To carry out this primary function, hackers have developed several techniques. According to newly published research by Akamai, threat actors are now hijacking the 404 error pages of online retailers' websites, hiding malicious code there to steal customers' credit card information.
According to Akamai, the campaign has been seen targeting both Magecart and WooCommerce websites. Some victims of the campaign currently include large organizations in the food and retail industries.
The campaign attracted the attention of security researchers due to the new concealment technique employed by the threat actors.
Magecart attacks typically begin by exploiting the vulnerabilities in the targeted websites or by infecting the third-party services that these websites are using.
In this instance, however, researchers noted that the attackers exploited the victim websites directly and injected the malicious code onto them.
Similar to other Magecart attacks, the attack chain consists of three parts, which security researchers describe as follows:
- Data exfiltration — The method used to transmit the stolen data to the attacker's command and control (C2) server
Researchers noted that splitting the attack into three separate components is intended to conceal it better, making it harder to detect.
Researchers went on to state,
This allows for the activation of the full flow of the attack only on the specifically targeted pages; that is, because of the obfuscation measures used by the attacker, the activation of the full attack flow can only occur where the attacker intended for it to execute. This makes the attack more discreet and more difficult to detect by security services and external scanning tools that might be in place on the targeted website. Although most Magecart campaigns share similarities in terms of their flow and stages, what sets one campaign apart from another are the various concealment techniques that attackers employ. These techniques are used to obscure the attack’s infrastructure; conceal traces; complicate detection and reverse engineering; and, ultimately, prolong the attack.
404 Not Found
There are currently three versions of the campaign at the time of writing. The first and second variations differ only slightly, and the difference results from the loader used in the attacks.
The third variation was particularly interesting to researchers, as the attackers used the website's default 404 error page to hide their malicious code. This rather creative concealment method appears to be a world-first.
In the third variation of the attack, the threat actors disguise the loader as a Meta Pixel, Meta's analytics and tracking snippet.
A loader disguised as a Meta Pixel blends in easily, since the genuine snippet is a common sight on most e-commerce websites. In other instances, the loader is simply injected into random inline scripts on the page.
Once the loader executes, it sends a fetch request for a path that does not exist on the site, /icons. Naturally, the request results in a 404 error page being served to the victim's browser.
This was incredibly odd, leading researchers to ask whether the skimmer was simply no longer active, and it demanded further investigation.
Commenting on this odd occurrence, researchers stated,
We took a step back and reanalyzed the loader, and we found the missing piece of the puzzle. The loader contained a regex match for the string "COOKIE_ANNOT", which was supposed to be performed on the 404 error page returned as part of the icons request.
Subsequent tests showed that the threat actor successfully altered the default error page for the targeted website and concealed malicious code inside.
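As an added example (not code from the Akamai research or the affected sites), the check below is something a site owner could run against a saved copy of their own 404 page: it looks for the COOKIE_ANNOT marker that the loader's regex matched and tries to decode whatever follows it. The page only states that the marker was matched in the 404 body, so the comment layout and the base64 encoding of the hidden content are assumptions, and the sample page is constructed.

```python
import base64
import re
from typing import Optional

# Marker string named in the Akamai write-up; the loader regex-matched it in the 404 body.
MARKER = "COOKIE_ANNOT"

# Constructed stand-in for hidden content; a real page would carry the skimmer's loader.
PLACEHOLDER_SCRIPT = "/* constructed placeholder, no real script */"

# Constructed sample 404 body. Hiding the payload in an HTML comment after the
# marker, base64-encoded, is an assumption about layout, not a detail from the page.
SAMPLE_404_BODY = (
    "<!DOCTYPE html><html><head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>\n"
    f"<!-- {MARKER} {base64.b64encode(PLACEHOLDER_SCRIPT.encode()).decode()} -->\n"
    "</body></html>"
)
CLEAN_404_BODY = "<html><body><h1>404 Not Found</h1></body></html>"


def find_hidden_payload(body: str) -> Optional[str]:
    """Return the text that follows the marker inside an HTML comment, or None."""
    pattern = r"<!--\s*" + re.escape(MARKER) + r"\s+(.*?)\s*-->"
    match = re.search(pattern, body, re.DOTALL)
    return match.group(1) if match else None


def decode_if_base64(blob: str) -> Optional[str]:
    """Decode a strict base64 blob to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def assess_error_page(body: str) -> dict:
    """Summarise whether a 404 body carries the marker and a decodable hidden blob."""
    payload = find_hidden_payload(body)
    decoded = decode_if_base64(payload) if payload else None
    return {
        "marker_present": MARKER in body,
        "hidden_payload": payload,
        "decoded_preview": decoded[:60] if decoded else None,
        "suspicious": payload is not None,
    }


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_404_BODY), ("clean", CLEAN_404_BODY)):
        print(name, assess_error_page(body))
```

A marker hit on a page the site owner never edited is the signal; the decoded preview is only there to help triage what was planted.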
The malicious code then serves a fake form that captures the victim's bank card details. When the form is submitted, the captured data is encrypted and sent to the threat actor's command-and-control server, to be used however they please.
Researchers concluded that this never-before-seen concealment technique, namely hiding the loader's payload in a 404 error page, shows how Magecart attacks continue to evolve. As the campaigns grow more sophisticated, they become harder to detect and mitigate.