Hackers modify online stores’ 404 pages to steal credit cards

Gandalf_The_Grey

A new Magecart card skimming campaign hijacks the 404 error pages of online retailers' websites, hiding malicious code to steal customers' credit card information.

This technique is one of the three variants observed by researchers of the Akamai Security Intelligence Group, with the other two concealing the code in the HTML image tag's 'onerror' attribute and an image binary to make it appear as the Meta Pixel code snippet.

Akamai says the campaign focuses on Magento and WooCommerce sites, with some victims linked to renowned organizations in the food and retail sectors.

Manipulating 404 pages

All websites feature 404 error pages that are displayed to visitors when accessing a webpage that does not exist, has been moved, or has a dead/broken link.

The Magecart actors leverage the default '404 Not Found' page to hide and load the malicious card-stealing code, which hasn't been seen before in previous campaigns.

"This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns," reads Akamai's report.

"The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion."

The skimmer loader either disguises itself as a Meta Pixel code snippet or hides within random inline scripts already present on the compromised checkout web page.

The loader initiates a fetch request to a relative path named 'icons,' but as this path does not exist on the website, the request results in a "404 Not Found" error.

Akamai's investigators initially assumed the skimmer was no longer active or the Magecart group had made a configuration mistake. However, upon closer inspection, they found that the loader contained a regular expression match searching for a specific string in the returned HTML of the 404 page.

Upon locating the string on the page, Akamai found a concatenated base64-encoded string concealed in a comment. Decoding that string revealed the JavaScript skimmer, which hides in all 404 pages.
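
A defender-side check for the concealment described above, added here as an example and not taken from Akamai's report or the original post: it scans an error-page body for HTML comments whose base64 runs decode to script-like text. The function names, the 24-character threshold, the `JS_HINTS` list and the sample page are assumptions constructed for illustration.

```python
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed heuristic: substrings suggesting the decoded text is JavaScript.
JS_HINTS = ("function", "document.", "window.", "=>", "eval(", "atob(")


def decode_b64(candidate):
    """Return the decoded text if candidate is base64 of printable UTF-8, else None."""
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and printable / len(text) > 0.9 else None


def scan_error_page(html):
    """Report HTML comments whose base64 runs decode to readable text."""
    findings = []
    for comment in COMMENT_RE.finditer(html):
        runs = B64_RUN_RE.findall(comment.group(1))
        # Try the runs joined first, to recover a string that was split into pieces.
        joined = decode_b64("".join(runs)) if len(runs) > 1 else None
        decoded = [joined] if joined else [decode_b64(run) for run in runs]
        for text in filter(None, decoded):
            findings.append({
                "offset": comment.start(),
                "decoded": text,
                "script_like": any(hint in text for hint in JS_HINTS),
            })
    return findings


# Constructed sample: a 404 body with a harmless function hidden in a comment.
_encoded = base64.b64encode(b'function demo(){ return "constructed sample"; }').decode()
SAMPLE_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    "<!-- cache-marker " + _encoded[:32] + "\n" + _encoded[32:] + " -->\n"
    "<!-- served by storefront theme -->\n</body></html>"
)

if __name__ == "__main__":
    for finding in scan_error_page(SAMPLE_404):
        print(finding)
```

Run it against the body your own store returns for a path that does not exist, and compare the result with a known-good copy of the 404 template.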
 
