Unauthorized Modifications to Online Retailers’ 404 Pages Expose Customer Data

Recently, a fresh Magecart card skimming tactic has been identified where cyber attackers manipulate the 404 error pages of online retailers. These pages, generally seen when a user tries to access a non-existent or relocated webpage, are now being used to embed malicious code aimed at extracting customers’ credit card details.

This ingenious method was among three strategies noted by the Akamai Security Intelligence Group. The other two strategies involve embedding the malicious code within the HTML image tag’s ‘onerror’ attribute and disguising it within an image binary, presenting it as a Meta Pixel code snippet.

The campaign predominantly targets Magento and WooCommerce platforms. Several of the affected sites belong to well-known organizations in the food and retail sectors.

Regarding the 404 Manipulation

404 error pages are a staple of all websites, serving as indicators for inaccessible or moved web pages. The cyber actors from Magecart have started using the standard ‘404 Not Found’ page as a cover for their malicious operations, a method not witnessed in their earlier campaigns.

Akamai’s report highlights the novelty of this technique, pointing out that repurposing the standard 404 error page gives the Magecart operators a variety of new avenues for concealment and evasion.

The skimming code either presents itself as a Meta Pixel code snippet or nestles amongst random inline scripts on the tainted checkout webpage.

When the loader tries to access a path named ‘icons’, which doesn’t exist, the request results in a “404 Not Found” error. Initially, Akamai’s team theorized that the skimmer was either inactive or had been incorrectly set up by Magecart. However, deeper analysis revealed a regular expression within the loader that scans the 404 page’s returned HTML for a particular string.

Discovering this string led Akamai to a base64-encoded sequence discreetly located within a comment. This decoded sequence was the JavaScript skimmer present on all 404 pages. Akamai further observed that any attempt to access unavailable paths led to the same 404 page with the maliciously coded comment.
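A defender-side check for the concealment described above, as an added example that is not Akamai’s code or part of the original report: it scans the HTML of a 404 response for comments that carry a long base64 run, decodes each run, and flags it when the decoded text looks like JavaScript. The 404 page, the marker list and the threshold are constructed assumptions for the example.

```python
"""Added example: flag HTML comments on a 404 page that hide a base64-encoded script."""
import base64
import re

# Minimum base64 run length worth decoding; tune for your own pages (assumption).
MIN_B64_LEN = 40
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
# Tokens that suggest a decoded blob is executable JavaScript rather than data (assumption).
JS_MARKERS = ("document.", "addEventListener", "new Image", "fetch(",
              "XMLHttpRequest", "eval(", "createElement", "btoa(")


def decode_b64(blob):
    """Decode a base64 run to text, or return None if it is not valid base64."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_hidden_scripts(html):
    """Return one finding per base64 comment payload that decodes to script-like text."""
    findings = []
    for comment in COMMENT_RE.findall(html):
        for blob in B64_RE.findall(comment):
            text = decode_b64(blob)
            if text is None:
                continue
            hits = [marker for marker in JS_MARKERS if marker in text]
            if hits:  # binary blobs (e.g. inlined images) decode to junk and hit nothing
                findings.append({"encoded_len": len(blob), "markers": hits,
                                 "preview": text[:60]})
    return findings


# Constructed sample: a harmless script hidden in a comment the way the loader expects.
SAMPLE_JS = 'document.addEventListener("DOMContentLoaded", init);'
SAMPLE_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    "<!-- served by cache node 7 -->\n"
    "<!-- " + base64.b64encode(SAMPLE_JS.encode()).decode() + " -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in find_hidden_scripts(SAMPLE_404):
        print(finding)
```

Running the same check against every response your 404 handler emits, not just the checkout page, matches Akamai’s observation that any non-existent path returned the same tainted page.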

What makes this technique so insidious is its camouflage. Due to the request originating from a first-party path, many security systems overlook it, deeming it non-suspicious.

Data Extraction Method

The skimming code pops up a counterfeit form prompting site visitors to enter sensitive information, including their credit card details. After the data is entered, users are shown a misleading “session timeout” notification.

Simultaneously, the input details are encoded in base64 format and relayed to the cyber attacker via an image request URL that contains the encoded data string. This method cleverly bypasses detection from network monitoring tools since it masquerades as an innocent image retrieval action. Yet, when the base64 sequence is decoded, it divulges the personal and financial data.

The manipulation of 404 pages underscores the adaptable strategies and dexterity of Magecart operatives. They persistently challenge web administrators by concealing their harmful code on infiltrated websites, making the removal process increasingly intricate.