Magecart attackers have launched a new covert campaign targeting eCommerce platforms, primarily Magento and WooCommerce. Several victims, some linked to major food and retail organizations, have been ensnared by this sophisticated operation. Unlike previous Magecart attacks, this campaign exhibits advanced evasion techniques that have left many security experts puzzled.

Diving into details

Magecart attacks usually exploit vulnerabilities in websites or infect third-party services.
  • In this recent campaign, the malicious code was directly injected into the victim's resources, either within their HTML pages or concealed within the website's first-party scripts.
  • This campaign's attack infrastructure is structured in three segments: a loader, the main malicious attack code, and data exfiltration. 
  • This three-part structure masks the full attack flow: the code activates only on specific targeted pages, which makes detection by security tools or external scanners much harder.

The three-faced campaign
Variation One
  • The researchers identified encoded JavaScript loaders on a prominent website. 
  • The attackers had injected a malformed HTML image tag embedded with an obfuscated Base64-encoded malicious loader, allowing the skimmer to sidestep usual security protocols. 
  • Once activated, the loader opens a WebSocket channel that serves as the communication bridge between the browser and the attacker's command and control server.

Variation Two
  • This variation introduced an inline script that resembles the Facebook Meta Pixel tracking service but with additional malicious lines. 
  • The skimmer fetches a PNG image from the site's directory that has been tampered with to contain malicious code.

Variation Three
  • Upon execution of the third variation's loader, the attack initiates a fetch request to a seemingly innocuous path labeled 'icons'. However, this path doesn't exist on the website, resulting in a "404 Not Found" error. 
  • Closer inspection revealed that embedded within the returned 404 HTML was a concealed comment containing the string "COOKIE_ANNOT". Adjacent to this string was a long Base64-encoded string. When decoded, this string revealed itself as the entire obfuscated JavaScript attack code. 
  • Further testing revealed that any requests to non-existent paths returned the same manipulated 404 error page with the embedded malicious code. This confirmed that the attackers had successfully overridden the default 404 error page across the entire website, embedding their malicious code within.
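As an added defensive check (my own example, not code from the original report or any vendor tool), the following Python scans a fetched 404 body for HTML comments that hide a Base64 blob decoding to script-like text, the pattern described for Variation Three, and compares several 404 bodies to spot an error page that has been overridden site-wide. The sample page and its placeholder payload are constructed; the JavaScript keyword list and the 40-character Base64 threshold are my assumptions.

```python
import base64
import re

# Constructed sample 404 page (not real campaign data): a benign comment plus a
# comment hiding a Base64 blob next to the COOKIE_ANNOT marker, as described in
# the write-up. The hidden payload is a harmless placeholder script.
HIDDEN_JS = b"(function(){/* placeholder for obfuscated skimmer */})();"
SAMPLE_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    "<!-- page footer -->\n"
    "<!-- COOKIE_ANNOT "
    + base64.b64encode(HIDDEN_JS).decode()
    + " -->\n</body></html>"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Assumption: a Base64 run of 40+ characters inside a comment is worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumption: any of these substrings in the decoded text marks it as script-like.
JS_HINTS = ("function", "document.", "window.", "eval(", "atob(", "fetch(")


def decode_b64(token):
    """Strictly decode a Base64 token to text, or return None if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_hidden_payloads(html, marker="COOKIE_ANNOT"):
    """Return one finding per HTML comment that hides Base64 decoding to script-like text.
    Each finding records whether the marker string sits in the same comment."""
    findings = []
    for comment in COMMENT_RE.findall(html):
        for token in B64_RE.findall(comment):
            decoded = decode_b64(token)
            if decoded and any(hint in decoded for hint in JS_HINTS):
                findings.append({"marker": marker in comment, "preview": decoded[:80]})
    return findings


def shared_payloads(pages):
    """Given 404 bodies fetched for several random non-existent paths, return the
    decoded payload previews present in every one: the same hidden script on all
    404 responses points at an overridden error page rather than a single page."""
    sets = [{f["preview"] for f in find_hidden_payloads(p)} for p in pages]
    return set.intersection(*sets) if sets else set()
```

Feed `shared_payloads` the bodies of a handful of requests to random non-existent paths on your own site; a non-empty result means the 404 template itself carries the payload.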

The bottom line

This campaign underscores the continuous evolution of web skimming techniques. The methods are becoming increasingly sophisticated, making detection and mitigation more daunting. Organizations should remain alert to these evolving threats and proactively seek innovative solutions. One effective mitigation is to regularly monitor and audit website resources, ensuring that no unauthorized modifications have been made. Additionally, employing advanced threat detection systems that go beyond static analysis can help in identifying and neutralizing such covert threats.
Cyware Publisher