a “404 Not Found” error since the path doesn’t exist on the website. Upon closer examination, Akamai investigators discovered that the loader used regular expressions to search for a specific string in the HTML of the 404 page. This string led them to a concatenated base64-encoded string hidden in a comment, revealing the JavaScript skimmer present on all 404 pages.
The skimmer code creates a fake form for website visitors to enter sensitive information like credit card numbers, expiration dates, and security codes. After inputting this data, victims receive a fake “session timeout” error. The skimmer then encodes and sends all the stolen information to the attacker via an image request URL, effectively evading detection by appearing as a benign image fetch event.
This campaign underscores the evolving tactics of Magecart actors, making it increasingly challenging to detect and remove their malicious code from compromised websites.
