Magecart Hackers Hide in 404 Error Pages

Written by

Researchers have discovered a novel digital skimming campaign that hides malicious code in 404 pages to avoid detection.

Akamai security researcher, Roman Lvovsky, explained in a blog post yesterday that the attacks have been targeting Magento and WooCommerce websites, including some belonging to large organizations in the food and retail sectors.

Magecart attacks typically work by exploiting vulnerabilities in targeted websites, or third-party services that the websites are using, in order to deploy skimming malware onto payment pages. 

As usual, the attacks are split into three distinct phases to make them harder to detect: loader, malicious attack code and data exfiltration.

Read more on Magecart attacks: Magecart Supply Chain Attacks Hit Hundreds of Restaurants

“After the loader is executed, the attack sends a fetch request to /icons, which is a relative path that doesn’t actually exist. This request led to a ‘404 Not Found’ error,” he continued.

“Upon analysis of the HTML returned in the response, it seemed like the default 404 page of the website. This was confusing and made us wonder if the skimmer was no longer active on the victim websites we found.”

However, on closer inspection, Akamai found a “regex match” in the loader for the string “COOKIE_ANNOT” that was present in the HTML of the 404 page. Next to this string it found a long Base64-encoded string, which in fact represented obfuscated JavaScript attack code.

“The loader extracts this string from the comment, decodes it, and executes the attack, which is designed to steal the personal information entered by users,” Lvovsky explained.

“We simulated additional requests to non-existent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code. These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it.”

Akamai discovered two additional attack variants: one that hid the malicious loader code in an improperly formatted HTML image tag with a onerror attribute, and another which hid malicious loader code in an inline script disguised as Meta Pixel code. The latter is a well-known Facebook visitor activity tracking service.

What’s hot on Infosecurity Magazine?