Magecart Campaign Reaches Magento and WooCommerce Stores by Exploiting 404 Pages

Researchers have identified a dangerous campaign in which attackers insert malicious scripts into pages that display a 404 error. The aim is to steal bank card data from visitors of widely used online stores. The findings come from the Akamai Security Intelligence Group as reported by BleepingComputer, and they highlight a new tactic in Magecart operations that targets popular e-commerce platforms.

The latest campaign focuses on online shops built on Magento and WooCommerce. Hackers compromise these sites, inject web skimmers and rogue modules into the site code, and then leverage 404 error pages to deliver their malicious components. Instead of presenting a normal storefront interface, users encounter a 404 page that helps the attackers hide their unauthorized changes while loading skimming tools onto the visitor’s device.

Once the skimmer is installed and the compromised page is cached or revisited, the user may see a counterfeit form when trying to reload the store. This fake form collects payment details and transmits them directly to the attackers, enabling theft of card data during checkout or payment submission.

Researchers at the Akamai Security Intelligence Group (ASIG) describe the technique as innovative because it repurposes a standard 404 error page to create new opportunities for evasion and stealth. The approach gives attackers several advantages, such as avoiding early detection and blending with normal traffic patterns on the site. This makes it harder for site administrators and monitoring tools to distinguish malicious activity from legitimate requests.

In practice, the injected modules can remain quiet for a period, appearing as legitimate extensions to analytical systems and logging frameworks. The additional load these malicious components generate is often misclassified as normal traffic by security analytics, allowing the intrusion to persist without triggering alarms for longer than typical Magecart campaigns.

The discovered operations build on prior Magecart methods, expanding the toolkit with a new twist that leverages error-handling pages to manipulate user perception. By presenting a 404 page that looks like a natural part of the store experience, attackers improve the likelihood that visitors will interact with the fraudulent form and disclose payment details without realizing a compromise is occurring.

Industry observers emphasize the importance of rigorous site hygiene and continuous monitoring. Regular audits of all storefront scripts, strict integrity checks, and rapid response plans can help reduce the dwell time of skimmers and limit data exposure. For operators of Magento and WooCommerce stores, the lesson is clear: keep extensions current, review dependencies, and ensure that security layers can differentiate between legitimate and injected code, even on error pages.

Security teams also stress the value of isolated testing environments, content security policies, and client-side protections that can block unauthorized scripts from executing on 404 pages. While no system is perfectly protected, a layered defense significantly lowers the risk of this Magecart variation succeeding against modern e-commerce infrastructure.

In sum, the recent campaign marks a notable evolution in Magecart tactics. By exploiting 404 error pages to deploy skimmers on Magento and WooCommerce stores, attackers gain new ways to stay hidden while harvesting payment details. The cybersecurity community continues to study this pattern, sharing insights to help retailers strengthen defenses and reduce exposure to these evolving threats.
