eCommerceNews Australia - Technology news for digital commerce decision-makers
Australia
Guides
#
business intelligence
#
commerce systems
#
customer data platforms
#
marketing technologies
#
payment gateways
Search
Story image
#
Cybersecurity
#
Akamai
#
CIOs
Magecart web skimming threat targets food and retail
Wed, 11th Oct 2023
Author image
By Sean Mitchell, Publisher
Follow us

The Akamai Security Intelligence Group has uncovered a new Magecart web skimming campaign that is targeting a wide array of websites, including those associated with large organisations in the food and retail sectors. This campaign is particularly noteworthy for its advanced concealment techniques, one of which manipulates the website's default 404 error page to hide malicious code.

According to Roman Lvovsky, the author of the Akamai report, "This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that poses unique challenges for detection and mitigation."

The campaign has been active for several weeks and targets Magento and WooCommerce websites. It employs three main components: a loader, malicious attack code, and data exfiltration. The loader is responsible for initiating the full malicious code of the attack, while the attack code executes the skimming operation, disrupting the checkout process and injecting fake forms. The data exfiltration component transmits the stolen data to the attacker's command and control server.

Lvovsky elaborates on the campaign's complexity: "The purpose of separating the attack into three parts is to conceal the attack in a way that makes it more challenging to detect. This allows for the activation of the full flow of the attack only on the specifically targeted pages; that is, because of the obfuscation measures used by the attacker, the activation of the full attack flow can only occur where the attacker intended for it to execute."

The campaign has evolved over time, with three different variations identified. The first two variations are similar but employ different loaders. The third variation is unique for its use of the website's default 404 error page to conceal malicious code. "This is a creative concealment technique that we hadn't ever seen before," said Lvovsky.

The third variation also employs a different data exfiltration technique, injecting a fake form that closely resembles the original payment form. When users submit data into this fake form, an error is presented, and they are prompted to re-enter their payment details, thereby capturing sensitive information.

The Akamai report concludes with a warning: "This campaign reinforces the fact that web skimming techniques are constantly evolving. They are becoming more sophisticated, which makes detection and mitigation by static analysis and external scanning increasingly challenging."

Organisations are advised to remain vigilant and explore advanced approaches to protect against these evolving threats, as the level of complexity in such attacks continues to rise.

Related stories
Half of online traffic in 2024 generated by bots, report finds
Ingram Micro Experience 2024 coming to Australia in May
AUCloud & Command Hub unite to launch CrisisHub platform
GitHub launches code scanning autofix for advanced security customers
Akamai & Fujitsu extend partnership for ANZ cloud services
Top stories
CompliantERP tops as 2024 Australian IT Small Business Champion
Cash Chasm report reveals drawbacks of manual cash management
GumGum integrates Playground xyz into APAC ad suite
TeamViewer & Manhattan Associates team up for warehouse digitisation
GoCardless & Intuit QuickBooks target late payments for Aussie SMBs