October 10, 2023 at 08:24AM
Akamai’s security researchers have discovered a new Magecart web skimming campaign that incorporates three concealment techniques. One technique involves hiding malicious code in the targeted website’s ‘404’ error page. The campaign, which targets large organizations in the food and retail sectors, follows the typical Magecart pattern of exploiting vulnerabilities, injecting malicious code, and stealing users’ information. The attackers have also modified the victim websites’ default error pages to conceal their code and have used a fake form overlaid on top of the original payment form for data exfiltration.
Key points from the article:
1. A recent web skimming campaign by Magecart is using three concealment techniques, including hiding the malicious code in the targeted website’s ‘404’ error page.
2. Magecart hackers have been active since at least 2015 and are known for placing digital skimmers on compromised websites to steal credit card and personal information.
3. The number of attacks attributed to Magecart skimmers has increased after high-profile incidents in 2018, and multiple hacking groups now operate under the Magecart umbrella.
4. Akamai’s security researchers have observed a sophisticated and covert campaign by one Magecart group targeting large organizations in the food and retail sectors, using techniques to avoid detection.
5. The campaign follows a typical Magecart pattern, starting with exploiting vulnerabilities in target websites or their service providers to inject malicious code and steal users’ information.
6. Akamai’s analysis of the attack identified three variations of the campaign. Two variations were similar, with slight loader modifications, while one involved modifying the victim websites’ default 404 error pages to conceal the malicious code.
7. The first variation used a malformed HTML image tag to trigger code execution within the context of the page: the obfuscated inline script sits in the tag’s onerror handler, so it runs as soon as the bogus image fails to load. The code then opened a WebSocket channel for communication with the command-and-control server.
8. The second variation used a code snippet resembling the Meta Pixel code to fetch and execute a loader.
9. The third variation also disguised the loader as Meta Pixel code, but instead of fetching a script it sent a fetch request for a relative path that does not exist on the site. The server answered with the site’s 404 error page, and it was inside that page that the attackers had concealed the obfuscated JavaScript attack code; the loader pulled the code out of the 404 response body and executed it. A 404 for an unknown path looks like ordinary noise in logs and monitoring, which is what makes the technique effective.
10. The third variation also used a different data exfiltration technique, overlaying a fake form on top of the original payment form.
11. When users submit their details into the fake form, they are shown an error message, the fake form is hidden, and they are prompted to re-enter their payment details on the original form, so the purchase completes normally and the victim has no reason to suspect anything.
12. Because the attackers altered the site-wide default error page, the hidden code was served for any request to a missing resource, and a defender inspecting only the checkout page would find nothing more than an innocuous-looking loader.
These are the main takeaways from the article on the recent Magecart web skimming campaign and its concealment techniques.
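The following is an added example, not code from Akamai’s report or from the skimmer itself. It models the third variation described in points 9 and 12: a loader requests a path that cannot exist, receives the site’s 404 page, and carves an encoded payload out of it; beside that, a defender-side check diffs the live 404 body against a known-good baseline and flags anything that decodes to JavaScript. The two sample pages, the stand-in payload and the “SKIMMER_MARK” marker are constructed for illustration (the real campaign’s marker is not given on this page), and the script runs under Node because it uses Buffer for base64.

```javascript
// Added example; not code from Akamai's report or from the skimmer.
// Loader side: fetch a non-existent path, pull a base64 payload out of the
// 404 body. Defender side: diff the live 404 page against a baseline and
// flag encoded script. Sample pages, payload and marker are constructed.

const b64enc = (s) => Buffer.from(s, "utf8").toString("base64");
const b64dec = (s) => Buffer.from(s, "base64").toString("utf8");

// Constructed clean 404 page, e.g. captured from a known-good deploy.
const BASELINE_404 = [
  "<!doctype html>",
  "<html><head><title>404 Not Found</title></head>",
  "<body><h1>Page not found</h1><p>Check the address and try again.</p>",
  "</body></html>",
].join("\n");

// Constructed stand-in for the skimmer: hooks every form submit. Real
// payloads are heavily obfuscated; this one is kept readable on purpose.
const PAYLOAD_JS =
  "document.querySelectorAll('form').forEach(f=>f.addEventListener('submit',e=>{/* exfil */}));";

// The same template after the attacker edited the site-wide error page:
// the payload is base64 inside an HTML comment, so the page renders unchanged.
// "SKIMMER_MARK" is a hypothetical marker, not the campaign's real one.
const TAMPERED_404 = BASELINE_404.replace(
  "</body>",
  `<!-- SKIMMER_MARK:${b64enc(PAYLOAD_JS)} -->\n</body>`
);

// Loader side: what the checkout-page snippet does with the 404 body.
// Returns the decoded script, or null when the marker is absent.
function extractHiddenPayload(html, marker) {
  const m = html.match(new RegExp(marker + ":([A-Za-z0-9+/=]+)"));
  return m ? b64dec(m[1]) : null;
}

// Defender side: compare against baseline and look for runs of base64 that
// decode to something script-like. Returns a list of human-readable findings.
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;
const JS_HINTS = /document\.|addEventListener|eval\(|Function\(|WebSocket\(/;

function scan404(liveHtml, baselineHtml) {
  const findings = [];
  if (liveHtml !== baselineHtml) findings.push("404 body differs from baseline");
  for (const run of liveHtml.match(BASE64_RUN) || []) {
    const decoded = b64dec(run);
    if (JS_HINTS.test(decoded)) {
      findings.push(`encoded JavaScript: ${decoded.slice(0, 40)}...`);
    }
  }
  const hasScript = (h) => /<script[\s>]/i.test(h);
  if (hasScript(liveHtml) && !hasScript(baselineHtml)) {
    findings.push("<script> tag absent from baseline");
  }
  return findings;
}

// Stand-in for fetch(): any unknown path is answered with the current 404 page.
function fetchMissingPath(currentErrorPage) {
  return Promise.resolve({ status: 404, text: async () => currentErrorPage });
}

async function main() {
  const res = await fetchMissingPath(TAMPERED_404);
  const html = await res.text();
  console.log("status:", res.status);
  console.log("loader would execute:", extractHiddenPayload(html, "SKIMMER_MARK"));
  console.log("findings:", scan404(html, BASELINE_404));
}

main().catch((e) => { console.error(e); process.exitCode = 1; });
```

In practice the baseline is the 404 body recorded at deploy time, and the live copy is fetched from production for a random path on a schedule; any drift in the error template, not only one matching these heuristics, deserves a look, because the attackers in this campaign needed to change that template to make the technique work.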
Full Article – https://ift.tt/KBXThnf