The Akamai Blog

How Page Integrity Manager Detects Real-World Magecart Attacks

Written by Ziv Eli - Engineering Manager, Security and Maor Hod - Senior Product Manager, Security


In this post, we break down a recent Magecart attack that Page Integrity Manager detected and mitigated. The impacted customer operates a large international e-commerce business; one of its websites was compromised with a malicious script.

As we all are aware by now, Magecart is the name given to a number of criminal groups targeting online businesses of all sizes, mainly e-commerce, whose goal is to harvest sensitive end-user information from the browser (e.g., skimming credit card data from buyers on the checkout page). Typically, malicious JavaScript is injected through one of the site vendors' scripts or through the company's first-party assets, normally by identifying and exploiting a specific vulnerability that lets the attacker alter the website's resources before they reach end-user browsers.


The attack we detected was a first-party JavaScript injection, embedded as an inline script tag in the index HTML page. It is unclear exactly how the attackers infiltrated the first-party environment and planted their skimmer in the website; possibilities include an insider compromise, a compromised development pipeline, or exploitation of a vulnerability, such as one yielding remote code execution (RCE) or allowing a poorly protected file to be overwritten.

All users visiting the website were exposed to this script, but it was only effective on specific pages -- the mobile checkout form and one of the web checkout forms.

The skimmer obfuscated the stolen values before exfiltration to evade detection of sensitive data reflected in outbound traffic (a plaintext card number appearing in a request body, for example). It used a UTF-16 charcode shift cipher: each character is replaced by its UTF-16 code unit, shifted by 10 places. As an example, the letter "a", which has a UTF-16 charcode of 97, is represented as 107 in the payload sent to the C2 server.


The malicious skimmer code found on the customer website


The attacker's C2 server used a name very similar to the brand name of our compromised customer, with a different top-level domain. This is a common characteristic of this type of attack and a good way to evade the human eye, since the domain looks legitimate.


On the checkout page, when a user submitted the payment form, the injected JavaScript attempted to read all of the form inputs (credit card number, cardholder name, CVV, expiry date), apply the cipher algorithm described above, and send the result to the C2 server.
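The cipher and the exfiltration step together, as an added example that is not the skimmer's actual code and not part of the original post: `shiftEncode` and `shiftDecode` implement the +10 UTF-16 code-unit shift described above (so "a" becomes 107), `buildExfilPayload` models the read-encode-send step on a plain object standing in for the checkout form, and `decodeExfilPayload` is the decoder an analyst would use on a captured C2 request. The payload framing (`field=code,code,...` segments joined with "|"), the function names and the sample form data are assumptions; only the shift value comes from the write-up.

```javascript
// Added example: a model of the UTF-16 charcode shift cipher described in the
// post and of the skimmer's read-encode-exfiltrate step. This is not the
// skimmer's own code. SHIFT = 10 comes from the write-up; the payload framing
// ("field=code,code,...|field=...") and all function names are assumptions.
const SHIFT = 10;

// Encode: replace each UTF-16 code unit by (code + SHIFT), emitted as a number.
// "a" (97) therefore becomes 107, matching the example in the post.
function shiftEncode(str, shift = SHIFT) {
  const codes = [];
  for (let i = 0; i < str.length; i++) {
    codes.push(str.charCodeAt(i) + shift);
  }
  return codes;
}

// Decode: undo the shift and rebuild the string from code units.
function shiftDecode(codes, shift = SHIFT) {
  return String.fromCharCode(...codes.map((c) => c - shift));
}

// What the skimmer did on submit: read every checkout field, encode each value,
// and serialise everything into one string for the C2 request. `fields` is a
// plain object standing in for the DOM form so the example runs offline.
function buildExfilPayload(fields) {
  return Object.entries(fields)
    .map(([name, value]) => `${name}=${shiftEncode(String(value)).join(",")}`)
    .join("|");
}

// Analyst helper: recover the stolen fields from a captured payload.
function decodeExfilPayload(payload) {
  const recovered = {};
  for (const part of payload.split("|")) {
    const [name, codes] = part.split("=");
    recovered[name] = shiftDecode(codes.split(",").map(Number));
  }
  return recovered;
}

// Why the shift defeats a naive "card number reflected in outbound traffic"
// check: digits 0-9 (codes 48-57) become 58-67, so no 13-19 digit run survives.
const PAN_PATTERN = /\b\d{13,19}\b/;
function looksLikePlaintextCardData(body) {
  return PAN_PATTERN.test(body);
}

// Constructed sample form (a standard test card number, not real data).
const sampleForm = {
  cardNumber: "4111111111111111",
  cardHolder: "Jane Doe",
  cvv: "123",
  expiry: "12/27",
};

const payload = buildExfilPayload(sampleForm);
console.log(payload);
console.log(looksLikePlaintextCardData("cardNumber=4111111111111111")); // true
console.log(looksLikePlaintextCardData(payload)); // false
console.log(decodeExfilPayload(payload));
```

The point of the last two checks is the gap the skimmer was exploiting: a detector that only pattern-matches card numbers in outbound request bodies sees nothing, which is why the behavioural signal (who read the field, and where the script then sent traffic) matters more than the bytes on the wire.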

Page Integrity Manager observed the described behavior and raised it as a "Suspected Web Skimming" attempt.


Page Integrity Manager: incident report overview


The incident detection report displays the script behavior chain highlights: a breakdown of the malicious code's execution behavior as detected by Page Integrity Manager after running it through a series of classifiers, detectors, and AI models. Events the AI models flagged as anomalous carry an "Unusual Activity" tag, meaning they were not expected in this code execution context given the historical application data observed.

Zooming into the summary, it is clear that the anomalous events were of type "Read from sensitive data" and "Sent outbound traffic" -- indicating that there was an anomaly in reading values from sensitive fields (e.g., obtaining the values of the credit card input) and there were unexpected network requests.
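A toy model of the baseline comparison the report describes, as an added example (not Page Integrity Manager's implementation and not code from the original post): events absent from the historical baseline are tagged "Unusual Activity", and a script that both reads sensitive fields and sends outbound traffic unexpectedly is escalated to "Suspected Web Skimming". It also flags destinations that reuse the site's brand label on a different domain, tying in the lookalike C2 hostname noted earlier. The event shape, the baseline set, the lookalike heuristic and all hostnames and script names are assumptions.

```javascript
// Added example, not Page Integrity Manager's code: a toy version of the
// baseline-versus-observed comparison the incident report describes. The event
// shape, the historical "baseline", the lookalike-domain heuristic and all
// hostnames are constructed assumptions for illustration.

// Form fields whose reads count as "Read from sensitive data".
const SENSITIVE_FIELDS = new Set(["cardNumber", "cardHolder", "cvv", "expiry"]);

// An event is { script, type, target }: type "read" targets a form field,
// type "send" targets the destination hostname of an outbound request.
function eventKey(ev) {
  return `${ev.script}|${ev.type}|${ev.target}`;
}

// The baseline is simply every (script, type, target) triple seen historically.
function buildBaseline(historicalEvents) {
  return new Set(historicalEvents.map(eventKey));
}

// Naive registrable label: second-to-last DNS label (good enough for the demo).
function brandLabel(hostname) {
  const labels = hostname.split(".");
  return labels.length >= 2 ? labels[labels.length - 2] : hostname;
}

// Lookalike: same brand label as the protected site but a different hostname,
// e.g. shop.example.xyz versus shop.example.com.
function isBrandLookalike(hostname, siteHostname) {
  return hostname !== siteHostname && brandLabel(hostname) === brandLabel(siteHostname);
}

// Compare one page view's events with the baseline. Events absent from the
// baseline are "Unusual Activity"; a script that both reads sensitive fields
// and sends outbound traffic unexpectedly is escalated to "Suspected Web Skimming".
function analyseSession(events, baseline, siteHostname) {
  const unusualByScript = new Map();
  for (const ev of events) {
    if (baseline.has(eventKey(ev))) continue;
    if (!unusualByScript.has(ev.script)) unusualByScript.set(ev.script, []);
    unusualByScript.get(ev.script).push(ev);
  }
  const findings = [];
  for (const [script, evs] of unusualByScript) {
    const sensitiveReads = evs
      .filter((e) => e.type === "read" && SENSITIVE_FIELDS.has(e.target))
      .map((e) => e.target);
    const destinations = evs.filter((e) => e.type === "send").map((e) => e.target);
    findings.push({
      script,
      verdict: sensitiveReads.length && destinations.length
        ? "Suspected Web Skimming"
        : "Unusual Activity",
      sensitiveReads,
      destinations,
      lookalikeDestinations: destinations.filter((h) => isBrandLookalike(h, siteHostname)),
    });
  }
  return findings;
}

// Constructed baseline: the site's own checkout script legitimately reads the
// card fields and posts to the payment provider.
const SITE = "shop.example.com";
const historical = [
  { script: "/js/checkout.js", type: "read", target: "cardNumber" },
  { script: "/js/checkout.js", type: "read", target: "cardHolder" },
  { script: "/js/checkout.js", type: "read", target: "cvv" },
  { script: "/js/checkout.js", type: "read", target: "expiry" },
  { script: "/js/checkout.js", type: "send", target: "checkout.payprovider.example" },
];

// Constructed events from a compromised page view: the legitimate chain, a new
// but harmless analytics beacon, and an inline script that reads the card
// fields and sends to a brand lookalike on another TLD.
const observed = [
  ...historical,
  { script: "https://cdn.analytics.example/tag.js", type: "send", target: "collect.analytics.example" },
  { script: "inline#3", type: "read", target: "cardNumber" },
  { script: "inline#3", type: "read", target: "cvv" },
  { script: "inline#3", type: "send", target: "shop.example.xyz" },
];

function runDemo() {
  return analyseSession(observed, buildBaseline(historical), SITE);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Note what the baseline buys: the legitimate checkout script reads exactly the same sensitive fields, so a per-event rule ("someone read the card number") would fire constantly. Keying on the (script, event, target) triple is what separates the inline skimmer from first-party code doing the same reads, and correlating an unexpected sensitive read with an unexpected send from the same script is what turns "Unusual Activity" into a skimming verdict rather than a noisy alert on a new analytics beacon.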


Script Behavior Chain: showing highlights from the tree representation of code execution events collected from the page


Furthermore, Page Integrity Manager also provided information about the individual user sessions that were affected by the incident, to better track and understand impact.


Incident report: affected session log


Incident report: affected session over time



The customer immediately received an automated alert with detailed information about the suspicious behavior, and the customer's web team confirmed that the activity was not theirs. This prompted the customer to take action: it applied an Incident Response policy, one of Page Integrity Manager's core features, which in real time prevents real-user browser sessions from contacting the attacker's C2 server and so stopped sensitive data from being exfiltrated from end-user browsers. In parallel, the customer updated its app to remove the malicious script.


Incident action taken: "Deny outbound traffic"



With always-on monitoring and alerting, the customer was able to detect a zero-day event, understand it, and mitigate it within minutes. Creating a policy from the detected suspicious behavior with a single button press also spares customers from waiting on code deployments and from heavy security-team workloads.

This is a typical example of what Page Integrity Manager can detect, present in a timely manner to a customer, and mitigate quickly.

Magecart continues to be an active threat that targets e-commerce companies of all sizes. Some groups use generic skimmer code, while others employ highly targeted, tailored skimmers such as the one above. Further, these attacks are not confined to third-party hostnames and services: malicious scripts can reach your real users from first-party and third-party assets alike.

This attack detection and mitigation demonstrates once again that in-browser protection needs to be an integral part of any business with a significant online presence.

To learn more, please visit akamai.com/PIM.