Magecart hacker groups have recently launched a covert campaign, targeting popular eCommerce platforms like Magento and WooCommerce. This wave of attacks has ensnared several victims, including major corporations in the food and retail industry.
Magecart attacks are a form of cyber assault where hacker groups utilize online skimming techniques to steal personal data from websites. This often includes customer details and credit card information from platforms that facilitate online payments.
The name “Magecart” stems from their original target—the Magento platform, a key player in providing checkout and shopping cart functionality for retailer sites.
Magecart Cyberattack Campaign Explained
In this recent campaign, the attackers have employed a strange approach. Instead of exploiting vulnerabilities in websites or compromising third-party services, they have directly injected malicious code into the victim’s resources.
This code conceals itself within HTML pages or the website’s first-party scripts. This three-part attack structure—comprising a loader, the main malicious code, and data exfiltration—ensures that the full attack flow is only activated on specifically targeted pages. This makes detection by security tools notably more challenging.
The campaign unfolds in three distinct variations. The first variation includes attackers planting encoded JavaScript loaders on a prominent website. A malformed HTML image tag, laced with an obfuscated Base64-encoded malicious loader, allowed the skimmer to bypass standard security protocols. Once activated, a WebSocket channel is established, enabling communication between the browser and the attacker’s command and control server.
In the next variation, the variant introduced an inline script that mimicked the Facebook Meta Pixel tracking service, but with additional malicious lines. The skimmer retrieved a PNG image from the site’s directory, which had been manipulated to contain malicious code.
In the third variation, the execution of the loader triggered a fetch request to a seemingly harmless path labeled ‘icons’. However, this path did not exist on the website, resulting in a “404 Not Found” error. Closer examination revealed a concealed comment within the returned 404 HTML, containing the string “COOKIE_ANNOT” alongside a lengthy Base64-encoded string. Decoding this string revealed the complete obfuscated JavaScript attack code.
The sage of Magecart cyberattack campaign
Magecart attacks pose a significant threat to online businesses, aiming to pilfer sensitive information, particularly payment card data. Operating within the browser, this malicious code often hides within legitimate code on the retailer’s website, evading conventional security measures.
The impacts of Magecart attacks are far-reaching, encompassing theft of personal information, revenue loss, further infections, and legal and compliance ramifications. These attacks are persistent, with one in five previously infected eCommerce stores being re-infected within days.
This recent Magecart cyberattack campaign highlights the increasing sophistication of web skimming techniques, making detection and mitigation more challenging for security teams, and hampering sensitive data from the organization as well as its users.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
