SOCRadar® Cyber Intelligence Inc. | A malicious code found: New Magecart Campaign That’s Abusing 404 Pages


Oct 26, 2023
4 Mins Read

A malicious code found: New Magecart Campaign That’s Abusing 404 Pages

Magecart is a term used to describe a type of cyberattack that targets online retailers by injecting malicious code into their websites and stealing customers’ payment information and other personal data. Magecart attacks can have serious consequences for both the businesses and the consumers, such as revenue loss, legal damages, identity theft, and fraud.

How Does Magecart Work?

magecart attack

Magecart attacks typically follow a three-step process:

Gain access to the website: The attackers can either break into the website’s server and place the skimming code there, or they can compromise a third-party vendor that provides services or scripts to the website and infect their code with the skimmer.

Skim sensitive information from a form: The skimming code is usually some form of obfuscated JavaScript that listens for personal information and collects it from the checkout page or other forms where users enter their credentials.

Send information back to their server: The skimming code then sends the stolen information from the users’ browsers to a remote server controlled by the attackers, where they can use it for fraudulent purposes.

What are Some Examples of Magecart Attacks?

Magecart attacks have been around for several years, but they have become more prevalent and sophisticated in recent times. Some of the notable victims of Magecart attacks include:

British Airways: In 2018, Magecart hackers stole the personal and payment data of about 380,000 customers who booked flights on the airline’s website or app. The attackers injected a 22-line script into the website’s payment page that captured the data and sent it to a domain registered by them. The attack resulted in a fine of £183 million for British Airways by the UK’s data protection authority.

Ticketmaster: In 2018, Magecart hackers compromised a third-party chatbot provider called Inbenta that was used by Ticketmaster on its website. The hackers modified Inbenta’s script to include a skimmer that stole the payment data of about 40,000 customers who bought tickets on Ticketmaster’s website. The attack resulted in a fine of £1.25 million for Ticketmaster by the UK’s data protection authority.

Newegg: In 2018, Magecart hackers injected a skimmer into Newegg’s payment page that stole the payment data of about 50 million customers who shopped on the online retailer’s website. The attackers used a domain name that resembled Newegg’s to avoid detection


Segway: In 2022, Magecart hackers hid a skimmer in an image that loaded on Segway’s payment page in users’ browsers. The image was encoded in base64 and had a width and height of zero, making it invisible to the users. The skimmer captured the payment data and sent it to a domain registered by the attackers.

A new campaign observed in the wild: Abuse of 404 Pages

The Akamai Security Intelligence Group detected a Magecart web skimming campaign that is targeting an extensive list of websites, including large organizations in the food and retail industries.

This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that pose unique challenges for detection and mitigation.

You can read more about the campaign on SOCRadar’s lab page.

How to Prevent Magecart Attacks?

Magecart attacks are difficult to detect and prevent because they target client-side code, which runs on users’ browsers and falls outside of common web controls, such as web application firewalls (WAFs). However, there are some steps that website owners can take to reduce the risk of Magecart attacks, such as:

  • Monitor and audit your website’s code regularly for any unauthorized changes or injections.
  • Use SubResource Integrity (SRI) tags to ensure that your website only loads scripts that have not been tampered with.
  • Use Content Security Policy (CSP) headers to restrict what sources your website can load scripts from and what domains your website can communicate with.
  • Use HTTPS encryption for your website and enforce HTTP Strict Transport Security (HSTS) headers to prevent man-in-the-middle attacks.
  • Update your website’s software and plugins frequently and apply security patches as soon as they are available.
  • Vet your third-party vendors carefully and limit their access to your website’s code and data.

Learn more on SOCRadar’s Campaigns Page.