
New web skimmer attack: Akamai reveals threat to e-commerce sites

Akamai investigation exposes growing harmfulness of e-skimming techniques, putting personal data and credit card information at risk


Akamai, a leading cybersecurity company, has recently detected a sophisticated Magecart-style web skimming campaign targeting the theft of Personally Identifiable Information (PII) and credit card data from e-commerce portals. During the operation, attackers use a combination of evasive strategies including Base64 obfuscation and host masquerading to mimic familiar third-party services such as Google Analytics or Google Tag Manager. These types of attacks, also called e-skimming or Magecart, began in 2016, but in recent years their intensity has grown to the point where they pose a threat to individuals and companies.

Methods of attack and techniques of evasion

According to Akamai, the perpetrators of these intrusions plant these digital skimmers on previously compromised legitimate sites, inserting malicious scripts with the intent to steal all the details entered in the online payment sections. The particularity of this recent campaign is the use of vulnerable legitimate websites, compromised to facilitate the concealment of attacks on other targeted e-commerce portals. They first identify vulnerable legitimate sites, then use them as command and control (C2) servers to launch their attacks and host the skimmer code. Next, they inject pieces of JavaScript code into exposed e-commerce portals (Magento, WooCommerce, WordPress and Shopify) by fetching the malicious code from the previously compromised sites.

Confirmation of risk and misuse of personal data

Leveraging reputable sites to spread digital skimmers makes it easier for attackers to evade detection systems. For data exfiltration, they apply a Base64 encoding layer to obfuscate the transmission and minimize the possibility of discovery. Once the information is stolen, it is sent to the C2 server through an HTTP request made by creating an IMG tag element. The detected victims are mainly in North America, Latin America and Europe, with some sites handling hundreds of thousands of monthly visitors, exposing them to the risk of theft, misuse and sale of personal data and credit cards.
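The following added example, which is not taken from Akamai's research, shows one way a defender could check the outbound requests recorded from a checkout page for the exfiltration pattern described above: an image request to a third-party host whose query value is Base64 text containing card or contact data. The request list shape, host names and function names are assumptions constructed for illustration (Node.js).

```javascript
// Added example: flag third-party image requests whose query values are
// Base64 text containing a card number or e-mail address.

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Decode a query value as Base64; null unless well-formed and printable ASCII.
function decodeBase64Text(value) {
  // URLSearchParams turns an unescaped '+' into a space; undo that, accept base64url.
  const v = value.replace(/ /g, '+').replace(/-/g, '+').replace(/_/g, '/');
  if (v.length < 16 || !/^[A-Za-z0-9+/]+={0,2}$/.test(v)) return null;
  const text = Buffer.from(v, 'base64').toString('utf8');
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

// requests: [{ type, url }] as recorded by a crawler or browser log (assumed shape).
function findSkimmerBeacons(requests, pageHost) {
  const findings = [];
  for (const { type, url } of requests) {
    const u = new URL(url);
    if (type !== 'image' || u.hostname === pageHost) continue;
    for (const [param, value] of u.searchParams) {
      const text = decodeBase64Text(value);
      if (!text) continue;
      const cards = (text.match(/\b\d{13,19}\b/g) || []).filter(luhnValid).length;
      const hasEmail = /[\w.+-]+@[\w-]+\.[\w.-]+/.test(text);
      if (cards || hasEmail) findings.push({ host: u.hostname, param, cards, hasEmail });
    }
  }
  return findings;
}

// Constructed sample input: hosts, parameters and values are made up.
const b64 = (s) => Buffer.from(s).toString('base64');
const SAMPLE_REQUESTS = [
  { type: 'image', url: 'https://shop.example.com/img/logo.png?v=20230601' },
  { type: 'image', url: 'https://cdn.example.net/pixel.gif?id=' + encodeURIComponent(b64('this is just a test string')) },
  { type: 'image', url: 'https://stats.example.org/collect.gif?d=' +
      encodeURIComponent(b64('{"cc":"4111111111111111","email":"jane@example.com"}')) },
];
console.log(findSkimmerBeacons(SAMPLE_REQUESTS, 'shop.example.com'));
```

A check like this only catches the single Base64 layer the article describes; a value that is encrypted or encoded in further layers decodes to non-printable bytes and is skipped.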

Advice and prevention for improved safety

To limit the risks of these attacks, the researchers recommend implementing multi-factor authentication for the administrative accounts of e-commerce portals and using reliable credit circuits, with secure and tested payment methods for customers. For customers, it is also advisable to keep antivirus, operating systems, browsers and related plugins up to date, and to set charge limits on their credit cards. Finally, Akamai stresses the importance of addressing the threat of Magecart attacks, as they can cause significant damage to an organization's reputation, as well as direct data loss.


06/05/2023 15:18

Editorial AI
