Magecart campaign abuses 404 pages.
By Tim Nodar, CyberWire senior staff writer
Oct 10, 2023

Have you looked at what those 404 pages are up to lately?

Researchers at Akamai have discovered a Magecart web skimming campaign that’s been targeting Magento and WooCommerce websites for the past few weeks. 

Starting points of the current Magecart operations.

The researchers note, “Magecart attacks typically begin by exploiting the vulnerabilities in the targeted websites or by infecting the third-party services that these websites are using. In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources. In some instances, the malicious code was inserted into the HTML pages; in other cases, it was concealed within one of the first-party scripts that was loaded as part of the website.”

Notably, the attackers used the websites’ default 404 error pages to conceal the malicious code.

Why it makes criminal sense to hide malware in a 404 page.

As Erich Kron, security awareness advocate at KnowBe4, pointed out, who actually reads 404 error pages closely?

“This is a very clever tactic as most website operators and even threat researchers rarely ever look at the default 404 error page which is served up when a link is broken or a web page does not exist. By working itself into the 404 page, the attackers have a good chance of flying below the radar with their modified code, as traditionally these pages are simply ignored by most due to their relative simplicity and the fact they are so common. Even when consumers reach one of these pages, they typically just assume that there is a bad link on the website but are almost never going to relate this to a potential attack.

“For organizations that use Magecart, it is important to ensure that their 404 error pages have not been modified and that they apply any patches available to counter this threat as soon as possible.”
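
One way to check that a 404 error page has not been modified, as an added example that is not from Akamai, KnowBe4 or the article: compare the script content of the 404 page a site currently serves against a known-good copy of the template. The sample pages, the example.invalid URL and the function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed samples: a known-good 404 template and an altered served copy.
BASELINE_404 = """<html><head><script src="/static/theme.js"></script></head>
<body><h1>404 Not Found</h1></body></html>"""
SERVED_404 = BASELINE_404.replace("</body>", """
<script src="https://cdn.example.invalid/a.js"></script>
<script>/* constructed placeholder for unexpected inline code */</script></body>""")

class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline code."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._buf = None  # list while inside <script>, else None

    def _add_inline(self, code):
        if code and code.strip():
            self.inline.add(hashlib.sha256(code.strip().encode()).hexdigest())

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "script" and name == "src" and value:
                self.external.add(value)
            elif name.startswith("on"):  # inline handlers such as onerror
                self._add_inline(value)
        if tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self._add_inline("".join(self._buf))
            self._buf = None

def script_inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline

def diff_404(baseline_html, served_html):
    """Return script content in the served 404 page that the baseline lacks."""
    base, cur = script_inventory(baseline_html), script_inventory(served_html)
    return {"new_external": sorted(cur[0] - base[0]),
            "new_inline_sha256": sorted(cur[1] - base[1])}
```

In practice the served copy would come from requesting a path that does not exist on the site, and any non-empty result is a change to review against the deployment history.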