Diving into details
Magecart attacks usually exploit vulnerabilities in websites or infect third-party services.
- In this recent campaign, the malicious code was directly injected into the victim’s resources, either within their HTML pages or concealed within the website’s first-party scripts.
- This campaign’s attack infrastructure is structured in three segments: a loader, the main malicious attack code, and data exfiltration.
- Splitting the attack into these three parts masks the full attack flow: the malicious code is activated only on specific targeted pages, which makes detection by security tools or external scanners much harder.
The three-faced campaign
- In the first variation, the attackers injected a malformed HTML image tag carrying an obfuscated, Base64-encoded malicious loader, which let the skimmer evade the usual security controls.
- Once the loader runs, it opens a WebSocket channel that serves as the communication bridge between the browser and the attackers’ command and control server.
- The second variation introduced an inline script that resembles the Facebook Meta Pixel tracking snippet but contains additional malicious lines.
- Its skimmer fetches a PNG image from the site’s own directory that has been tampered with to contain malicious code.
- When the third variation’s loader executes, it sends a fetch request to a seemingly innocuous path named ‘icons’. That path does not exist on the website, so the request returns a “404 Not Found” error.
- Further testing showed that requests to any non-existent path returned the same manipulated 404 page with the malicious code embedded in it. This confirmed that the attackers had replaced the website’s default 404 error page site-wide and hidden their code inside it.
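The three loader patterns above, and the resource-auditing mitigation that closes this write-up, can be turned into a simple first-party integrity check. The script below is an added example and is not code from the original research; it assumes the Base64 loader sits in an attribute value of the image tag (the report only says the tag was malformed and Base64-encoded), uses heuristic indicators rather than the researchers' own signatures, and runs against constructed sample HTML with an inert stand-in for the loader.

```python
"""Static audit for the three loader patterns described above plus a baseline
check of the 404 page. Added example, not code from the original research;
sample HTML is constructed and the rules are heuristics, not signatures."""
import base64
import hashlib
import re
from html.parser import HTMLParser

# Heuristic: a run of 40+ Base64-alphabet characters (threshold is an assumption).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens that, in decoded Base64, suggest the blob is JavaScript rather than image data.
JS_TOKENS = ("document.", "WebSocket", "eval(", "fetch(")
SCRIPT_INDICATORS = {
    "websocket-channel": re.compile(r"new\s+WebSocket\s*\("),
    "decode-and-run": re.compile(r"\b(?:eval|Function)\s*\(\s*atob\s*\("),
}

class _Collector(HTMLParser):
    """Collects <img> attribute dicts and <script> tags with their inline bodies."""
    def __init__(self):
        super().__init__()
        self.imgs, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self.scripts.append({"attrs": dict(attrs), "body": ""})
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data

def _decodes_to_js(blob):
    """True if a Base64 blob decodes to text with script-like tokens; a normal
    data: URI holding a binary image does not."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
    except ValueError:  # includes binascii.Error for bad padding/alphabet
        return False
    return any(tok in text for tok in JS_TOKENS)

def find_img_loaders(html):
    """Pattern 1: an <img> whose attribute value carries a Base64 blob that
    decodes to script. Returns (attribute name, blob prefix) pairs."""
    p = _Collector()
    p.feed(html)
    hits = []
    for attrs in p.imgs:
        for name, value in attrs.items():
            for blob in BASE64_BLOB.findall(value or ""):
                if _decodes_to_js(blob):
                    hits.append((name, blob[:16] + "..."))
    return hits

def find_script_indicators(js):
    """Pattern 2: an inline script (e.g. one dressed up as a tracking pixel) that
    opens a WebSocket, decodes-and-runs Base64, or embeds Base64-encoded script."""
    hits = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(js)]
    if any(_decodes_to_js(b) for b in BASE64_BLOB.findall(js)):
        hits.append("embedded-base64-script")
    return hits

def sha256_hex(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def audit_404(body, baseline_sha256):
    """Pattern 3: compare the body served for a non-existent path with the known
    clean error page. Drift from the baseline, or any inline script at all on an
    error page, is worth a look."""
    p = _Collector()
    p.feed(body)
    inline = [s["body"] for s in p.scripts if "src" not in s["attrs"]]
    return {
        "matches_baseline": sha256_hex(body) == baseline_sha256,
        "inline_scripts": len(inline),
        "suspicious_scripts": sum(1 for js in inline if find_script_indicators(js)),
    }

# Constructed samples. The "loader" is an inert comment string that merely
# contains the tokens the heuristic looks for; it is never executed.
LOADER_B64 = base64.b64encode(
    b"// constructed sample, not executable: document.body new WebSocket( fetch("
).decode()
SAMPLE_CLEAN = ("<html><body><img src='/logo.png' alt='logo'>"
                "<script>console.log('ok')</script></body></html>")
SAMPLE_IMG_LOADER = f"<html><body><img src='x' data-cfg='{LOADER_B64}'></body></html>"
SAMPLE_404_CLEAN = "<html><body><h1>404 Not Found</h1></body></html>"
SAMPLE_404_TAMPERED = ("<html><body><h1>404 Not Found</h1>"
                       f"<script>eval(atob('{LOADER_B64}'))</script></body></html>")

if __name__ == "__main__":
    print(find_img_loaders(SAMPLE_IMG_LOADER))
    print(audit_404(SAMPLE_404_TAMPERED, sha256_hex(SAMPLE_404_CLEAN)))
```

In a real audit the 404 body comes from a GET to a random path that cannot exist, compared against a hash recorded when the error page was last known clean, and the same baseline idea applies to every first-party script the site serves. The checks are deliberately narrow: a loader hidden in the bytes of a tampered PNG (the second variation's technique) is not visible to HTML parsing and needs the image itself fetched and inspected for trailing non-image data.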
The bottom line
This campaign underscores the continuous evolution of web skimming techniques. The methods are becoming increasingly sophisticated, making detection and mitigation harder. Organizations should remain alert to these evolving threats and proactively seek innovative solutions. One effective mitigation is to regularly monitor and audit website resources, ensuring that no unauthorized modifications have been made. Additionally, employing threat detection systems that go beyond static analysis can help identify and neutralize such covert threats.