Pay Attention to Magecart While Shopping

Published at: 2023-11-10 12:33

Magecart, a name inspired by the ecommerce platform Magento, is a type of cyberattack that targets online businesses with the goal of stealing sensitive information, including payment card data. These attacks are a form of web skimming and derive from the Magecart hacker group that began in 2015, targeting several well-known global brands.

Executive summary

The Akamai Security Intelligence Group detected a Magecart web skimming campaign that is targeting an extensive list of websites, including large organizations in the food and retail industries. This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that poses unique challenges for detection and mitigation.

The other two obfuscation techniques showcase the evolving tactics that attackers are using to avoid detection and lengthen the attack chain.

As web skimming attacks become increasingly sophisticated, organizations must remain vigilant and explore advanced approaches to protect against these evolving threats.

Introduction

A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites. Some of the victims of this campaign are associated with large organizations in the food and retail industries.

According to the evidence we’ve uncovered, this campaign has been active for a couple of weeks, and in some cases, even longer. This campaign managed to surprise us with a high-level concealment technique that we had not previously encountered.

The new campaign

Magecart attacks typically begin by exploiting vulnerabilities in the targeted websites or by infecting the third-party services that these websites use. In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources.

In some instances, the malicious code was inserted into the HTML pages; in other cases, it was concealed within one of the first-party scripts that was loaded as part of the website.
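One way a site owner can watch for the first-party injection described above, including changes to the 404 error page, is to compare each page's script inventory against a trusted baseline. This is an added example, not code from the original article or from Akamai; the page paths, function names and sample snapshots are assumptions constructed for illustration, and it goes slightly beyond the text by also tracking HTML comments.

```python
import hashlib
from html.parser import HTMLParser

def digest(text):
    return hashlib.sha256(text.strip().encode()).hexdigest()[:16]

class ScriptInventory(HTMLParser):
    """Collect script sources plus hashes of inline scripts and comments."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = set(), None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.items.add("src:" + src)
            else:
                self._inline = []  # buffer the inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.items.add("inline:" + digest("".join(self._inline)))
            self._inline = None

    def handle_comment(self, data):
        self.items.add("comment:" + digest(data))

def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.items

def unexpected_entries(baseline, current):
    """Per page, entries present now that the trusted baseline lacks."""
    diff = {p: sorted(inventory(h) - inventory(baseline.get(p, ""))) for p, h in current.items()}
    return {p: added for p, added in diff.items() if added}

# Constructed snapshots, not real site content; "/404" is the error page body.
CHECKOUT = '<script src="/js/checkout.js"></script>'
BASELINE = {"/checkout": CHECKOUT, "/404": "<h1>Not Found</h1><!-- theme v1 -->"}
CURRENT = {"/checkout": CHECKOUT,
           "/404": "<h1>Not Found</h1><!-- theme v1 --><script>var placeholder = 1;</script>"}
if __name__ == "__main__":
    print(unexpected_entries(BASELINE, CURRENT))
```

In practice the baseline would come from a known-good deployment, and the current snapshot from fetching the live pages, including a request for a nonexistent path to capture the 404 body.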

Cibera VPN Team