Magecart Card Skimming Campaign Evolves: Concealing Malicious Code in 404 Error Pages to Steal Credit Card Information
October 18, 2023
In a recent Magecart card skimming campaign, attackers are using a novel technique: hijacking the 404 error pages of online retailers’ websites to conceal malicious code that steals customers’ credit card information, according to a Bleeping Computer article. This method, one of three observed by Akamai Security Intelligence Group researchers, manipulates the default ‘404 Not Found’ pages to hide and load the card-stealing code, a departure from previous Magecart campaigns.
The campaign specifically targets Magento and WooCommerce sites, with victims including well-known organizations in the food and retail sectors. The attackers employ a skimmer loader disguised as a Meta Pixel code snippet or embedded within random inline scripts on compromised checkout pages.
The skimmer code presents a fake form for visitors to input sensitive details, such as credit card numbers, expiration dates, and security codes. Subsequently, a fake “session timeout” error is displayed, while behind the scenes, the information is base64-encoded and sent to the attacker through an image request URL.
This manipulation of 404 pages showcases the adaptability and evolving tactics of Magecart actors, making it increasingly challenging for webmasters to detect and sanitize compromised websites. The approach also allows the attackers to evade detection by network traffic monitoring tools, as the data exfiltration request appears benign, resembling a typical image fetch event.
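A detection check for the exfiltration pattern described above, added here as an example and not taken from the Akamai or Bleeping Computer write-ups: it scans outbound request URLs (for instance from proxy or CSP report logs) for image fetches with a base64 value that decodes to a Luhn-valid card number. It assumes the encoded data travels in a query-string parameter; the function names, hostnames and sample URLs are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".ico")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # card-number-length digit runs

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def try_b64(value):
    """Decode standard or URL-safe base64; return text, or None if not base64."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", value):
        return None
    body = value.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "ignore")

def suspicious_image_requests(urls):
    """Return (url, parameter) pairs where an image fetch carries an encoded PAN."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        if not parts.path.lower().endswith(IMAGE_EXT):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl turns '+' into a space; restore it before decoding.
            text = try_b64(value.replace(" ", "+"))
            if text and any(luhn_ok(m) for m in PAN_RE.findall(text)):
                hits.append((url, name))
    return hits

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample URLs; 4111111111111111 is a well-known test card number.
SAMPLE_URLS = [
    "https://shop.example/media/logo.png?v=20231018",
    "https://cdn.example/pixel.gif?id=" + b64("session-token-0123456789abcdef"),
    "https://collector.example/img/t.gif?d=" + b64("4111111111111111|12/27|123"),
]

if __name__ == "__main__":
    for url, param in suspicious_image_requests(SAMPLE_URLS):
        print(f"ALERT param={param} url={url}")
```

Only the third sample URL is flagged. The check only catches card data that is base64-encoded without further obfuscation, so it complements an allow-list of image hosts on checkout pages and does not replace one.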