URL: https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains
Submission: On June 04 via api from IN — Scanned from DE

Form analysis 2 forms found in the DOM

<form role="combobox" aria-expanded="false" aria-haspopup="listbox" aria-labelledby="downshift-0-label">
  <div class="sui-search-box">
    <div class="sui-search-box__wrapper"><input aria-autocomplete="list" aria-labelledby="downshift-0-label" autocomplete="off" id="downshift-0-input" placeholder="Search Akamai.com..." class="sui-search-box__text-input "
        aria-label="Search Akamai.com..." value=""><label></label></div>
  </div>
</form>

<form role="combobox" aria-expanded="false" aria-haspopup="listbox" aria-labelledby="downshift-1-label">
  <div class="sui-search-box">
    <div class="sui-search-box__wrapper"><input aria-autocomplete="list" aria-labelledby="downshift-1-label" autocomplete="off" id="downshift-1-input" placeholder="Search" class="sui-search-box__text-input " aria-label="Search"
        value=""><label></label></div>
  </div>
</form>

Text Content

Twitter LinkedIn Email

Close

Skip to main content
+49-8994006308
+49-8994006308
en
 * English
 * Deutsch
 * Español
 * Français
 * Italiano
 * Português
 * 中文
 * 日本語
 * 한국어


Login
Try Akamai
Under Attack?
Products & Solutions
 * Cloud Computing
 * Compute
 * Containers
 * Storage
 * Databases
 * Networking
 * Developer Tools

 * Security
 * App and API Security
 * Zero Trust Security
 * DDoS Protection
 * Abuse and Fraud Protection

 * Content Delivery (CDN)
 * App and API Performance
 * Media Delivery
 * Edge Compute

 * Solutions by Industry
 * Ecommerce
 * Financial Services
 * Network Operator
 * Public Sector
 * Media
 * All Industries

 * All Products

 * Global Services

Back
Why Akamai
 * Our Platform
 * About Us

Back
Resources
 * Resource Library
 * Infection Monkey
 * Videos
 * Customer Stories
 * Ebooks
 * Product Briefs
 * Reference Architectures
 * Webinars
 * White Papers
 * Security Threat Research

 * Connect
 * Blog
 * Events

 * Learn
 * Learning Hub
 * Developer Hub
 * Internet Visualizations
 * State of the Internet
 * Glossary
 * What Is a CDN?
 * What Is a DDoS Attack?
 * What Is Zero Trust Security?
 * What Is Microsegmentation?

Back
Contact Us
 * Contact Sales
 * Customer Support
 * Get in Touch
 * Akamai Partners

Back
✕
Back


 1. Blog
 2. Security Research
 3. New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others


NEW MAGECART-STYLE CAMPAIGN ABUSING LEGITIMATE WEBSITES TO ATTACK OTHERS

Written by

Roman Lvovsky

June 01, 2023

Roman Lvovsky is a Security Researcher with extensive experience in client-side
threats, browser internals, and JavaScript attack vectors. He is a member of
Akamai's In-Browser Protection Research Team and focuses his research on various
client-side threats, such as web skimming and Magecart attacks. He has a solid
background in software engineering, with a specialization in JavaScript and web
development.

Editorial and additional commentary by Lance Rhodes and Emily Lyons


EXECUTIVE SUMMARY


 * Akamai researchers have discovered and analyzed a new ongoing Magecart-style
   web skimmer campaign, designed to steal personally identifiable information
   (PII) and credit card information from digital commerce websites.

 * Victims have been identified in North America, Latin America, and Europe, and
   they range in size. Some victims are estimated to handle hundreds of
   thousands of visitors per month, potentially putting tens of thousands of
   shoppers’ PII and credit cards at risk of being stolen and abused or sold on
   the dark web.

 * Attackers employ a number of evasion techniques during the campaign,
   including Base64 obfuscation and masking the attack to resemble popular
   third-party services, such as Google Analytics or Google Tag Manager.

 * Notably, attackers “hijack” legitimate websites to act as makeshift command
   and control (C2) servers. These “host victims” act as distribution centers
   for malicious code, unbeknownst to the victim, effectively hiding the attack
   behind a legitimate domain.

 * This attack included the exploitation of Magento, WooCommerce, WordPress, and
   Shopify, demonstrating the growing variety of vulnerabilities and abusable
   digital commerce platforms. 

 * These types of web skimming attacks are becoming increasingly evasive and can
   be difficult to detect, so security practitioners are advised to consider
   using tools and technologies that provide behavioral and anomaly detection of
   in-browser activity.


INTRODUCTION


A new Magecart-style skimmer has been making waves in recent weeks. The key
distinguishing characteristic of this latest campaign is its utilization of
compromised legitimate websites to facilitate the concealment of attacks on
other targeted websites behind their genuine domains.


The primary objective of a Magecart attack is to steal PII and credit card
details from the checkout pages of digital commerce websites. Traditionally,
this type of attack was primarily executed on the Magento digital commerce
platform; however, in this campaign, Akamai researchers were able to identify
exploitation of Magento, WooCommerce, WordPress, and Shopify, demonstrating the
growing variety of vulnerabilities and abusable platforms that are available for
attackers. 

Because these attacks are executed on the client side, they generally cannot
be detected by popular server-side web security controls such as web
application firewalls (WAFs). As a result, Magecart attacks may remain
unnoticed for long periods.

Over the past few weeks, we have identified an active, ongoing campaign,
leveraging sophisticated infrastructure and capabilities to deliver
Magecart-style web skimming attacks, and we have uncovered numerous digital
commerce websites that are victims of this campaign. It is reasonable to assume
that there are additional legitimate websites that have been exploited as part
of this extensive campaign.


A LARGE-SCALE, LONG-TERM ATTACK


Unsurprisingly, this campaign primarily targets commerce organizations. The
scale of the attack, however, is notable. Some victim organizations see hundreds
of thousands of visitors per month. This may result in thousands, even tens of
thousands, of victims of stolen credit card data and PII. 

For many of the victims, the attack has been going unnoticed for close to a
month, increasing the potential for damage. Additionally, Akamai researchers are
observing the campaign’s effects on organizations in the United States, the
United Kingdom, Brazil, Spain, Australia, Estonia, and Peru.  

Web skimming attacks can be very harmful for digital commerce organizations. The
loss of PII and credit card data can be damaging to the organizations’
reputation among other repercussions. Many of the most high-profile Magecart
attacks were undetected for months, if not years. Of the 9,290 digital commerce
domains that underwent Magecart attacks in 2022, there were 2,468 that remained
actively infected at the close of that year, making it a formidable threat for
commerce organizations.


THE HACK BEFORE THE HACK — SETTING UP THE ATTACK INFRASTRUCTURE


One of the most notable parts of the campaign is the way the attackers set up
their infrastructure to conduct the web skimming campaign. Before the campaign
can start in earnest, the attackers will seek vulnerable websites to act as
“hosts” for the malicious code that is used later on to create the web skimming
attack. 

Rather than using the attackers’ own C2 server to host malicious code, which may
be flagged as a malicious domain, attackers hack into (using vulnerabilities or
any other means at their disposal) a vulnerable, legitimate site, such as a
small or medium-sized retail website, and stash their code within it. In this
way, the attackers create a seemingly healthy host for their malicious code, and
can deliver it to any victim they choose.

In essence, this campaign creates two sets of victims.

 1. Host victims: These are legitimate websites that are hijacked for the
    purpose of hosting the malicious code used in the attack. The attackers will
    then use these sites to deliver their code during an attack. Since these
    sites normally operate as legitimate businesses, they are less likely to
    raise suspicion when connecting to a victim. These sites then act as part of
    the infrastructure for the attack, essentially behaving as an
    attacker-controlled server. The intention is to conceal the malicious
    activity behind a domain with a good reputation.
 2. Web skimming victims: These are vulnerable commerce websites that are
    targeted with a Magecart-style web skimming attack by the attackers. Instead
    of directly injecting the attack code into the website's resources, the
    attackers employ small JavaScript code snippets as loaders to fetch the full
    attack code from the host victim website, allowing them to more effectively
    conceal the majority of the malicious code used in the attack.

Although it is unclear how these sites are being breached, based on our recent
research from similar, previous campaigns, the attackers will usually look for
vulnerabilities in the targeted websites’ digital commerce platform (such as
Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party
services used by the website. 

Akamai researchers observed a small number of websites serving as the host
victims. All of these websites appear to be commerce websites. In some cases,
the exploited host websites appear to be abused twice. First, they are used as
hosts for malicious code, as previously mentioned. Second, they themselves are
subjected to a Magecart-style web skimming attack, enabling the theft of user
information. Not only were they compromised and subjected to data theft by the
injected code, but they also unwittingly served as a vehicle for spreading the
skimmer's malicious activities to other vulnerable websites. 


TAKING ADVANTAGE OF ESTABLISHED REPUTATIONS AND INHERENT TRUST


During our investigation, we’ve also uncovered some sites that we believe might
be fake, possibly created by the attacker. These seem to operate as phishing
websites, mimicking small retail stores, using domains that closely resemble
those of the original legitimate sites. 

The practice of using exploited domains from legitimate websites provides the
attacker with several advantages when it comes to concealing their malicious
activities. By hiding behind domains that have established reputations and
positive associations, the skimmer creates a smokescreen that makes it
increasingly difficult to identify and respond to the attack.

One of the primary advantages of utilizing legitimate website domains is the
inherent trust that these domains have built over time. Security services and
domain scoring systems typically assign higher trust levels to domains with a
positive track record and a history of legitimate use. As a result, malicious
activities conducted under these domains have an increased chance of going
undetected or being treated as benign by automated security systems.

We are unable to disclose the domains of the legitimate websites that were
exploited and used to host attacks on other targeted websites since disclosure
requires the organizations’ confirmation and cooperation.


HIDING IN PLAIN SIGHT — LOADING THE MALICIOUS CODE ONTO VICTIM WEBSITES


Once the infrastructure is set, attackers will look for targets with vulnerable
digital commerce platforms or vulnerable third-party services in order to inject
the web skimmer code. The attacker employs a clever technique by injecting an
inline JavaScript code snippet (meaning a script that is embedded inside the
HTML, not loaded from an external file) into the pages of exploited websites.
This snippet serves as a loader, fetching the complete malicious code from the
host websites that were set up in the earlier stage.

Notably, the structure of the injected snippet is intentionally designed to
resemble popular third-party services such as Google Tag Manager or Facebook
Pixel. This approach has gained popularity among web skimming campaigns in
recent years, as it helps the malicious code blend in seamlessly, disguising its
true intentions. 

Furthermore, to obfuscate the URL of the exploited websites hosting the full
attack code, the skimmer utilizes Base64 encoding (Figure 1). This technique has
become widely favored among skimmers as it effectively masks the origins and
purpose of the code.

Fig. 1: Malicious JavaScript code snippet that impersonates a Google Analytics
snippet and is used as a loader of the attack

In doing this, the attacker employs three methods of avoiding detection. 

 1. Obfuscate the domain used in the attack 

 2. Cleverly mask the loader as a legitimate third-party script or vendor

 3. Reduce the amount of malicious code that needs to be injected into the page
    by pulling the majority of the code from other sources, which greatly
    reduces the chance that the code will be discovered

Once the loader is injected, any user who attempts to check out from the web
skimming victim website will have their personal details and credit card
information stolen and sent out to the attackers’ C2 server. 


ANALYZING THE CODE — OBFUSCATED MAGECART ATTACK


During our examination, we identified two distinct variations of the skimmer
code. 

The initial variation exhibited a high level of obfuscation, resulting in
increased complexity when we attempted to decipher its flow and logical
structure. The attacker employs obfuscation as a tactic to interfere with
debugging and research, deliberately making it challenging to comprehend the
precise sequence of the attack.

Obfuscating malicious code is a widely adopted practice among diverse web
skimming attacks, and it has gained increased popularity across numerous
campaigns in recent years (Figure 2).

Fig. 2: Malicious code — variation 1

After decoding the Base64 strings embedded within the obfuscated code, we
discovered a list of Cascading Style Sheets (CSS) selectors. These selector
names explicitly indicated that the skimmer targeted input fields responsible
for capturing PII and credit card details. 

The presence of these CSS selectors within the decoded code provides absolute
evidence of the skimmer's malicious intent. By specifically targeting input
fields used for gathering sensitive user data, the skimmer's objectives become
clear: to intercept and exfiltrate PII and credit card details for illegal
purposes. It also hints at a level of intelligence gathering; for these input
fields to match, the attacker needs to “tailor” the code to each victim (Figure
3).

Fig. 3: Decoded sensitive field names targeted by the skimmer

The second variation of the malicious code discovered in this campaign exhibited
less obfuscation, rendering it more comprehensible and easier to analyze. Like
the first variation, the strings that could potentially expose the code's
intentions were Base64 encoded, allowing us to readily decipher their meaning
(Figure 4).

What makes the second variation interesting is the presence of certain
indicators within the code; these indicators served as valuable clues, aiding us
in the identification of additional victim websites and instances associated
with this campaign. 

Fig. 4: Malicious code — variation 2
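The loader and the decoded selectors described above share one static tell: quoted string literals that are canonical Base64 and decode to either a URL (the hidden host) or a CSS selector aimed at checkout fields. The following is an added example, not code from the Akamai post; it triages the inline scripts of a page for both signals. The sample HTML, the host `host-victim.example` and the field selectors are constructed placeholders, and the look-alike snippet in the sample only holds encoded strings.

```javascript
// Added example (not code from the Akamai post): static triage of inline <script>
// blocks for the two Base64 tells the post describes. Sample HTML and hostnames are
// constructed placeholders; the look-alike loader below only holds encoded strings.

const GOOGLE_TAG_HOSTS = new Set(['www.googletagmanager.com', 'www.google-analytics.com']);
const TAG_MANAGER_LOOKALIKE = /gtm|googletagmanager|google-analytics|dataLayer|fbq/i;
const SELECTOR_SHAPE = /^([#.\[]|input\b|select\b|textarea\b)/i;
const SENSITIVE_FIELD_WORDS = /card|cc[-_]?(num|cvv|cvc|csc|exp)|cvv|cvc|expir|billing|phone|email|address|postal|zip/i;

// Text of every <script> without a src attribute (inline scripts only).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// Quoted string literals that are canonical Base64 and decode to printable ASCII.
function decodedBase64Literals(js) {
  const found = [];
  const re = /["']([A-Za-z0-9+/]{12,}={0,2})["']/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    const raw = m[1];
    if (raw.length % 4 !== 0) continue;
    const text = Buffer.from(raw, 'base64').toString('utf8');
    // Round-trip plus printable checks reject identifiers that merely look like Base64.
    if (Buffer.from(text, 'utf8').toString('base64') !== raw) continue;
    if (/^[\x20-\x7e]+$/.test(text)) found.push(text);
  }
  return found;
}

// Classify each decoded literal: a URL to a non-Google host, or a selector for a sensitive field.
function triageInlineScript(js) {
  const findings = [];
  const lookalike = TAG_MANAGER_LOOKALIKE.test(js);
  for (const text of decodedBase64Literals(js)) {
    let url = null;
    try { url = new URL(text.startsWith('//') ? 'https:' + text : text); } catch (_) { /* not a URL */ }
    if (url && /^https?:$/.test(url.protocol)) {
      if (!GOOGLE_TAG_HOSTS.has(url.hostname)) {
        findings.push({ kind: 'hidden-host', value: url.hostname, lookalike });
      }
    } else if (SELECTOR_SHAPE.test(text) && SENSITIVE_FIELD_WORDS.test(text)) {
      findings.push({ kind: 'sensitive-selector', value: text, lookalike });
    }
  }
  return findings;
}

function triagePage(html) {
  return inlineScripts(html).flatMap(triageInlineScript);
}

// Constructed sample: a genuine gtag loader (external, Google host) next to an
// inline look-alike that names its host and target fields only in Base64 form.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date());
</script>
<script>
  var gtm_src = atob('${b64('https://host-victim.example/assets/analytics.js')}');
  var gtm_fields = ['${b64('#card_number')}', '${b64('input[name=cc_cvv]')}', '${b64('#billing_email')}'];
</script>`;

console.log(JSON.stringify(triagePage(SAMPLE_HTML), null, 2));
```

Run against the sample, the genuine gtag block yields nothing, while the look-alike yields one `hidden-host` finding for `host-victim.example` and three `sensitive-selector` findings, each tagged `lookalike: true` because the surrounding script borrows tag-manager vocabulary. The host finding is the one to act on first: comparing it against the site's expected script origins separates a hijacked "host victim" from a legitimate vendor.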


EXFILTRATING THE STOLEN DATA


The process of exfiltrating the stolen data is executed through a
straightforward HTTP request, which is initiated by creating an IMG tag within
the skimmer code. The stolen data is then appended to the request as query
parameters, encoded as a Base64 string (Figure 5).

To obfuscate the transmitted data, the skimmer encodes it as a Base64 string.
This encoding technique provides a layer of disguise, making it more challenging
for security systems and network monitoring tools to identify that sensitive
information is being exfiltrated. Once the Base64-encoded data reaches the
attacker's server, it can be easily decoded to its original format, exposing the
stolen PII and credit card details.

Exfiltration will only happen once for each user going through checkout. Once a
user’s information is stolen, the script will flag the browser to ensure it
doesn’t steal the information twice (to reduce suspicious network traffic). This
further increases the evasiveness of this Magecart-style attack.


Fig. 5: Data exfiltration using IMG tag, which initiates an HTTP request to the
skimmer’s C2 with Base64 encoded query parameters
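The exfiltration shape described above (an image request to an unexpected host whose query string carries a Base64 blob of checkout data) can be triaged from outbound request logs without any knowledge of the skimmer itself. The following is an added example, not code from the Akamai post; it decodes each query parameter of each request to a host outside an expected set and flags those whose decoded text contains a Luhn-valid card number. The request list, the hosts `shop.example`, `other-cdn.invalid` and `c2-placeholder.invalid`, and the checkout record are constructed; 4111111111111111 is the public Visa test number.

```javascript
// Added example (not code from the Akamai post): triage of outbound request URLs (for
// example from a proxy log or browser network export) for the exfiltration shape the
// post describes. Hosts and the request list are constructed placeholders.

const EXPECTED_HOSTS = new Set(['shop.example', 'cdn.shop.example', 'www.google-analytics.com']);

// Luhn check, used to tell a card number from other long digit runs (order ids, timestamps).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function containsCardNumber(text) {
  return (text.match(/\d{13,19}/g) || []).some(luhnValid);
}

// Decode a query value as Base64 (standard or URL-safe alphabet, padding optional).
// URLSearchParams turns '+' into a space, so it is put back before decoding.
function decodeBase64Param(value) {
  const norm = value.replace(/ /g, '+').replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  if (norm.length < 8 || !/^[A-Za-z0-9+/]+$/.test(norm)) return null;
  const padded = norm + '='.repeat((4 - (norm.length % 4)) % 4);
  const text = Buffer.from(padded, 'base64').toString('utf8');
  return /^[\x20-\x7e\s]+$/.test(text) ? text : null;
}

// Returns a finding for a request to an unexpected host carrying an encoded card number.
function triageRequest(urlString) {
  const url = new URL(urlString);
  if (EXPECTED_HOSTS.has(url.hostname)) return null;
  for (const [key, value] of url.searchParams) {
    const text = decodeBase64Param(value);
    if (text !== null && containsCardNumber(text)) {
      return { host: url.hostname, param: key, decoded: text };
    }
  }
  return null;
}

function triageAll(urls) {
  return urls.map(triageRequest).filter(Boolean);
}

// Constructed checkout record and request list. The last URL has the shape the post
// describes: an image fetch whose single query parameter is the Base64 of the record.
const STOLEN_RECORD = 'name=Jane Doe&cc=4111111111111111&cvv=123&exp=12/27&email=jane@example.com';
const SAMPLE_REQUESTS = [
  'https://cdn.shop.example/img/pixel.gif?v=3',
  'https://www.google-analytics.com/collect?v=1&tid=UA-PLACEHOLDER&t=pageview',
  'https://other-cdn.invalid/banner.png?id=' + Buffer.from('campaign=summer&order=20230601', 'utf8').toString('base64'),
  'https://c2-placeholder.invalid/i.gif?d=' + Buffer.from(STOLEN_RECORD, 'utf8').toString('base64'),
];

console.log(JSON.stringify(triageAll(SAMPLE_REQUESTS), null, 2));
```

Only the request to `c2-placeholder.invalid` is reported; the unexpected but harmless `other-cdn.invalid` request decodes cleanly yet carries no Luhn-valid number, which keeps noise down on sites that legitimately pass encoded state to third parties. Because the post notes the skimmer exfiltrates once per shopper, a single such request per session is the expected volume, so the check has to run on every request rather than on traffic thresholds.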


SECURITY RECOMMENDATIONS AND MITIGATIONS


To plant a web skimmer, attackers will need to get initial access to the server
either by exploiting a vulnerability or by abusing one of the existing
third-party scripts. To prevent this initial access to the server, security
practitioners are advised to keep up with the most recent patches and complement
them by implementing a WAF.

However, the complexity, deployment, agility, and distribution of current web
application environments — and the various methods attackers can use to install
web skimmers — require more dedicated security solutions, which can provide
visibility into the behavior of scripts running within the browser and offer
defense against client-side attacks.

An appropriate solution must move closer to where the actual attack on the
clients occurs. It should be able to successfully identify the attempted reads
from sensitive input fields and the exfiltration of data (in our testing we
employed Akamai Page Integrity Manager). We recommend that these events are
properly collected in order to facilitate fast and effective mitigation.
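One of the in-browser signals named above, a script reading the value of a sensitive checkout field, can be observed by wrapping the `value` accessor that every input inherits. The following is an added example and is not Akamai Page Integrity Manager code or any product's implementation; `installValueReadMonitor()` is written against any prototype exposing a `value` accessor so that it can be exercised outside a browser with the constructed fake prototype below, and in a page it would be installed on `HTMLInputElement.prototype`. Field names, autocomplete values and the reports' shape are assumptions.

```javascript
// Added example (not Akamai's product code): a minimal in-page monitor for one of the
// signals the recommendation names, a script reading a sensitive checkout field.
// The fake prototype and field names below are constructed for demonstration.

const SENSITIVE_AUTOCOMPLETE = new Set(['cc-number', 'cc-csc', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-name']);
const SENSITIVE_NAME = /card|cc[-_]?(num|cvv|cvc|csc|exp)|cvv|cvc|security[-_]?code/i;

function isSensitiveField(el) {
  if (SENSITIVE_AUTOCOMPLETE.has(String(el.autocomplete || '').toLowerCase())) return true;
  return SENSITIVE_NAME.test(el.name || '') || SENSITIVE_NAME.test(el.id || '');
}

// The frame just below the getter is the code that asked for the value.
function readerFromStack(stack) {
  const frames = String(stack || '').split('\n').slice(1).map((s) => s.trim());
  return frames[1] || frames[0] || 'unknown';
}

// Wrap the `value` getter on proto; every read of a sensitive field is reported with
// the reading frame and the value's length, never the value itself.
// Returns a function that restores the original accessor.
function installValueReadMonitor(proto, report) {
  const original = Object.getOwnPropertyDescriptor(proto, 'value');
  if (!original || typeof original.get !== 'function') throw new Error('prototype has no value accessor');
  Object.defineProperty(proto, 'value', {
    configurable: true,
    enumerable: original.enumerable,
    get() {
      const v = original.get.call(this);
      if (isSensitiveField(this)) {
        report({
          field: this.name || this.id || '(unnamed)',
          length: String(v == null ? '' : v).length,
          reader: readerFromStack(new Error().stack),
        });
      }
      return v;
    },
    set(v) { original.set.call(this, v); },
  });
  return () => Object.defineProperty(proto, 'value', original);
}

// Stand-in for HTMLInputElement.prototype so the monitor can run in Node.
function makeFakeInputPrototype() {
  const proto = {};
  Object.defineProperty(proto, 'value', {
    configurable: true,
    enumerable: true,
    get() { return this._v === undefined ? '' : this._v; },
    set(v) { this._v = String(v); },
  });
  return proto;
}

// Exercise the monitor over two constructed fields; returns the reports it produced.
function demo() {
  const proto = makeFakeInputPrototype();
  const reports = [];
  const uninstall = installValueReadMonitor(proto, (r) => reports.push(r));
  const card = Object.assign(Object.create(proto), { name: 'cc_number', autocomplete: 'cc-number' });
  const search = Object.assign(Object.create(proto), { name: 'q' });
  card.value = '4111111111111111'; // public Visa test number
  search.value = 'shoes';
  void card.value;   // sensitive read: reported
  void search.value; // ordinary read: not reported
  uninstall();
  void card.value;   // monitor removed: not reported
  return reports;
}

if (typeof HTMLInputElement !== 'undefined') {
  installValueReadMonitor(HTMLInputElement.prototype, (r) => console.warn('sensitive field read', r));
}
console.log(demo());
```

The report carries the reading frame and the value's length but not the value, so the telemetry itself never becomes a second copy of the card data. The monitor has to be the first script to execute on the page to see the original accessor, and it observes only this one read path; a production tool of the kind the text recommends also watches the listeners attached to those fields, the requests used to leave the page (the IMG request analyzed earlier), and the provenance of each script that does either.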


CONCLUSION


This campaign serves as a reminder that web skimming remains a critical security
threat, with malicious actors constantly evolving their tactics to conceal their
activities and make detection more challenging. The new script security
requirements outlined in PCI DSS v4.0 also echo this statement, now requiring
any organization that processes payment cards online to have mechanisms in place
to detect and respond to these types of attacks. 

The primary solution for effectively combating web skimming lies in the
utilization of tools and technologies that provide behavioral and anomaly
detection, such as Akamai Page Integrity Manager. Traditional static analysis
tools prove inadequate in countering web skimmers, as they continually modify
their methods and employ increasingly sophisticated techniques that can evade
static analysis.

We can expect to encounter similar campaigns intermittently, as this
cat-and-mouse game is likely to persist. As the battle between defenders and
attackers in the realm of web skimming continues, it is crucial to stay
proactive and invest in innovative security measures. By adopting advanced
detection technologies that adapt to changing attack vectors, organizations can
better safeguard their online platforms, protect user data, and maintain the
trust of their customers. Continued research, collaboration, and vigilance are
essential in the ongoing fight against web skimming threats.

The Akamai Security Intelligence Group will continue to monitor this activity
and provide valuable insights to our customers and the community at large. For
more real-time information on vulnerabilities and other breaking security
research, follow us on Twitter.


IOCS


Exfiltration domains:

 * byvlsa[.]com
 * chatwareopenalgroup[.]net

©2023 Akamai Technologies
