New Magecart Campaign Modifies 404 Error Page to Steal Visitor Information

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer

Researchers have discovered a novel web skimming campaign designed to steal personally identifiable information (PII) and credit card information from visitors to ecommerce websites.

Discovered by Akamai Security Intelligence Group researchers, the campaign primarily targets Magento and WooCommerce websites, including online sites of some large organizations in the food and retail sectors.

This Magecart-style skimming campaign hides malicious code inside the default 404 error pages to avoid detection and successfully deploy malware to steal financial information. “This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns,” the Akamai report revealed.

The campaign follows the usual Magecart attack technique, exploiting vulnerabilities in the targeted host’s digital ecommerce website or the third-party services used by it to inject the skimming malware code.

The campaign is divided into three main parts: loader, malicious attack code, and data exfiltration. “The purpose of separating the attack into three parts is to conceal the attack in a way that makes it more challenging to detect,” the report continued.

While analyzing the campaign, Akamai found three variations of this attack. Two were very similar, with only a slight difference in the loader part. The loader component either disguised itself as a Meta Pixel code snippet or hid inside an existing inline script present on the targeted website.

Upon execution, this loader skimmer sends a fetch request to a relative path called ‘icons,’ which does not exist, leading to a ‘404 Not Found’ error page.

Further investigation of the 404 page revealed a hidden comment containing the string “COOKIE_ANNOT.” Next to it was a long Base64-encoded string containing the entire obfuscated JavaScript attack code. This is used to execute the attack and steal sensitive information uploaded by the user.

“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code. These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it,” Akamai revealed.
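An added example, not taken from the Akamai report or the original article: a defender-side check that scans an error-page body for HTML comments carrying a long, decodable Base64 run, the concealment pattern described above. The sample pages, the 80-character threshold and the script-token heuristic are assumptions constructed for illustration.

```python
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
CAMPAIGN_MARKER = "COOKIE_ANNOT"  # string reported in the 404 page comment
# Assumed heuristic: tokens suggesting the decoded bytes are script.
JS_HINTS = ("function", "eval(", "document.", "window.", "atob(")


def scan_error_page(html, min_run=80):
    """Flag HTML comments that carry a long, decodable Base64 run."""
    run_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    findings = []
    for comment in COMMENT_RE.findall(html):
        for run in run_re.findall(comment):
            padded = run + "=" * (-len(run) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid Base64, so not an encoded payload
            text = decoded.decode("utf-8", errors="replace")
            findings.append({
                "has_campaign_marker": CAMPAIGN_MARKER in comment,
                "encoded_len": len(run),
                "looks_like_script": any(h in text for h in JS_HINTS),
            })
    return findings


# Constructed sample data: an inert stand-in script, not code from the campaign.
INERT_JS = "function placeholder(){ return document.title; } /* inert */ " * 2
BLOB = base64.b64encode(INERT_JS.encode()).decode()
SAMPLE_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    "<!-- " + CAMPAIGN_MARKER + " " + BLOB + " -->\n"
    "</body></html>"
)
CLEAN_404 = "<html><body><!-- default error template --><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_404), ("clean", CLEAN_404)):
        print(name, scan_error_page(body))
```

Running it over the bodies returned for several nonexistent paths, as the researchers did, shows whether the site-wide error template itself carries an encoded payload.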

The attackers also used the common exfiltration technique of injecting fake forms to steal personal and credit card information.

With the growing sophistication of web skimming attacks, it’s essential to remain vigilant when entering personal details on websites.

Air Europa Cyberattack Exposes Customer Payment Card Information

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer

Spain’s third-largest airline, Air Europa, warned customers in an email about the theft of their payment card information following a recent data breach incident.

“In accordance with this commitment, we inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data,” the email said. This email was sent in both Spanish and English and was shared by impacted customers on their X (formerly Twitter) accounts.

The payment information revealed in the breach included card numbers, expiration date, and the three-digit CVV (Card Verification Value) code. The Mallorca-based airline urged customers to cancel the payment system (credit/debit card) used for booking on its website.

It warned customers about possible attempts at fraud and card spoofing, advising them not to share their personal information, PIN, or any other sensitive data over phone, email, or messages, and to be vigilant about any fraudulent transaction involving their bank cards.

The email did not reveal any details about the incident, such as the date of the breach, the number of impacted customers, or when it was first detected by Air Europa. However, the airline did state that no other personal information was accessed by the threat actors, and that it had taken the necessary remediation measures to prevent similar security breaches in the future.

It had secured its systems and informed the relevant authorities, such as the Spanish Data Protection Agency (AEPD), the Spanish National Cybersecurity Institute (INCIBE), banks, etc. “From the first moment we have put all our resources to contain the incident, adopting all the necessary technical and organizational measures,” the email said.

This is not the first time that the airline has suffered such a mishap. In 2021, it was fined €600,000 by the Spanish Data Protection Agency for failing to notify the authorities and customers about a data breach involving customers’ financial and contact information.