Beware 404 Error Pages – The New Target of Card Skimming

Another day, another new strategy out there causing a headache for e-commerce merchants. The latest culprit? A new card skimming campaign targeting the 404 pages of retailer’s websites, aimed at stealing credit card information from unsuspecting customers who think they’re on a legitimate page.

While card-skimming techniques are not new, this particular stream of malicious code being used in this way is. Merchants using Magento or WooCommerce sites are at high risk right now, although other food and retail merchants have also become victim to this attack.

Instead of seeing the 404 error page, the customer sees what looks to be a legitimate web page, with a form where they would usually enter their sensitive information like credit card details. Once entered, users see a fake “session timeout” error. What also makes this particular attack tricky is that it is hard to identify by cybersecurity tools. This article from Bleeping Computer shows the code and how it can be hidden within already existing scripts, or disgused as a Meta Pixel code snippet:

But let’s back up a little bit and go back to the basics – how does all of this even work?

What is Card Skimming?

Card skimming, often associated with the Magecart group, involves malicious actors inserting snippets of code into a website’s payment or checkout pages. These code snippets are designed to capture sensitive information, such as credit card numbers and personal data, entered by unsuspecting visitors.

Typically, when an online shopper submits their payment information, the skimming script intercepts the data and sends it to a remote server controlled by the attackers. The victim remains unaware that their information has been compromised. Such attacks have been the focus of cybersecurity experts for years, with numerous high-profile data breaches attributed to Magecart and similar groups.

The 404 Page Twist

Traditionally, card skimming attacks have targeted shopping carts, product pages, and payment gateways. However, cybercriminals are constantly seeking new ways to bypass security measures and fly under the radar. The recent rise of attacks on website 404 error pages is indicative of this trend.

When a user encounters a 404 error page, it often means that the requested page or resource does not exist or has been moved (leaving the original link broken). While this might seem like an unlikely place for an attack, it provides several advantages to hackers:

Lower Visibility

We’ve all encountered these error pages, right? Most users dismiss them as a minor inconvenience and continue browsing. This means the malicious script can run undetected for longer periods.

Reduced Monitoring

404 pages may not receive the same level of scrutiny as payment or checkout pages, making them a tempting target for attackers.

Stealthy Execution

The script can be injected into the error page’s code without raising immediate suspicion. Hackers can often gain easy access to 404 pages as they are more vulnerable due to being less frequently monitored.

The implications of card skimming attacks on 404 pages are alarming:

Data Breaches

Attackers can collect sensitive information from users who believe they’ve simply landing on a 404 page, leading to data breaches that can result in financial losses and identity theft.

Erosion of Trust

Such attacks erode users’ trust in online platforms, as they can’t be certain about the safety of their data even on seemingly benign pages.

Reputation Damage

Website owners can suffer significant reputational damage, especially if the attack goes undetected for an extended period, impacting user confidence in their platform.

Legal Consequences

In many jurisdictions, data breaches carry significant legal consequences. Website owners could face lawsuits, penalties, or regulatory actions if they fail to protect their users’ data.

Protecting Your Website

Given the rise of card skimming attacks on 404 pages, it’s crucial for website administrators to take proactive steps to safeguard their platforms and users. Here are some best practices to consider:

Regular Audits

Conduct regular security audits of your website, including 404 pages, to identify vulnerabilities and unauthorized code.

Content Security Policy (CSP)

Implement a CSP to control which external resources can be loaded and executed on your site. This can help prevent unauthorized scripts from running.

Regularly Monitor Traffic

Keep a close eye on website traffic, especially on error pages. Unusual patterns or unexpected data transfers may indicate an attack.

Keep Software Updated

Ensure that all software, including content management systems and plugins, are up to date to minimize vulnerabilities.

Security Scanning Tools

Use automated security scanning tools to identify and eliminate malicious code on your website.

User Education

Educate your users about online security, advising them to be cautious even when encountering a 404 error page.

Data Encryption

Implement robust encryption mechanisms to protect sensitive data in transit and at rest.

The recent rise of card skimming attacks on website 404 pages underscores the relentless creativity and adaptability of cybercriminals. They are exploiting the vulnerabilities in seemingly harmless error pages to steal sensitive information from unsuspecting users. Website administrators and owners must remain vigilant, regularly update their security measures, and educate their users to mitigate these risks. In an era where online trust is paramount, protecting your website and your users from card skimming attacks is not just a matter of cybersecurity but also one of maintaining reputation and trust.

Related Articles


Credit Card Processing 101: Everything You Need To Know

According to various financial industry surveys and studies, approximately 80% of American consumers prefer card payments over cash, and only 10% of consumers continue to make all of their purchases with cash. Additionally, the Federal Reserve Board says debit, credit or gift cards now makes up two-thirds of all payments not made by cash. In short, if you’re not taking

Read More »

5 Reasons Why Your Business Needs To Accept Mobile Payments If It Isn’t Already

Mobile payments via digital wallets were already becoming more prevalent as consumers became increasingly comfortable with the technology and as more merchants offered terminals that accept mobile payments from devices at the point of sale. In a post-pandemic world, contactless payments are even more appreciated. Now, 67% of shoppers want self-checkout options from mobile devices.  Beyond avoiding germs, mobile payments provide businesses

Read More »

How to Select The Best Payment Processor For ISOs and Agents

When it comes to payment processors, there is an array of options to pick from. As a result, finding the right one to do business with can be challenging. Ensure you understand how each processor, and their respective products and services, operate. Finding the right payment processor will be crucial to the success of your business and should serve as

Read More »

Digital Payments Are Now Critical To The Success of Restaurants

Back in April of 2020, during the early days of the pandemic, a study in the U.S. revealed that 52% of consumers said they would stick to their new digital grocery shopping methods after the crisis ended.[1] As we close out 2021, trends toward safety, efficiency, and personal service show no signs of slowing down. Already we’ve seen both quick

Read More »

Fraud Protection in the E-Commerce World

Want to hear something scary? Analysts project that small and medium businesses will be hit with more than $130 billion in losses due to payment fraud over the next five years. Before the rise of the digital world, fraud could be committed by stealing someone’s identity, running schemes like money laundering or embezzlement of cash, producing counterfeit money, forgery, etc.

Read More »

Shielding Your Business from Chargebacks: Protecting Your Profits

It’s the nightmare of every business. You’ve put in the time and effort to create a product or solution, build your website, grow your customer base, and provide a seamless purchasing process… only to get hit with a chargeback. As the name suggests, a chargeback means that instead of a mutually-agreed upon refund, the business is charged back – usually

Read More »