October 11, 2023 at 12:53PM
Cybercriminal groups behind the Magecart payment-card theft campaigns have developed a new technique to hide their credit card skimming code. They have started hiding JavaScript code in a comment on a targeted website’s 404 error page. By modifying other pages on the site to include a call to a nonexistent folder, they can fetch the malicious page without being noticed. This technique is highly innovative and offers improved hiding and evasion capabilities for the attackers. The modification of the 404 error page helps them bypass certain security measures. However, this technique could also attract unwanted attention. The Payment Card Industry (PCI) Security Standards Council has introduced new requirements to protect payment pages and prevent these types of attacks.
Key Takeaways:
1. The Magecart cybercriminal groups have developed a new technique to hide their credit card skimming code, allowing them to go undetected for several weeks on major e-commerce sites.
2. The technique involves hiding JavaScript code in a comment on a targeted site’s default 404 page. Other pages on the site are modified slightly to trigger the 404 error and fetch the malicious page.
3. The hidden code is contained within a specific placeholder in the comment, allowing the attacker’s script to retrieve it. This concealment technique is innovative and has not been seen in previous Magecart campaigns.
4. Magecart attacks involve obfuscated JavaScript, hijacking of forms, and malicious redirects to steal credit card information and user data from websites.
5. The code hiding technique in the comments of a default 404 page can evade detection by many scanners and is particularly effective against synthetic scanners that ignore content in requests not returning a 200 OK HTTP code.
6. The modification to default 404 pages is part of the Magecart campaign’s efforts to deliver a payload and maintain persistence. A fake form is overlaid on the original page’s credit card information form, allowing the attackers to collect financial details from targeted users.
7. While the technique is hard to discover, it may not be considered stealthy as it attracts attention due to the call to a nonexistent resource. Other Magecart groups tend to avoid this delivery method.
8. The Payment Card Industry (PCI) Security Standards Council has introduced the latest version of its Data Security Standard (DSS) to address Magecart attacks. The requirements aim to protect payment pages and detect unauthorized code injection.
9. Online merchants are expected to comply with the PCI-DSS 4.0 requirements by early 2025, even if they outsource storage, processing, and transmission of account data to payment service providers.
10. The ever-changing third-party code used by modern websites bypasses traditional security controls, providing attackers with opportunities to exploit vulnerabilities through malicious script attacks.