CyberSecurity SEE

Magecart Hackers Conceal Themselves within 404 Error Pages

Researchers have uncovered a new digital skimming campaign that uses 404 error pages to hide malicious code and avoid detection. The attacks primarily target Magento and WooCommerce websites, including those of large organizations in the food and retail sectors. Attacks of this type, known as Magecart attacks, typically exploit vulnerabilities in the targeted websites or in the third-party services they use in order to deploy skimming malware onto payment pages.

To evade detection, the attackers split the operation into three distinct phases: a loader, the malicious attack code, and data exfiltration. The loader runs first and issues a fetch request to a non-existent relative path, which returns a ‘404 Not Found’ error. At first glance the HTML response looks like the website's default 404 page, which made it unclear whether the skimmer was actually present on the victim websites.

However, further investigation by Akamai's researchers revealed a “regex match” in the loader for the string “COOKIE_ANNOT” in the HTML of the 404 page. Close to this string sat a long Base64-encoded string, which turned out to be obfuscated JavaScript attack code. The loader extracts and decodes this string and executes the resulting code, which is designed to steal users’ personal information.

To confirm the finding, Akamai sent additional requests to other non-existent paths; all of them returned the same 404 error page containing the encoded malicious code. This verified that the attacker had altered the default error page for the entire website and hidden the malicious code inside it.
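As an added example (not Akamai's code and not the campaign's loader), the following defender-side check runs over a captured 404 response of your own site: it looks for the COOKIE_ANNOT marker, searches for a long Base64 run near it, decodes that run without executing anything, and reports whether the decoded bytes look like script. The search window, the minimum blob length and the sample pages are assumptions constructed for the example.

```python
import base64
import binascii
import re

# Marker string reported in the 404-page loader, followed nearby by a long Base64 run.
# WINDOW (bytes scanned after the marker) and the 40-char minimum are assumptions.
MARKER = "COOKIE_ANNOT"
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
WINDOW = 4096


def find_hidden_payload(html: str):
    """Return (offset, decoded_text) when a long Base64 blob near the marker
    decodes to JavaScript-looking text; otherwise None. Nothing is executed."""
    pos = html.find(MARKER)
    if pos < 0:
        return None
    window = html[pos:pos + WINDOW]
    for m in BLOB_RE.finditer(window):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64 or not text: skip (e.g. an inline image)
        # Crude triage: script-like tokens in the decoded text
        if any(tok in decoded for tok in ("function", "document", "fetch(", "eval(")):
            return pos + m.start(), decoded
    return None


# Constructed sample pages: a default-looking 404 page, and the same page with a
# harmless placeholder blob standing in for the obfuscated code described above.
_placeholder_js = "/* constructed placeholder */ function x(){ return document.title; }"
CLEAN_404 = "<html><body><h1>404 Not Found</h1><p>The page does not exist.</p></body></html>"
TAMPERED_404 = CLEAN_404.replace(
    "</body>",
    "<!-- COOKIE_ANNOT " + base64.b64encode(_placeholder_js.encode()).decode() + " --></body>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        hit = find_hidden_payload(page)
        print(name, "-> no marker/payload" if hit is None else f"payload at offset {hit[0]}")
```

In practice, fetch a deliberately non-existent path on the site you operate and pass the response body to `find_hidden_payload`; a hit means the error page has been tampered with and should be restored from a known-good source.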

Beyond this variant, Akamai uncovered two other attack variants during the investigation. In the first, the malicious loader code was hidden inside a malformed HTML image tag that carried an onerror attribute. In the second, the loader code was disguised as Meta Pixel code, Facebook's well-known visitor activity tracking service.

This discovery highlights the evolving tactics employed by cybercriminals to compromise websites and steal sensitive information. By exploiting commonly overlooked elements, such as 404 error pages, attackers can obfuscate their malicious activities and evade security measures. It is crucial for organizations to remain vigilant and employ robust security measures to protect their websites and customer data.

The implications of these skimming campaigns are significant, particularly for organizations in the food and retail sectors that have been targeted. Considering the large number of customers and transactions involved, the potential impact on individuals and businesses can be substantial. The stolen personal information can be exploited for various malicious purposes, including identity theft and financial fraud.

To mitigate the risk of falling victim to such attacks, organizations should implement security measures such as regular vulnerability assessments, patch management, and strict access controls. It is also advisable to utilize web application firewalls and employ code review processes to identify and remediate any potential vulnerabilities in websites and third-party services.

Furthermore, educating employees about the risks and best practices for cybersecurity is crucial. Human error remains a significant contributing factor to successful attacks, so fostering a security-conscious culture within the organization can significantly enhance overall defense measures.

As the threat landscape continues to evolve, it is imperative for security researchers and organizations to remain proactive in their efforts to detect and combat cyber threats. The discovery of this skimming campaign serves as a reminder of the importance of ongoing research and collaboration to stay one step ahead of malicious actors. By sharing insights and knowledge, the cybersecurity community can collectively develop effective countermeasures to safeguard businesses and individuals from emerging threats.
