Pierluigi Paganini October 12, 2023

Researchers observed a new Magecart web skimming campaign changing the websites’ default 404 error page to steal credit cards.

Researchers from the Akamai Security Intelligence Group uncovered a Magecart web skimming campaign that is manipulating the website’s default 404 error page to hide malicious code.

The attacks are targeting a large number of Magento and WooCommerce websites, including large organizations in the food and retail industries.

“In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources.” reads the report published by Akamai.

“In some instances, the malicious code was inserted into the HTML pages; in other cases, it was concealed within one of the first-party scripts that was loaded as part of the website.”

The attack chain of this campaign consists of three main parts: loader, malicious attack code, and data exfiltration.

1. Loader — Short, obscure JavaScript code snippets responsible for loading the full malicious code of the attack
2. Malicious attack code — The primary JavaScript code that executes the attack; it detects sensitive inputs, reads the data, disrupts the checkout process, and injects fake forms
3. Data exfiltration — The method used to transmit the stolen data to the attacker’s command and control (C2) server

The researchers observed three variations of the attack flaw, in two of them the software skimmer injected a malformed HTML image tag with an onerror attribute into the exploited website

In the third variant, once the loader is executed, the attack sends a fetch request to /icons, which is a relative path that doesn’t actually exist. This request causes a “404 Not Found” error.

The analysis of the loader revealed the presence of a regex match for the string “COOKIE_ANNOT” in the 404 HTML.

After this string, a lengthy Base64-encoded string has been appended. This encoded string is the obfuscated JavaScript attack code. The loader retrieves this string from the comment, decodes it, and initiates the attack, stealing the personal information provided by users.

Unlike variations one and two, data exfiltration in the third variation relies on the injection of fake form that closely resembles the original payment form and overlays it.

Upon the user’s submission of data into the counterfeit form, an error message is displayed. Then the fake form is concealed, the legitimate payment form reappears, and the user is instructed to re-enter their payment information.

The stolen data are sent to the server as a Base64-encoded string in the query parameter of an image network request to the attacker’s C2 server-

“This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns. The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion.” concludes the report.

“In some of the cases we’ve identified, the malicious loader had already been removed from the affected websites’ pages at the time of writing. However, the malicious comment in the default 404 page remained, potentially allowing the skimmer to easily reactivate the attack. This highlights the complexity of detecting, and the importance of mitigating, this approach.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart web skimming campaign)