Cybersecurity platform Akamai’s experts have uncovered a novel and fairly inventive method by which hackers were concealing credit card skimmers on e-commerce websites.
Typically, hackers steal sensitive payment data (credit card numbers, full names, expiration dates, etc.) during the checkout process by hiding malicious code somewhere on the website.
But in this instance, Akamai discovered the malicious code buried in a 404 page of a website.
A 404 page is displayed when a visitor tries to open a page that doesn’t exist, either because the link is broken, the page was moved, or for similar reasons.
Virtually every website on the internet has one. According to Akamai, several websites (mainly Magento and WooCommerce sites) have been compromised with card-stealing malware known as Magecart that is hidden in this way, something that has never been seen before.
These pages include ones that belong to “renowned organizations” in the food and retail industries.
“This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns. The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion,” the report from Akamai stated.
At first, even Akamai’s researchers missed the malware, believing that the skimmer was dormant or that the hackers had misconfigured it.
“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code,” according to the investigators.
“These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it,” the assessment stated further.
Akamai’s researchers discovered two further campaigns: one in which the attackers attempted to conceal the code in the “onerror” attribute of an HTML image tag, and another in which an image binary was modified to resemble the Meta Pixel code snippet.
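A site owner can run the same kind of check against the body their own server returns for a nonexistent path. The following is an added example, not Akamai's code: it flags HTML comments that carry a long encoded run and image tags with an "onerror" handler. The length and entropy thresholds and both sample pages are constructed assumptions.

```python
import base64
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed threshold: a base64-alphabet run this long is not a normal build tag.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=_-]{120,}")
MIN_ENTROPY = 4.0  # assumed cut-off, in bits per character


def shannon_entropy(text):
    """Bits per character; encoded data scores far higher than repeated filler."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


class ErrorPageAuditor(HTMLParser):
    """Collects comments and <img onerror> handlers that merit manual review."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        for run in ENCODED_RUN.findall(data):
            if shannon_entropy(run) >= MIN_ENTROPY:
                self.findings.append(("comment-encoded-blob", len(run)))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "img" and name == "onerror" and value:
                self.findings.append(("img-onerror-handler", len(value)))


def audit_error_page(html):
    """Return (finding, length) tuples in document order for one 404 body."""
    auditor = ErrorPageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages; the blob is harmless bytes 0..255, base64-encoded.
BLOB = base64.b64encode(bytes(range(256))).decode()
CLEAN_404 = "<html><!-- theme build 2023-10 --><body><h1>404</h1></body></html>"
TAMPERED_404 = (f"<html><!-- cache {BLOB} --><body><h1>404</h1>"
                "<img src='/x.png' onerror='void 0'></body></html>")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        print(label, audit_error_page(page))
```

An "onerror" handler is also used legitimately for fallback images, so that finding is a prompt to read the handler, and comparing the 404 body against a known-good copy from version control remains the stronger check.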
This disturbing discovery comes just a week after the ransomware attack on Motel One, where Europe’s leading hotel chain found out about hackers accessing its customer data.
Motel One, which is a low-budget German hotel chain with a prominent presence in Europe and the United States, became the target of a ‘hacker attack’ after unknown perpetrators infiltrated its network with the intent of launching a ransomware attack.
The attackers reportedly accessed customer data. According to Motel One, the data included address information and the details of 150 credit cards.
Motel One was reportedly listed on the dark web leak site of the ALPHV ransomware gang. The group claimed to have stolen several terabytes of customer data from the hotel chain, including employee information.
Motel One, however, claimed that its business operations were “never at risk” due to the incident.
MGM Resorts, which operates hotels and casinos on the Las Vegas Strip, was also reportedly targeted by Scattered Spider, a hacking group believed to be a subgroup of the ALPHV ransomware gang, in 2023.