New Magecart Attack Uses 404 Errors to Steal Your Card Data

Be cautious of scammers employing a new and convincing trick to steal your payment card data through a Magecart attack.

A Magecart attack is a type of digital credit card skimming attack where malicious code is injected into e-commerce websites to steal payment card information from unsuspecting customers during online transactions.

KEY FINDINGS

  • Akamai has discovered a new Magecart campaign in which scammers manipulate the default 404 error messages to inject malicious code.
  • The malicious code is injected as bogus Meta Pixel code or an inline script.
  • The skimmer overlays a fake checkout form that looks exactly like the one a genuine e-commerce site would generate, in order to capture shoppers’ financial data.
  • The data is exfiltrated as a Base64-encoded string.
  • Magento and WooCommerce websites are the key targets in this campaign.
  • Large organizations in the retail and food sectors are prominent targets.

Akamai Security Intelligence Group’s researchers have noticed a much more sophisticated and creative wave of Magecart attacks in a newly detected digital skimming campaign. The unique aspect of this campaign is that scammers are exploiting the 404 errors generated by websites to steal sensitive financial data.

In the blog post published Monday, Akamai security researcher Roman Lvovsky wrote that the malicious code is injected into the 404 error pages of compromised websites, mainly Magento and WooCommerce sites. The websites were exploited directly, and the malicious code snippet was added to one of their “first-party resources.”

In this campaign, the recurring targets are large organizations from the retail and food sectors. The attack is split into three parts, which makes it harder for researchers and scanning tools to detect; at the same time, the split allows the full attack chain to run only on the targeted pages.

Lvovsky explained that Magecart attacks involve exploiting vulnerabilities in targeted websites, or in third-party services used by those websites, to deploy skimming malware on their payment pages. Once the loader executes, the malware sends a fetch request to a relative path “/icons” that doesn’t exist, so the request returns a 404 Not Found error.

“Upon analysis of the HTML returned in the response, it seemed like the default 404 page of the website. This was confusing and made us wonder if the skimmer was no longer active on the victim websites we found.”

Roman Lvovsky – Akamai


Further probing revealed that the loader runs a regex match for the string COOKIE_ANNOT against the HTML of the 404 error page; next to that string sat a lengthy Base64-encoded string containing the obfuscated JavaScript attack code.

The loader extracts the string from the comment, decodes it, and then executes the attack. When the JavaScript skimmer activates, a fake checkout form is displayed and visitors are prompted to enter sensitive data, including the credit card number, expiration date, and security code. A fake Session Timeout error follows, while the exfiltrated data is sent to a remote server through an image request URL, so that the exfiltration looks like an ordinary image fetch to network traffic monitoring services.

When the researchers sent further requests to that path, all of them returned the same error page containing the malicious code. This confirmed that the attackers had been able to modify the website’s default error page and inject the malicious code into it.
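As an added, defender-side illustration (not code from Akamai’s report or from this article): a small Python scanner that applies the same COOKIE_ANNOT-plus-Base64 pattern the loader relies on, but to flag a 404 page that has been tampered with. The sample page, the marker regex, the decoded payload and the indicator list are constructed assumptions for the example, not values taken from the campaign.

```python
import base64
import re

# Constructed stand-in for a skimmer payload (assumption, not the real code):
# enough to show what a decoded blob might contain.
PAYLOAD_JS = "fetch('/icons').then(r=>r.text()).then(t=>{/* skimmer */});"

# Constructed sample 404 body: a default "Not Found" page with an attacker-
# appended HTML comment carrying the COOKIE_ANNOT marker and a Base64 blob.
SAMPLE_404 = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    "<!-- COOKIE_ANNOT " + base64.b64encode(PAYLOAD_JS.encode()).decode() + " -->"
    "</body></html>"
)

# Constructed clean page for comparison.
CLEAN_404 = "<html><body><h1>Not Found</h1></body></html>"

# Marker followed by a run of Base64 characters (assumed shape of the comment).
MARKER_RE = re.compile(r"COOKIE_ANNOT\s*([A-Za-z0-9+/=]{16,})")

# Substrings that, in a blob hidden on an error page, deserve a closer look
# (assumed indicator list; tune it to your environment).
INDICATORS = ("fetch(", "btoa(", "new image(", "onerror", "cvv", "card", "/icons")


def decode_marker_payload(html: str):
    """Return the decoded text after COOKIE_ANNOT, or None if absent/invalid."""
    m = MARKER_RE.search(html)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_error_page(html: str) -> dict:
    """Report whether a 404 page carries the marker and what the blob contains."""
    payload = decode_marker_payload(html)
    hits = [] if payload is None else [i for i in INDICATORS if i in payload.lower()]
    return {"marker_found": payload is not None, "payload": payload, "indicators": hits}


if __name__ == "__main__":
    for name, page in (("tampered", SAMPLE_404), ("clean", CLEAN_404)):
        print(name, scan_error_page(page))
```

Run it against the HTML your own site returns for a request to a non-existent path; a clean default error page should report no marker at all.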

Akamai detected two more variants of this attack. One hides the malicious code in a malformed HTML image tag with an onerror attribute. The other hides the code in an inline script disguised as Meta Pixel code, the popular Facebook visitor activity tracking service.

A Magecart attack involves adding malicious code to e-commerce websites to steal users’ personal and financial data. End-users must remain vigilant when entering data on websites. Site operators should keep website plugins and software up to date and filter out malicious traffic with a web application firewall. Lastly, implement a CSP (Content Security Policy) to restrict the types of scripts the website can execute.
