In a disconcerting revelation, cybersecurity researchers have recently uncovered an ongoing web skimmer campaign reminiscent of the notorious Magecart attacks. This sophisticated operation targets e-commerce websites running on popular platforms like Magento, WooCommerce, WordPress, and Shopify. Distinct from previous Magecart campaigns, this assault utilizes compromised websites as makeshift command-and-control servers, allowing the attackers to distribute malicious code discreetly while remaining undetected by their victims.
Unveiling the Campaign
Leading web security firm Akamai has identified victims of varying sizes across North America, Latin America, and Europe, indicating the widespread threat posed by this web skimmer attack. Thousands of site visitors find themselves at risk of having their personally identifiable information (PII) and credit card data harvested and sold on the illicit market for profit.
Stealth Tactics and Evasion Techniques
The attackers employ a multitude of evasion techniques throughout the campaign, making it challenging for security systems to detect their activities. By employing tactics such as Base64 obfuscation and masking the attack to mimic popular third-party services like Google Analytics or Google Tag Manager, the perpetrators further enhance their covert operation. This strategic use of deception allows them to exploit vulnerable legitimate websites discreetly.

Leveraging the Reputation of Legitimate Sites
The modus operandi of this web skimmer attack is to breach vulnerable legitimate websites and covertly host the skimmer code within them. By exploiting the good reputation and trust established by these genuine domains, the attackers gain an unfair advantage. Remarkably, some attacks have been ongoing for nearly a month, underscoring the persistence and sophistication of the threat.
Dual Victims of the Attack
As a result of these attacks, two types of victims emerge. First, legitimate sites that have been compromised unwittingly serve as distribution centers for malware, unknowingly infecting other vulnerable websites. Second, the vulnerable e-commerce websites themselves become the primary targets of the skimmers, putting their customers’ sensitive data at risk.
Challenges Faced in Identifying and Combating the Attacks
The attackers capitalize on the established trust that these websites have garnered over time, creating a smokescreen that makes it arduous to identify and respond to the ongoing attacks. Moreover, the campaign employs several other covert methods to evade detection. For instance, the skimmer code is camouflaged as third-party services such as Google Tag Manager or Facebook Pixel, effectively concealing its true intentions. Additionally, JavaScript code snippets serve as loaders, minimizing the footprint and reducing the likelihood of detection by fetching the full attack code from the host victim website.
The Skimmer’s Operation and Exfiltration
The obfuscated skimmer code exists in two different variants and is designed to intercept and exfiltrate PII and credit card details encoded as a string over an HTTP request to a server controlled by the malicious actors. Notably, exfiltration occurs only once for each user during the checkout process. To avoid suspicious network traffic, the script ensures that the user’s information is not stolen twice, increasing the evasiveness of this Magecart-style attack.
The discovery of this sophisticated web skimmer attack targeting popular e-commerce platforms highlights the ever-evolving landscape of cyber threats. With attackers exploiting vulnerable websites as distribution centers for malware and directly targeting e-commerce platforms, the need for robust security measures is paramount. Organizations and website owners must remain vigilant, adopt best practices in cybersecurity, and ensure the implementation of timely security patches and updates to mitigate the risk posed by such attacks.
Original article at: https://thehackernews.com/2023/06/magento-woocommerce-wordpress-and.html