The group operating the Magecart malware has surprised security experts once again.
A report compiled this week by Roman Lvovsky, an Israeli security researcher at Akamai Technologies, brought to light three new obfuscation techniques being adopted by cybercriminals.
Magecart is a malicious actor that has been infecting e-commerce sites for years, especially those that use Magento and WooCommerce. It also made headlines last September, when it was behind a massive campaign in the United States.
The malware uses a loading phase to insert its code directly into web server pages. Subsequent phases are used to steal data such as customers' credit card numbers and passwords.
One of the techniques is new and has never been seen before, at least according to Lvovsky, who candidly stated that “It really surprised us”.
The first-phase loader is disguised as a piece of Meta Pixel code, the legitimate Facebook tracking system and widely used advertising tracking service. By its nature, this piece of code easily evades malware scanning tools.
How Magecart exploits 404 error pages to infect as many computers as possible
What makes this technique dangerous is that the subsequent steps appear to call the 404 error page. Although this page is a familiar frustration for web visitors when a page is missing, here it contains a hidden piece of malware. “Initially there was confusion and we wondered if the skimmer was no longer active on the victim websites we found,” wrote Lvovsky.
A closer look at the 404 page revealed that the actual attack code was hidden in a comment string. What Lvovsky discovered was that the attacker had altered the default 404 error page script so that any website error would invoke the infected page. This strategy shows a certain cunning on the part of Magecart's operators.
One reason for this malware's resilience is that its operators continually evolve their attack methods, becoming more sophisticated and dangerous as they find better evasion techniques. In short, for web users, even a 404 error page can now be very dangerous.
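A site owner can check their own 404 page for this pattern by pulling every HTML comment out of the response and flagging any whose body looks like an encoded or executable payload. The script below is an added example written for this article, not code from Akamai's report; the marker name, the encoded blob and the sample 404 page are all constructed placeholders, and the heuristics (a long base64-style run, or decoding/execution tokens) are an assumption about what a hidden stage tends to look like.

```python
import re
from html.parser import HTMLParser

# Heuristics for payload-like comment bodies: a long run of base64-style
# characters, or tokens typical of a decoding/execution stage (assumed).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
JS_TOKENS = re.compile(r"\b(eval|atob|unescape|fromCharCode|document\.write)\b")


class CommentCollector(HTMLParser):
    """Collects the body of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    return parser.comments


def is_suspicious_comment(text):
    """True when a comment body looks like an encoded or executable payload."""
    return bool(B64_RUN.search(text) or JS_TOKENS.search(text))


def scan_404_page(html):
    """Return the comment bodies of a served 404 page that warrant review."""
    return [c for c in extract_comments(html) if is_suspicious_comment(c)]


# Constructed sample: a 404 page whose only oddity is one comment carrying
# an encoded blob behind a placeholder marker (not a real indicator).
ENCODED_BLOB = "QUJDREVG" * 15  # 120 base64-style characters, constructed
INFECTED_404 = f"""<html><head><title>404 Not Found</title></head>
<body><h1>Page not found</h1>
<!-- theme footer v2 -->
<!-- PLACEHOLDER_MARKER:{ENCODED_BLOB} -->
</body></html>"""

# The same page with the injected comment removed, for comparison.
CLEAN_404 = INFECTED_404.replace(f"<!-- PLACEHOLDER_MARKER:{ENCODED_BLOB} -->\n", "")

if __name__ == "__main__":
    for hit in scan_404_page(INFECTED_404):
        print("review:", hit[:60])
```

In practice, feed it the body of a request for a path that does not exist on your own site and review every flagged comment by hand.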