Magecart Card Skimming Campaign Evolves: Concealing Malicious Code in 404 Error Pages to Steal Credit Card Information

October 18, 2023

In a recent Magecart card skimming campaign, attackers hijack the 404 error pages of online retailers' websites to conceal the malicious code that steals customers' credit card information, according to a Bleeping Computer article. This method, one of three techniques observed by Akamai Security Intelligence Group researchers, manipulates the default '404 Not Found' page so that it both hides and serves the card-stealing code, a departure from previous Magecart campaigns.

The campaign specifically targets Magento and WooCommerce sites, with victims including well-known organizations in the food and retail sectors. The attackers employ a skimmer loader disguised as a Meta Pixel code snippet or embedded within random inline scripts on compromised checkout pages.

The loader first sends a fetch request to a non-existent relative path named 'icons', which the server answers with a '404 Not Found' page. Rather than treating that as a failure, the loader runs a regular expression over the HTML of the 404 response looking for a specific marker string. Behind that marker sits a base64-encoded string that, once decoded, yields the JavaScript skimmer. Because the server returns the same 404 page for every missing path, the payload is effectively hidden in every 404 error page the site serves, and the request that retrieves it looks like nothing more than a broken link.
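The following Node.js scanner is an added example, not code from the article or from Akamai's report. It checks a 404 page body for the hiding technique described above: a base64 blob that decodes to JavaScript. The marker string and the exact regular expression the real loader uses are not given in the article, so the scanner instead looks for any sufficiently long base64 run, decodes it, and keeps only those that decode to printable text matching several script indicators. The dummy skimmer and both sample pages are constructed for the demo and are never executed, only encoded and decoded as text.

```javascript
// Added example (not from the article or Akamai's report): scan a 404 page for a
// base64-hidden script. Node.js, no dependencies. All sample data is constructed.

// Hypothetical dummy "skimmer" used only to build the sample page. It is never run
// here; it is encoded into the page and later decoded back as text.
const DUMMY_SKIMMER_JS =
  'var f=document.createElement("form");' +
  'f.innerHTML="<input name=cc><input name=exp><input name=cvv>";' +
  'document.body.appendChild(f);' +
  'f.onsubmit=function(){new Image().src="/pixel.gif?d="+btoa(new FormData(f).toString())};';

// Constructed malicious 404 page: normal-looking body, payload inside an HTML comment.
const INFECTED_404_HTML =
  '<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>' +
  '<h1>Page not found</h1><p>The page you requested does not exist.</p>' +
  '<!-- ' + Buffer.from(DUMMY_SKIMMER_JS, 'utf8').toString('base64') + ' -->' +
  '</body></html>';

// Constructed benign 404 page. It also carries a long base64 run (a 1x1 PNG data URI),
// which is why a scanner cannot flag on length alone.
const CLEAN_404_HTML =
  '<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>' +
  '<h1>Page not found</h1>' +
  '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ' +
  'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">' +
  '</body></html>';

// Indicators that decoded text is a skimmer-like script rather than arbitrary data.
const SCRIPT_INDICATORS = [
  /\bfetch\s*\(/,                // loader or exfil over fetch
  /\bnew\s+Image\s*\(/,          // exfil via image request
  /\bbtoa\s*\(/,                 // base64-encoding captured data
  /\bcreateElement\s*\(/,        // injecting a fake form
  /\b(cc|cvv|cvc|card|expir)/i,  // payment-field names
];

// Fraction of characters that are printable ASCII or whitespace; binary data scores low.
function printableRatio(text) {
  if (text.length === 0) return 0;
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  return printable / text.length;
}

// Names (regex sources) of the indicator patterns that match a decoded blob.
function matchedIndicators(text) {
  return SCRIPT_INDICATORS.filter((re) => re.test(text)).map((re) => re.source);
}

// Find every base64 run of at least minLen characters, decode it, and keep those that
// decode to mostly printable text matching at least two script indicators.
function scan404(html, minLen = 64) {
  const blobRe = new RegExp('[A-Za-z0-9+/]{' + minLen + ',}={0,2}', 'g');
  const findings = [];
  for (const m of html.matchAll(blobRe)) {
    const decoded = Buffer.from(m[0], 'base64').toString('utf8');
    if (printableRatio(decoded) < 0.9) continue; // images and other binary data
    const indicators = matchedIndicators(decoded);
    if (indicators.length < 2) continue;
    findings.push({ offset: m.index, length: m[0].length, indicators, decoded });
  }
  return findings;
}

for (const [name, html] of [['infected', INFECTED_404_HTML], ['clean', CLEAN_404_HTML]]) {
  const hits = scan404(html);
  console.log(`${name} 404 page: ${hits.length} suspicious blob(s)`);
  for (const h of hits) console.log(`  at offset ${h.offset}, indicators: ${h.indicators.join(', ')}`);
}
```

To use it against a live site, fetch a deliberately missing path (the article's loader uses a relative path named 'icons', but any non-existent path returns the same page) and pass the response body to scan404. The printable-ratio filter is what keeps inline images from producing false positives; the two-indicator threshold is a heuristic and should be tuned against the site's own legitimate inline scripts.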

The skimmer injects a fake payment form that asks visitors for sensitive details such as the card number, expiration date, and security code. After the form is submitted, the victim is shown a fake "session timeout" error, while behind the scenes the captured data is base64-encoded and sent to the attacker as part of an image request URL.

Hiding the payload in 404 pages shows how adaptable Magecart actors are, and it makes compromised sites harder to detect and sanitize: a cleanup that only inspects the site's regular pages and scripts can leave the payload in place. Exfiltrating through an image request likewise evades many network traffic monitoring tools, because the request looks like an ordinary image fetch.
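Since the exfiltration request described in the two paragraphs above is designed to blend in with ordinary image fetches, one place it can still be caught is in the web server's access log. The Node.js script below is an added example, not code from the article: it parses combined-format log lines, picks out GET requests for image paths, base64-decodes any query-string value that looks like base64, and flags the request if the decoded text contains a Luhn-valid card number. The log lines, hostnames, and documentation-range IP addresses are constructed for the demo; the card number is the standard 4111111111111111 test value. The assumption that the payload rides in a query-string value (rather than in the path) is the example's own.

```javascript
// Added example (not from the article): find card data base64-encoded into image
// request URLs in an access log. Node.js, no dependencies. Log lines are constructed.

// Luhn check, used to tell card numbers from other long digit runs (timestamps, order ids).
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Digit runs of card-number length that pass Luhn.
function findCardNumbers(text) {
  return (text.match(/\d{13,19}/g) || []).filter(luhnValid);
}

// Parse one line in combined/common log format; null if it does not match.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) (\S+)/;
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], url: m[4], status: Number(m[5]) };
}

// Split the query string by hand rather than with URLSearchParams, which turns '+' into
// a space and would corrupt base64 that a skimmer sends without percent-encoding.
function queryValues(url) {
  const q = url.indexOf('?');
  if (q < 0) return [];
  return url.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const raw = eq < 0 ? pair : pair.slice(eq + 1);
    try { return decodeURIComponent(raw); } catch (e) { return raw; }
  });
}

const IMAGE_PATH_RE = /\.(gif|png|jpe?g|webp|svg|ico)(\?|$)/i;
const BASE64_RE = /^[A-Za-z0-9+/]{16,}={0,2}$/;

// Flag a GET for an image path whose query carries base64 decoding to card numbers.
function inspectImageRequest(line) {
  const req = parseLogLine(line);
  if (!req || req.method !== 'GET' || !IMAGE_PATH_RE.test(req.url)) return null;
  for (const value of queryValues(req.url)) {
    if (!BASE64_RE.test(value)) continue;
    const decoded = Buffer.from(value, 'base64').toString('utf8');
    const cards = findCardNumbers(decoded);
    if (cards.length > 0) return { ip: req.ip, time: req.time, url: req.url, cards, decoded };
  }
  return null;
}

function scanAccessLog(text) {
  return text.split('\n').map(inspectImageRequest).filter((f) => f !== null);
}

// Constructed sample log. Line 3 models the exfil request: base64(form data) in a pixel
// request. Line 4 carries legitimate base64 (a referrer URL) to show the Luhn filter at work.
const EXFIL_PAYLOAD = Buffer.from('cc=4111111111111111&exp=12/26&cvv=123&name=Jane Doe', 'utf8').toString('base64');
const LEGIT_PAYLOAD = Buffer.from('https://shop.example/checkout?step=2', 'utf8').toString('base64');
const SAMPLE_ACCESS_LOG = [
  '203.0.113.7 - - [18/Oct/2023:10:14:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://shop.example/checkout" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Oct/2023:10:14:02 +0000] "GET /track.gif?id=abc123&t=1697624042 HTTP/1.1" 200 43 "https://shop.example/checkout" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Oct/2023:10:14:05 +0000] "GET /assets/pixel.gif?d=' + encodeURIComponent(EXFIL_PAYLOAD) + ' HTTP/1.1" 200 43 "https://shop.example/checkout" "Mozilla/5.0"',
  '203.0.113.9 - - [18/Oct/2023:10:14:06 +0000] "GET /pixel.gif?u=' + encodeURIComponent(LEGIT_PAYLOAD) + ' HTTP/1.1" 200 43 "https://shop.example/" "Mozilla/5.0"',
].join('\n');

for (const f of scanAccessLog(SAMPLE_ACCESS_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.url}`);
  console.log(`  decoded: ${f.decoded}`);
  console.log(`  card numbers: ${f.cards.join(', ')}`);
}
```

Two caveats for real use. First, this only sees exfiltration that passes through a server whose logs you hold; a skimmer that sends the image request to an attacker-controlled host leaves no trace in the victim site's own logs, so the same check belongs on a proxy or CSP report pipeline that sees outbound browser traffic. Second, the Luhn filter removes most incidental digit runs but not all of them, so a hit is a lead to review, not proof on its own.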
