A new Magecart card skimming campaign hijacks the 404 error pages of online retailer's websites, hiding malicious code to steal customers' credit card information.
This technique is one of the three variants observed by researchers of the Akamai Security Intelligence Group, with the other two concealing the code in the HTML image tag's 'onerror' attribute and an image binary to make it appear as the Meta Pixel code snippet.
Akamai says the campaign focuses on Magento and WooCommerce sites, with some victims linked to renowned organizations in the food and retail sectors.
Manipulating 404 pages
All websites feature 404 error pages that are displayed to visitors when accessing a webpage that does not exist, has been moved, or has a dead/broken link.
The Magecart actors leverage the default '404 Not Found' page to hide and load the malicious card-stealing code, which hasn't been seen before in previous campaigns.
"This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns," reads
Akamai's report.
"The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion."
The skimmer loader either disguises itself as a Meta Pixel code snippet or hides within random inline scripts already present on the compromised checkout web page.
The loader initiates a fetch request to a relative path named 'icons,' but as this path does not exist on the website, the request results in a "404 Not Found" error.
Akamai's investigators initially assumed the skimmer was no longer active or the Magecart group had made a configuration mistake. However, upon closer inspection, they found that the loader contained a regular expression match searching for a specific string in the returned HTML of the 404 page.
Upon locating the string on the page, Akamai found a concatenated base64-encoded string concealed in a comment. Decoding that string revealed the JavaScript skimmer, which hides in all 404 pages.
