A newly discovered Magecart card-skimming campaign [3] exploits the 404 error pages of online retailer websites [1] [3]. The campaign specifically targets Magento and WooCommerce sites [1] [2], with a focus on large organizations in the food and retail sectors [4].

Description

The attackers manipulate the default 404 error page to hide and execute their code [3], allowing them to steal customers’ credit card data. They achieve this by concealing code in the “onerror” attribute of an HTML image tag and in an image binary [1], so that it resembles the Meta Pixel code snippet [1]. By altering the default error page [1] [3] [4] [5], the attackers can display a fake form that asks visitors for sensitive details [1], such as credit card numbers [1]. Once a victim submits the information [1], they receive a fake “session timeout” error while the data is sent to the attackers via an image request URL [1]. This method helps the attackers avoid detection by network monitoring tools [1].

The campaign also includes other variations that obfuscate the skimmer code in malformed HTML image tags [5]. These techniques aim to circumvent security measures and make the attack harder to detect [5]. Akamai security researchers identified the obfuscated JavaScript attack code by discovering a regex match in the loader for the string “COOKIE_ANNOT” in the HTML of the 404 page. This finding highlights the constant evolution and increasing sophistication of web skimming techniques [1], which makes detection and mitigation more difficult.
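A defender-side check for the indicators described above, as an added example that is not from the original page or from Akamai: it scans a 404 response body for the “COOKIE_ANNOT” marker and for image tags whose “onerror” handler runs dynamically built code. The keyword list, the length threshold and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

MARKER = "COOKIE_ANNOT"  # string the page reports in the tampered 404 HTML
# Assumption: a legitimate onerror fallback rarely builds or runs code from strings.
DYNAMIC_CODE = re.compile(r"\b(eval|atob|Function|fromCharCode|unescape)\s*\(")
MAX_HANDLER_LEN = 120  # assumed threshold; tune against your own templates


class ImgOnerrorCollector(HTMLParser):
    """Collect onerror handlers from <img> tags (html.parser does not raise on bad markup)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.handlers += [v for k, v in attrs if k == "onerror" and v]


def scan_error_page(html):
    """Return findings for one 404 response body; an empty list means nothing matched."""
    findings = []
    if MARKER in html:
        findings.append("marker:" + MARKER)
    parser = ImgOnerrorCollector()
    parser.feed(html)
    parser.close()
    for handler in parser.handlers:
        if DYNAMIC_CODE.search(handler):
            findings.append("img-onerror:dynamic-code")
        elif len(handler) > MAX_HANDLER_LEN:
            findings.append("img-onerror:long-handler")
    return findings


# Constructed sample bodies, not taken from any real site.
CLEAN_404 = """<html><body><h1>404 Not Found</h1>
<img src="/logo.png" onerror="this.style.display='none'"></body></html>"""
TAMPERED_404 = """<html><body><h1>404 Not Found</h1>
<!-- COOKIE_ANNOT PLACEHOLDER -->
<img src="/px" onerror="eval(atob('PLACEHOLDER'))"></body></html>"""

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_404), ("tampered", TAMPERED_404)):
        print(name, scan_error_page(body))
```

Run it against the body your own site returns for a path that does not exist, and compare the result with the stock error template.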

Conclusion

The discovery of this Magecart card skimming campaign highlights the need for organizations, especially those using Magento and WooCommerce, to remain vigilant and implement robust security measures [4]. The attackers’ ability to exploit 404 error pages and manipulate code demonstrates the constant evolution and increasing sophistication of cybercriminal tactics. Detecting and mitigating these attacks becomes more challenging as techniques become more advanced. It is crucial for organizations to stay updated on the latest security measures and remain proactive in protecting against these evolving tactics employed by cybercriminals.

References

[1] https://www.thehindu.com/sci-tech/technology/internet/hackers-fake404-error-page-steal-sensitive-data/article67403068.ece
[2] https://thehackernews.com/2023/10/new-magecart-campaign-alters-404-error.html
[3] https://cybermaterial.com/october-10-2023-cyber-briefing/
[4] https://cybersecurity-see.com/magecart-hackers-conceal-themselves-within-404-error-pages/
[5] https://patabook.com/technology/2023/10/10/new-magecart-campaign-alters-404-error-pages-to-steal-shoppers-credit-cards/