Wednesday, December 11, 2024

Magento, Woocommerce, WordPress, And Shopify Fall Victim To Web Skimmer Attack

A recent investigation by cybersecurity researchers has uncovered an ongoing web skimmer campaign that bears a resemblance to Magecart attacks. What sets the campaign apart is its use of compromised e-commerce websites as covert command-and-control servers.

The attackers exploit vulnerable sites to host malicious code while maintaining the facade of legitimacy. This method not only jeopardizes site visitors’ personal information and credit card data but also facilitates malware distribution across unsuspecting platforms.

Web security firm Akamai, which uncovered the campaign, identified victims across North America, Latin America, and Europe, highlighting the global scale of this threat. The attackers tried to evade detection with various tactics, including obfuscating the attack using Base64 encoding and mimicking popular third-party services like Google Analytics and Google Tag Manager.

“Attackers employ several evasion techniques during the campaign, including obfuscating [using] Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager,” as reported by Roman Lvovsky, a security researcher at Akamai Security.

The attackers target both legitimate sites, using them as distribution centers for malware, and vulnerable e-commerce websites, where the web skimmers steal sensitive data. Disturbingly, compromised sites unknowingly contribute to the propagation of the malicious code, further widening the impact of the attack.

Akamai’s research reveals that the campaign exploits vulnerabilities in popular digital commerce platforms such as Magento, WooCommerce, WordPress, and Shopify. It demonstrates the ever-expanding array of vulnerabilities that threat actors are capitalizing on.

By leveraging the trust established by reputable websites, this technique creates a smokescreen that complicates identifying and mitigating such attacks. The attackers go to great lengths to evade detection: they disguise the skimmer code as familiar third-party services and use JavaScript code snippets as loaders that retrieve the complete attack code from victim websites. This minimizes their digital footprint and increases their chances of remaining undetected.

The skimmer code, concealed within the compromised sites, is designed to intercept and exfiltrate personally identifiable information (PII) and credit card details via encoded strings sent to servers controlled by the attackers. To avoid redundancy and reduce suspicious network traffic, the script flags browsers to ensure information is stolen only once during checkout.
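A site owner can audit pages for the two evasion techniques described above: scripts named like Google Analytics or Google Tag Manager that are not served by Google, and inline loaders that hide a URL in Base64. The following is an added example, not code from Akamai's report or from the campaign; the function names, the `.example` hosts and the sample page are constructed for illustration, and the check is a heuristic that produces leads for review rather than verdicts.

```javascript
// Heuristic audit of a page's <script> tags (added example, defensive use).
const GOOGLE_HOSTS = new Set(["www.googletagmanager.com", "www.google-analytics.com"]);
// File names and keywords a look-alike script would borrow.
const GOOGLE_LOOKALIKE = /gtm\.js|gtag|analytics\.js|google-analytics|googletagmanager/i;
const BASE64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;

function hostOf(url) {
  try { return new URL(url, "https://page.invalid").hostname; } catch { return null; }
}

// Decode a candidate Base64 literal; return the text only if it is printable ASCII.
function decodePrintable(b64) {
  const text = Buffer.from(b64, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

function auditScripts(html, firstPartyHosts = []) {
  const trusted = new Set([...GOOGLE_HOSTS, ...firstPartyHosts]);
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(scriptTag)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (src) {
      const host = hostOf(src);
      // External script named like GA/GTM but not served from a Google host.
      if (GOOGLE_LOOKALIKE.test(src) && !GOOGLE_HOSTS.has(host))
        findings.push({ type: "lookalike-src", host, detail: src });
      continue;
    }
    // Inline script: decode Base64 string literals and look for hidden URLs.
    for (const [, literal] of body.matchAll(BASE64_LITERAL)) {
      const decoded = decodePrintable(literal);
      const url = decoded && (decoded.match(/(?:https?:)?\/\/[\w.-]+[^\s"']*/) || [])[0];
      if (!url) continue;
      const host = hostOf(url);
      if (!trusted.has(host)) findings.push({ type: "base64-url", host, detail: decoded });
    }
  }
  return findings;
}

// Constructed sample page (not from the campaign): a genuine GTM tag,
// a look-alike on another host, and an inline script hiding a URL in Base64.
const SAMPLE_HTML = `
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.shop-a.example/js/gtm.js"></script>
<script>var u = atob("${Buffer.from("https://shop-b.example/skin/loader.js").toString("base64")}");</script>`;
console.log(auditScripts(SAMPLE_HTML));
```

Pass the store's own hostnames as `firstPartyHosts` to suppress Base64-encoded URLs that point back to the site itself.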

This Magecart-style attack demonstrates the evolving sophistication and evasiveness of cybercriminals in their pursuit of illicit gains. E-commerce websites and their visitors must remain vigilant, implementing robust security measures and promptly patching vulnerabilities to mitigate the risk posed by such campaigns.

 
