Akamai researchers discovered a new Magecart web skimming campaign that conceals malicious code in 404 error pages. The campaign is targeting an extensive list of Magento and WooCommerce websites, including those belonging to large organizations in the food and retail industries.
While typical Magecart attacks abuse vulnerabilities in the targeted websites or infect the third-party services used by sites, the new campaign injects malicious code into the sites' first-party resources, such as the HTML pages or the first-party scripts loaded as part of the website.
The researchers said they detected three variations of the new Magecart campaign, two of them quite similar with minor differences in loaders, while the third attack variant used the website's default 404 error page to hide the malicious code - a previously unseen technique in such campaigns.
In this attack, a fetch request for a relative path that did not exist was sent after the loader was downloaded, which returned the website's “404 Not Found” error page. Re-analysis of the loader revealed that it contained a regex match for the string "COOKIE_ANNOT", which was meant to be run against the 404 error page returned as part of the icons request.
Digging deeper, the researchers found a comment hidden toward the end of the page that contained the "COOKIE_ANNOT" string, with a long Base64-encoded string concatenated to it.
“This encoded string represents the entire obfuscated JavaScript attack code. The loader extracts this string from the comment, decodes it, and executes the attack, which is designed to steal the personal information entered by users,” Akamai said.
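A defender-side check for the hiding place described above, as an added example that is not from Akamai's report or the original article: it scans an error-page body for HTML comments that carry a long Base64 run and tests whether the run decodes to text. The 200-character threshold, the function and field names, and both sample pages are assumptions constructed for illustration.

```python
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

def best_text_ratio(run):
    """Decode a Base64-looking run at each 4-char alignment; return the best
    share of printable bytes. A label glued onto the payload shifts alignment."""
    core, best = run.rstrip("="), 0.0
    for skip in range(4):
        chunk = core[skip:]
        if len(chunk) % 4 == 1:          # impossible Base64 length
            continue
        try:
            raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        best = max(best, printable / len(raw))
    return best

def scan_error_page(html, min_len=200):
    """Return one finding per long Base64 run found inside an HTML comment."""
    run_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    findings = []
    for comment in COMMENT_RE.finditer(html):
        for run in run_re.finditer(comment.group(1)):
            findings.append({
                "comment_offset": comment.start(),
                "comment_prefix": comment.group(1)[:24].strip(),
                "b64_length": len(run.group(0)),
                "decodes_to_text": best_text_ratio(run.group(0)) > 0.9,
            })
    return findings

# Constructed sample pages: the payload is a harmless placeholder string.
_PLACEHOLDER = base64.b64encode(b"/* constructed placeholder, not skimmer code */ " * 8).decode()
CLEAN_404 = "<html><body><h1>404 Not Found</h1><!-- cache node 7 --></body></html>"
INFECTED_404 = ("<html><body><h1>404 Not Found</h1>\n"
                "<!-- COOKIE_ANNOT" + _PLACEHOLDER + " -->\n</body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_404), ("infected", INFECTED_404)):
        print(name, scan_error_page(page))
```

Because "ANNOT" consists of Base64-alphabet characters, the matched run starts inside the marker, which is why the decoder tries every alignment instead of assuming the payload begins at the run's first character.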