Tomcat
A new Magecart card skimming campaign uses modified 404 error pages on online shopping websites, hiding malicious code to steal customers' credit card information.
The campaign was reported by Akamai Security Intelligence Group researchers. It focuses on Magento and WooCommerce sites, with some of its victims associated with well-known organizations in the food and retail industries.
Hackers hide malicious code in the onerror attribute of an HTML image tag and the image binary file to make it appear as a Meta Pixel code snippet.
The download skimmer may also be located in random embedded scripts already present on the compromised checkout web page.
The loader contains a regular expression match to look for a specific string in the returned 404 page HTML. Deciphering this string revealed a JavaScript skimmer that is hiding on all 404 pages of the site. This confirms that the attackers successfully changed the default error page for the entire site and hid malicious code on it.
The skimmer code displays a fake form that website visitors must fill out with sensitive information, including their credit card number, expiration date, and CVC.
The victim then sees a fake error page when completing the payment session.
In the background, all information is Base64 encoded and sent to the attacker via an image request URL containing a string as a request parameter.
This approach helps avoid detection by network traffic monitoring tools because the request appears as a harmless image fetch event. However, decoding the base64 string reveals personal and credit card information.
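The post describes two places a defender can look: the `onerror` handler of an image tag on the error page (where the loader hides) and image requests whose query parameter is a base64 blob (the exfiltration channel). The script below is an added example written for this page, not code from the post or from Akamai; it assumes an Apache/Nginx combined-format access log, and the function names, the suspicious-primitive list and every sample input (the 404 HTML, the log lines, the `4111...` test card number) are constructed here.

```python
"""Defender-side checks for the 404-page skimmer pattern described in the post.
Check 1: <img> tags on an error page whose onerror handler carries script-evaluation
         primitives (the loader hiding place the post names).
Check 2: image requests in an access log whose query values decode from base64
         to text containing Luhn-valid card numbers (the exfil channel).
All sample inputs are constructed for this example.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, unquote, urlsplit

# JavaScript primitives that have no business inside an image's onerror handler (assumed list)
SUSPICIOUS_JS = re.compile(r"\b(atob|eval|Function|fetch|XMLHttpRequest|appendChild)\b")
# 13-19 digit runs not embedded in a longer digit sequence
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".svg")
# Request line of a combined-format access log (assumed format)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


class _ImgOnErrorFinder(HTMLParser):
    """Collects <img> tags whose onerror attribute looks like a script loader."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":          # HTMLParser lowercases tag and attribute names
            return
        attrs = dict(attrs)
        handler = attrs.get("onerror") or ""
        if SUSPICIOUS_JS.search(handler):
            self.hits.append({"src": attrs.get("src"), "onerror": handler})


def scan_html_for_onerror_loaders(html):
    parser = _ImgOnErrorFinder()
    parser.feed(html)
    return parser.hits


def luhn_ok(digits):
    """Luhn checksum: filters order ids and timestamps out of CARD_RE matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_b64_param(value):
    """Return the UTF-8 text behind a base64 query value, or None if it is not one."""
    # parse_qs turns a raw '+' into a space; restore it, then repair missing padding
    s = unquote(value).strip().replace(" ", "+")
    s += "=" * (-len(s) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(s).decode("utf-8")
        except ValueError:       # binascii.Error and UnicodeDecodeError both subclass it
            continue
    return None


def find_exfil_in_log(lines):
    """Image fetches whose query string carries base64 text holding a valid card number."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(IMAGE_EXT):
            continue
        for name, values in parse_qs(url.query).items():
            for value in values:
                text = decode_b64_param(value)
                if text is None:
                    continue
                cards = [c for c in CARD_RE.findall(text) if luhn_ok(c)]
                if cards:  # report masked PANs only; never log the full number
                    masked = [c[:6] + "*" * (len(c) - 10) + c[-4:] for c in cards]
                    findings.append({"path": url.path, "param": name, "cards": masked})
    return findings


# Constructed sample: a 404 page with a benign logo and one loader-style image tag
CONSTRUCTED_404_HTML = """<html><body><h1>Page not found</h1>
<img src="/img/logo.png" alt="logo">
<img src="https://tracking.example/pixel.gif" onerror="eval(atob('QUJDREVGR0g='))">
</body></html>"""


def constructed_log_lines():
    # Constructed log: a normal image, a pixel with a plain id, and a pixel whose
    # parameter carries a base64-encoded form (4111... is a well-known test number).
    payload = "name=Jane Doe&cc=4111111111111111&exp=12/26&cvc=123"
    encoded = quote(base64.b64encode(payload.encode()).decode(), safe="")
    line = '203.0.113.5 - - [10/Oct/2023:12:00:0{n} +0000] "GET {url} HTTP/1.1" 200 43'
    return [line.format(n=1, url="/static/logo.png"),
            line.format(n=2, url="/static/pixel.gif?id=42"),
            line.format(n=3, url="/static/pixel.gif?data=" + encoded)]


if __name__ == "__main__":
    print(scan_html_for_onerror_loaders(CONSTRUCTED_404_HTML))
    print(find_exfil_in_log(constructed_log_lines()))
```

Run it against the HTML your server actually returns for a non-existent URL (the post's point is that the skimmer lives on every 404 page, not on the checkout page itself) and against the access log of your image and pixel paths. The Luhn filter keeps ordinary numeric ids from raising alerts, and only masked card numbers are ever written into the findings.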