Cybersecurity researchers from Akamai have discovered a new and somewhat creative way hackers were hiding credit card skimmers on ecommerce websites.
Usually, hackers hide malicious code somewhere on the checkout page and steal sensitive payment information (credit card numbers, full names, expiration dates, etc.) during the purchase process.
In this case, however, Akamai found the malicious code hiding in a site’s 404 page.
Innovative approach
Virtually every website on the internet has a 404 page – it’s displayed when a visitor tries to view a website that doesn’t exist, either because the link is broken, the page was moved, or similar. Some pages (mostly Magento and WooCommerce sites), including a few belonging to “renowned organizations” in the food and retail sectors, have had these 404 pages compromised with card-stealing code known as Magecart, something that was never seen before, Akamai claims.
“This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns,” Akamai said in its report. “The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion.”
Even Akamai’s researchers did not spot the malware at first, thinking the skimmer was inactive, or that the hackers made a mistake while configuring it.
“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code,” the researchers said. “These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it!”
Akamai’s researchers also spotted two additional campaigns, one in which the attackers tried to hide the code in the HTML image tag’s ‘onerror’ attribute, and one in which an image binary was tweaked to make it seem as if it’s the Meta Pixel code snippet.
Via BleepingComputer
