Written by Ziv Eli - Engineering Manager, Security and Maor Hod - Senior Product Manager, Security
In this blog, we will take a look at and break down a recent Magecart attack detected and mitigated by Page Integrity Manager. The impacted customer operates a large international e-commerce business in which one of its websites was compromised with a malicious script.
All users visiting the website were exposed to this script, but it was only effective on specific pages -- the mobile checkout form and one of the web checkout forms.
The attack used string manipulation techniques to evade detection of sensitive data being reflected in outbound traffic: it employed a UTF-16 charcode shift cipher, swapping each letter with its UTF-16 code representation and applying a 10-place rotation. As an example, with the shift cipher method described above, the string "a", which has a UTF-16 charcode of 97, would be represented as 107 in the payload sent to the C2 server.
The malicious skimmer code found on the customer website
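As an added example (not code from the original post or from Page Integrity Manager), the following shows the defender's side of the encoding described above: reversing the UTF-16 shift-by-10 on a captured outbound payload and checking whether the decoded text carries a Luhn-valid card number, so that the exfiltration can be flagged even though the raw payload contains no digits from the card itself. The payload serialization (a comma-separated list of charcodes) and the sample payload are assumptions constructed for the example; the post does not show the real wire format.

```javascript
// Added example: decode a shifted-charcode payload and flag card data in it.
// The comma-separated serialization is an assumption (not shown in the post).
const SHIFT = 10;

// Reverse the shift: each number in the payload is a UTF-16 charcode + 10.
function decodeShifted(payload, shift = SHIFT) {
  return payload
    .split(',')
    .map((n) => Number(n.trim()))
    .filter((n) => Number.isInteger(n) && n - shift >= 0 && n - shift <= 0xffff)
    .map((n) => String.fromCharCode(n - shift))
    .join('');
}

// Luhn check on a digit string (13-19 digits covers the common PAN lengths).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return the Luhn-valid card-like numbers found in text (separators removed).
function findCardNumbers(text) {
  const matches = text.match(/(?:\d[ -]?){12,18}\d/g) || [];
  return matches.map((m) => m.replace(/[ -]/g, '')).filter(luhnValid);
}

// Classify an outbound payload: decode it first, then look for PANs.
function inspectOutboundPayload(payload) {
  const decoded = decodeShifted(payload);
  const cards = findCardNumbers(decoded);
  return { decoded, suspicious: cards.length > 0, cards };
}

// Constructed sample: a checkout-form capture using a well-known test PAN,
// encoded the way the post describes (each charcode + 10).
const samplePayload = Array.from('cc=4111111111111111&exp=12/26&name=Jane Doe')
  .map((ch) => ch.charCodeAt(0) + SHIFT)
  .join(',');

console.log(inspectOutboundPayload(samplePayload));
```

The same decode-then-inspect step can be applied to any outbound request body a page-monitoring tool captures; a plain-text PAN check alone would miss the shifted form entirely.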
The attacker's C2 server used a name very similar to the brand name of our compromised customer, with a different top-level domain. This is a common characteristic of this type of attack and a good way to evade the human eye, since the domain looks legitimate.
Page Integrity Manager observed the described behavior and raised it as a "Suspected Web Skimming" attempt.
Page Integrity Manager: incident report overview
In the incident detection report, we displayed the script behavior chain highlights, which break down the malicious code execution behavior detected by Page Integrity Manager, after running it through a series of classifiers, detectors, and AI models. The events that the AI models found as anomalous were given an "Unusual Activity" tag, indicating they were not expected in this code execution context based on observed historical application data.
Zooming into the summary, it is clear that the anomalous events were of type "Read from sensitive data" and "Sent outbound traffic" -- indicating that there was an anomaly in reading values from sensitive fields (e.g., obtaining the values of the credit card input) and there were unexpected network requests.
Script Behavior Chain: showing highlights from the tree representation of code execution events collected from the page
Furthermore, Page Integrity Manager also provided information about the individual user sessions that were affected by the incident, to better track and understand impact.
Incident report: affected session log
Incident report: affected session over time
The customer immediately received an automated alert with detailed information to understand the suspicious behavior, and the customer's web team double-confirmed that the suspicious activity did not belong to them. This prompted the customer to take action. It applied an Incident Response policy, one of Page Integrity Manager's core features, to protect real-user browser sessions from contacting the attacker's C2 server in real time, which prevented sensitive data from being exfiltrated from end-user browsers. This happened in parallel to the customer updating its app to no longer include the malicious script.
Incident action taken: "Deny outbound traffic"
By having always-on, always-detecting monitoring and alerting, the customer was able to see, understand, and mitigate a zero-day event in minutes. Also, creating a policy based on detected suspicious behavior with a single button press relieves customers of delayed updates and heavy security team workloads.
This is a typical example of what Page Integrity Manager can detect, present in a timely manner to a customer, and mitigate quickly.
Magecart continues to be an active threat vector that targets e-commerce companies of all sizes -- some attackers use generic skimmer code while others employ very targeted and tailored skimmers such as the above example. Further, these attacks are not isolated to third-party hostnames and services -- malicious scripts can impact your real users from both first-party and third-party assets.
This attack detection and mitigation demonstrates once again that in-browser protection needs to be an integral part of any business with a significant online presence.
To learn more, please visit akamai.com/PIM.