Magecart Card Skimmers Strike Again

Almost yearly, a major card skimming attack occurs that deserves media attention. Often simply referred to as Magecart attacks, they center on modifying JavaScript code on the end-user side to steal the card data entered by the unsuspecting victim.

To carry out this primary function, hackers have developed several techniques. According to newly published research by Akamai, threat actors are now hijacking the 404 error pages of online retailers' websites and hiding malicious code in them to steal customers' credit card information.

According to Akamai, the campaign has been seen targeting both Magecart and WooCommerce websites. Some victims of the campaign currently include large organizations in the food and retail industries.

The campaign attracted the attention of security researchers due to the new concealment technique employed by the threat actors.

Magecart attacks typically begin by exploiting the vulnerabilities in the targeted websites or by infecting the third-party services that these websites are using.

However, in this instance, researchers noted that attacks were carried out by directly exploiting websites and injecting malicious code onto victim websites.

Similar to other Magecart attacks, the attack chain consists of three parts, which security researchers described as follows:

  • Loader — Short, obscure JavaScript code snippets responsible for loading the complete malicious code of the attack
  • Malicious attack code — The primary JavaScript code that executes the attack; it detects sensitive inputs, reads the data, disrupts the checkout process, and injects fake forms
  • Data exfiltration — The method used to transmit the stolen data to the attacker's command and control (C2) server

Researchers noted that the attack is split into three separate components to conceal it better, making it harder to detect.

Researchers went on to state,

This allows for the activation of the full flow of the attack only on the specifically targeted pages; that is, because of the obfuscation measures used by the attacker, the activation of the full attack flow can only occur where the attacker intended for it to execute. This makes the attack more discreet and more difficult to detect by security services and external scanning tools that might be in place on the targeted website. Although most Magecart campaigns share similarities in terms of their flow and stages, what sets one campaign apart from another are the various concealment techniques that attackers employ. These techniques are used to obscure the attack’s infrastructure; conceal traces; complicate detection and reverse engineering; and, ultimately, prolong the attack.

404 Not Found

There are currently three versions of the campaign at the time of writing. The first and second variations differ only slightly, and the difference results from the loader used in the attacks.

The third variation was particularly interesting to researchers, as the attackers used the website's default 404 error page to hide their malicious code. This rather creative concealment method appears to be a world-first.

In the third variation of the attack, threat actors will disguise the loader as a Meta Pixel, an analytics tool used by Meta.

A Meta Pixel snippet is a common enough occurrence on most e-commerce websites, so a loader disguised as one does not look out of place. In other instances, the loader is simply injected within random inline scripts on the page.

Once executed, the loader sends a fetch request to a path that doesn't exist, /icons. Naturally, the request results in a 404 error being served to the victim.

This was incredibly odd, leading researchers to ask if the skimmer was no longer active, and it almost demanded further investigation.

Commenting on this odd occurrence, researchers stated,

We took a step back and reanalyzed the loader, and we found the missing piece of the puzzle. The loader contained a regex match for the string "COOKIE_ANNOT", which was supposed to be performed on the 404 error page returned as part of the icons request.


So, we searched for this string within the returned 404 HTML, and voilà! We discovered a comment hidden toward the end of the page that contained the "COOKIE_ANNOT" string (Figure 14). Next to this string, a long Base64-encoded string was concatenated. This encoded string represents the entire obfuscated JavaScript attack code. The loader extracts this string from the comment, decodes it, and executes the attack, which is designed to steal the personal information entered by users.

Subsequent tests showed that the threat actor successfully altered the default error page for the targeted website and concealed malicious code inside.
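A defender-side check for the concealment described above, added here as an example (it is not Akamai's or PCrisk's code): it scans an error page's HTML comments for long Base64 runs that decode to script-like text. The length threshold, the hint tokens and both sample pages are assumptions constructed for illustration, and the embedded blob is a benign stand-in.

```python
import base64
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # length threshold: assumption
JS_HINTS = ("function", "document.", "window.", "eval(", "atob(")  # heuristic: assumption


def _decode_aligned(run):
    """Decode a Base64 run at each of its four alignments (a marker glued to
    the blob can shift it) and keep only mostly-printable results."""
    out = []
    for skip in range(4):
        core = run[skip:].rstrip("=")
        core = core[: len(core) - len(core) % 4]  # drop the ragged tail
        raw = base64.b64decode(core, validate=True)
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        if raw and printable / len(raw) >= 0.9:
            out.append(raw.decode("latin-1"))
    return out


def scan_error_page(html):
    """Flag HTML comments holding a Base64 blob that decodes to script-like text."""
    findings = []
    for comment in COMMENT_RE.finditer(html):
        body = comment.group(1)
        for run in B64_RUN_RE.finditer(body):
            for text in _decode_aligned(run.group(0)):
                hints = [h for h in JS_HINTS if h in text]
                if hints:
                    findings.append({"offset": comment.start(), "hints": hints,
                                     "comment_start": body.strip()[:20],
                                     "blob_len": len(run.group(0))})
                    break
    return findings


# Constructed sample pages; the encoded script is a benign stand-in, not skimmer code
_DEMO_JS = b"function placeholder(){ var t = document.title; /* constructed benign stand-in */ return t.length; }"
TAMPERED_404 = ("<html><body><h1>404 Not Found</h1></body>\n<!-- COOKIE_ANNOT"
                + base64.b64encode(_DEMO_JS).decode() + " -->\n</html>")
CLEAN_404 = "<html><body><h1>404 Not Found</h1><!-- theme v2 --></body></html>"

if __name__ == "__main__":
    for name, page in (("tampered", TAMPERED_404), ("clean", CLEAN_404)):
        print(name, scan_error_page(page))
```

Run it against the body actually served for a nonexistent path, and compare that body with the platform's stock error template, since the comment only appears in the response the loader requests.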

The malicious code then serves a fake form that captures the victim's bank card details. When the form is submitted, the captured data is encrypted and sent to the threat actor's command-and-control server, where the attackers can use it as they please.

Researchers concluded that this never-before-seen concealment technique, namely hiding the malicious code in a 404 error page, shows how Magecart attacks continue to evolve. With increased sophistication, they become harder to detect and mitigate.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
