The Akamai Security Intelligence Group has uncovered a new Magecart web skimming campaign that is targeting a wide array of websites, including those associated with large organisations in the food and retail sectors. This campaign is particularly noteworthy for its advanced concealment techniques, one of which manipulates the website's default 404 error page to hide malicious code.
According to Roman Lvovsky, the author of the Akamai report, "This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that poses unique challenges for detection and mitigation."
The campaign has been active for several weeks and targets Magento and WooCommerce websites. It employs three main components: a loader, malicious attack code, and data exfiltration. The loader is responsible for initiating the full malicious code of the attack, while the attack code executes the skimming operation, disrupting the checkout process and injecting fake forms. The data exfiltration component transmits the stolen data to the attacker's command and control server.
Lvovsky elaborates on the campaign's complexity: "The purpose of separating the attack into three parts is to conceal the attack in a way that makes it more challenging to detect. This allows for the activation of the full flow of the attack only on the specifically targeted pages; that is, because of the obfuscation measures used by the attacker, the activation of the full attack flow can only occur where the attacker intended for it to execute."
The campaign has evolved over time, with three different variations identified. The first two variations are similar but employ different loaders. The third variation is unique for its use of the website's default 404 error page to conceal malicious code. "This is a creative concealment technique that we hadn't ever seen before," said Lvovsky.
The third variation also employs a different data exfiltration technique, injecting a fake form that closely resembles the original payment form. When users submit data into this fake form, an error is presented, and they are prompted to re-enter their payment details, thereby capturing sensitive information.
The Akamai report concludes with a warning: "This campaign reinforces the fact that web skimming techniques are constantly evolving. They are becoming more sophisticated, which makes detection and mitigation by static analysis and external scanning increasingly challenging."
Organisations are advised to remain vigilant and explore advanced approaches to protect against these evolving threats, as the level of complexity in such attacks continues to rise.