Magecart Card Skimmers Strike Again
Written by Karolis Liucveikis on
Almost yearly, a major card skimming attack occurs that deserves media attention. Often simply referred to as Magecart attacks, central to these attacks is modifying JavaScript code on the end user side to steal the card data entered by the unsuspecting victim.
To carry out this primary function, hackers have developed several techniques. According to newly published research by Akamai, threat actors are now hijacking the 404 error pages of online retailers' websites and hiding malicious code there to steal customers' credit card information.
According to Akamai, the campaign has been seen targeting both Magecart and WooCommerce websites. Some victims of the campaign currently include large organizations in the food and retail industries.
The campaign attracted the attention of security researchers due to the new concealment technique employed by the threat actors.
Magecart attacks typically begin by exploiting the vulnerabilities in the targeted websites or by infecting the third-party services that these websites are using.
However, in this instance, researchers noted that attacks were carried out by directly exploiting websites and injecting malicious code onto victim websites.
Similar to other Magecart attacks, the attack chain consists of three parts, which security researchers described as follows:
- Loader — Short, obscure JavaScript code snippets responsible for loading the complete malicious code of the attack
- Malicious attack code — The primary JavaScript code that executes the attack; it detects sensitive inputs, reads the data, disrupts the checkout process, and injects fake forms
- Data exfiltration — The method used to transmit the stolen data to the attacker's command and control (C2) server
Researchers noted that splitting the attack into three separate components serves to conceal it better, making it harder to detect.
Researchers went on to state,
This allows for the activation of the full flow of the attack only on the specifically targeted pages; that is, because of the obfuscation measures used by the attacker, the activation of the full attack flow can only occur where the attacker intended for it to execute. This makes the attack more discreet and more difficult to detect by security services and external scanning tools that might be in place on the targeted website. Although most Magecart campaigns share similarities in terms of their flow and stages, what sets one campaign apart from another are the various concealment techniques that attackers employ. These techniques are used to obscure the attack’s infrastructure; conceal traces; complicate detection and reverse engineering; and, ultimately, prolong the attack.
404 Not Found
At the time of writing, there are three versions of the campaign. The first and second variations differ only slightly, and the difference lies in the loader used in the attacks.
The third variation was particularly interesting to researchers, as the attackers used the website's default 404 error page to hide their malicious code. This rather creative concealment method appears to be a world-first.
In the third variation of the attack, threat actors disguise the loader as a Meta Pixel, an analytics tool provided by Meta.
Threat actors disguising a loader as a Meta Pixel is a common enough occurrence on e-commerce websites. In other instances, the loader is simply injected within random inline scripts on the page.
Once the loader executes, it runs code that sends a fetch request for a file that doesn't exist, /icons. Naturally, the request results in a 404 error being returned to the victim's browser.
This was odd enough to make researchers ask whether the skimmer was still active at all, and it demanded further investigation.
Commenting on this odd occurrence, researchers stated,
We took a step back and reanalyzed the loader, and we found the missing piece of the puzzle. The loader contained a regex match for the string "COOKIE_ANNOT", which was supposed to be performed on the 404 error page returned as part of the icons request.
And,
So, we searched for this string within the returned 404 HTML, and voilà! We discovered a comment hidden toward the end of the page that contained the "COOKIE_ANNOT" string (Figure 14). Next to this string, a long Base64-encoded string was concatenated. This encoded string represents the entire obfuscated JavaScript attack code. The loader extracts this string from the comment, decodes it, and executes the attack, which is designed to steal the personal information entered by users.
Subsequent tests showed that the threat actor successfully altered the default error page for the targeted website and concealed malicious code inside.
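As an added illustration (not code from the article or from the Akamai research), the Python scanner below applies two defender-side checks to a site's 404 page: it compares the page against a stored baseline fingerprint to catch a silently altered error template, and it looks inside HTML comments for long Base64 runs, decodes them and flags any that decode to JavaScript-like text. Because the page describes the "COOKIE_ANNOT" marker concatenated directly to the encoded blob, the decoder skips a few leading characters until the run decodes cleanly. The 404 HTML, the marker placement, the placeholder script and the "served by example-cdn" comment are all constructed for this example.

```python
"""Scan an HTTP error page for encoded payloads hidden in HTML comments.

Added illustration for the 404-page concealment described above. The
sample 404 page, the marker placement and the decoded placeholder script
are constructed for this example; nothing here is the skimmer itself.
"""
import base64
import binascii
import hashlib
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A long run of base64 alphabet characters; a marker glued to the front of
# the payload (as with "COOKIE_ANNOT") ends up inside the same run.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
JS_HINTS = ("function", "document", "fetch", "eval", "atob", "window")


def _printable_ratio(text):
    ok = sum(1 for ch in text if 0x20 <= ord(ch) <= 0x7E or ch in "\r\n\t")
    return ok / len(text) if text else 0.0


def best_decode(run, max_skip=16):
    """Try to decode `run` as base64, skipping up to `max_skip` leading
    characters so a non-base64 marker glued to the payload does not hide it.
    Returns (skipped, decoded_text) for the cleanest decode, or None."""
    best = None
    for skip in range(0, min(max_skip, len(run)) + 1):
        try:
            raw = base64.b64decode(run[skip:], validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        ratio = _printable_ratio(text)
        if best is None or ratio > best[0]:
            best = (ratio, skip, text)
    if best is None or best[0] < 0.95:
        return None
    return best[1], best[2]


def find_hidden_payloads(html):
    """Return one finding per long encoded run found inside an HTML comment."""
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1)
        for run in B64_RUN_RE.findall(body):
            decoded = best_decode(run)
            text = decoded[1] if decoded else ""
            hints = [h for h in JS_HINTS if h in text]
            findings.append({
                "offset": m.start(),
                "marker": body.strip()[:12],
                "encoded_length": len(run),
                "skipped_prefix": decoded[0] if decoded else None,
                "decoded_preview": text[:60],
                "js_hints": hints,
                "suspicious": bool(hints),
            })
    return findings


def page_fingerprint(html):
    """SHA-256 of the error page; compare against a stored baseline so a
    silently altered 404 template shows up even without decoding anything."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# --- constructed sample input (not taken from any real site) -------------
PLACEHOLDER_JS = 'function run(){var d=document;fetch("/example-placeholder");}'
ENCODED = base64.b64encode(PLACEHOLDER_JS.encode()).decode()

CLEAN_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    "<!-- served by example-cdn --></body></html>\n"
)
# Same template with a comment near the end that glues the "COOKIE_ANNOT"
# marker directly to a Base64 blob, as the research describes.
TAMPERED_404 = CLEAN_404.replace(
    "</body>", "<!-- COOKIE_ANNOT" + ENCODED + " --></body>"
)


def scan(html, baseline_fingerprint=None):
    """Combine both checks: template drift and hidden encoded payloads."""
    return {
        "fingerprint_changed": (
            baseline_fingerprint is not None
            and page_fingerprint(html) != baseline_fingerprint
        ),
        "payloads": find_hidden_payloads(html),
    }


if __name__ == "__main__":
    baseline = page_fingerprint(CLEAN_404)
    for name, page in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        result = scan(page, baseline)
        flagged = [f for f in result["payloads"] if f["suspicious"]]
        print(f"{name}: drift={result['fingerprint_changed']} suspicious={len(flagged)}")
        for f in flagged:
            print("  ", f["marker"], f["skipped_prefix"], f["js_hints"], f["decoded_preview"])
```

Run against a live site, the baseline would be the fingerprint of the 404 page captured at deployment time, and the comment scan would be repeated on every deploy and on a schedule; the fingerprint check is cheap and catches any alteration, while the comment scan explains what was added.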
The malicious code then serves a fake form that captures the victim's bank card details. When the form is submitted, the captured data is encrypted and sent to the threat actor's command-and-control server to do what they please.
Researchers concluded that this never-before-seen concealment technique, hiding malicious code in a website's 404 error page, shows how Magecart attacks continue to evolve. With increased sophistication, they become harder to detect and mitigate.