Cybersecurity researchers at Akamai have discovered a new and somewhat creative way hackers hid credit card skimmers on e-commerce websites.
Typically, hackers hide malicious code somewhere on the checkout page and steal sensitive payment information (credit card numbers, full names, expiration dates, etc.) during the purchase process.
In this case, however, Akamai discovered that the malicious code was hidden on a site’s 404 page.
Innovative approach
Almost every website on the Internet has a 404 page. It appears when a visitor tries to view a page that doesn’t exist, either because the link is broken, the page has been moved, or something similar. On some sites (mainly Magento and WooCommerce sites), including some belonging to ‘reputable organisations’ in the food and retail sectors, these 404 pages have been compromised with card-stealing code known as Magecart, something never seen before, Akamai claims.
“This camouflage technique is very innovative and something we haven’t seen in previous Magecart campaigns,” Akamai said in its report. “The idea of manipulating the default 404 error page of a targeted website could provide Magecart actors with several creative options for improved stealth and evasion.”
Even Akamai researchers didn’t detect the malware at first, thinking the skimmer was inactive or the hackers had made a mistake while configuring it.
“We simulated additional requests to non-existent paths and they all returned the same 404 error page with the comment containing the encoded malicious code,” the researchers said. “These checks confirm that the attacker successfully changed the default error page for the entire website and hid the malicious code within it!”
Akamai researchers also discovered two additional campaigns: one in which the attackers attempted to hide code in the ‘onerror’ attribute of the HTML image tag, and one in which a binary image file was modified to make it appear as if it were the Meta Pixel code snippet.
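A defender-side check for two of the hiding places described above (an encoded comment in the 404 page and an `onerror` attribute on an image tag), as an added example that is not taken from Akamai's report. The 200-character threshold, the function names and both sample pages are assumptions constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Assumption: 200+ consecutive base64-alphabet characters in a comment deserve review.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")

class ErrorPageAuditor(HTMLParser):
    """Collects (kind, length) findings from the body of an error page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        match = ENCODED_RUN.search(data)
        if match:
            self.findings.append(("encoded-comment", len(match.group(0))))

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "onerror" and value:
                self.findings.append(("img-onerror", len(value)))

def audit_error_page(html):
    """Return findings for one response body fetched from a non-existent path."""
    auditor = ErrorPageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def page_digest(html):
    """Digest to compare against the known-good 404 template kept in version control."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

# Constructed sample pages; the long comment is filler, not a real payload.
CLEAN_404 = "<html><body><!-- theme: default --><h1>404 Not Found</h1></body></html>"
TAMPERED_404 = (
    "<html><body><h1>404 Not Found</h1>"
    "<!-- " + "QUJD" * 80 + " -->"
    '<img src="/x.png" onerror="placeholder()">'
    "</body></html>"
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        print(label, page_digest(page)[:12], audit_error_page(page))
```

Run it against the body returned for several random non-existent paths, since the researchers note that every such request returned the same modified page.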
Via BleepingComputer