• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Magento Credit Card Swiper Exports to Image

October 17, 2016Ben MartinEspanolPortugues

FacebookTwitterSubscribe

Over the past year we have seen a rash of credit card swipers in Magento and other ecommerce-based websites. In fact, we have been finding new variants nearly every week. It is no surprise that ecommerce sites are lucrative for attackers. Although attackers have many ways of making money by hacking websites (such as with malware distribution and SEO spam) stealing credit cards is one of the most notorious.

It is common knowledge that there can be risks associated with shopping online. Identity and credit card theft continue to cause concern among would-be shoppers. If a website takes credit card payments and is not PCI compliant there can be fines and other repercussions when customers are impacted by hacks like these.

Typically the malicious code will grab credit card numbers or login details and send them to the attacker’s email address or dump them into a file. In this case, however, there was an interesting twist.

Scanning Magento for Swipers

Our initial scans came up clean which meant we needed to investigate further. With Magento sites there are a few common themes when it comes to cleaning and removing credit card swipers. I decided to check the following Magento core file:

app/code/core/Mage/Payment/Model/Method/Cc.php

This is a very common location for attackers to place swiper code on Magento sites:

app/code/core/Mage/Payment/Model/Method/Cc.php
The Cc.php file is often infected with swiper code

Would you look at that! The file had been modified recently compared to the rest of the files in that directory. The last modified date and time stamp can prove quite useful for narrowing down infected files.

In this case, the file did just as we expected.

Credit Card Details in Image Files

Taking a look inside Cc.php I found the malicious code that dumps stolen details into an image file.

Stolen credentials are stored inside an image file

This is not out of the ordinary. It is actually characteristic of a lot of the credit card swipers we have seen lately.

Attackers use image files as an obfuscation technique to hide stolen details from the website owner. The image file usually doesn’t contain a real image, however, no one really suspects an image file to contain malware. This gives the attacker a secret place to store data. If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack.

What we found to be very peculiar in this case is that the image itself actually worked:

The image that contained stolen credentials
The image that contained stolen Magento customer credentials

It looks like a regular image from the website!

Legitimate Image

The most interesting fact is that this image was related to products sold on the victim website. Most website owners would be none the wiser if they came across this image and opened it to make sure it worked.

Very often when trying to view the images that contain stolen cards you would receive an error response such as:

There was an error displaying this image

Even checking the source of the image nothing seemed out of the ordinary at first:

Image source data
Looks similar to a typical image source code

This matches what a typical image looks like when viewing its source in a text editor. The jumbled mass of code is translated by image-viewing programs to show you a pretty picture. The source code behind the image appears overwhelming and cryptic.

In this case, I had to look closer in order to see what the attacker had done with the stolen credentials.

Below all of the legitimate image source code is a long list of stolen credit card numbers:

Credit card numbers below the image data (censored)

We blurred out the content to protect the innocent but you can see the first four numbers of each credit card number that has been stolen.

Most people impacted by this Magento credit card swiper were from the United States, but some were from overseas in Japan, Turkey, and Saudi Arabia (even a few near me in Vancouver, BC).

To obtain the stolen numbers the attacker would not even have to maintain access to the site. The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.

Of course, we deleted the entire contents so that nobody would be able to download it going forward.

Protect Your Site

Keep your Magento website up to date and apply all the latest patches!

If you are uncertain how to update, you can protect your website with our Sucuri Firewall. Also, make sure your administration panel uses a long, complex password that is difficult to guess or brute force. You should also spend some time becoming familiar with our series of PCI compliance posts.

FacebookTwitterSubscribe

Categories: Ecommerce Security, Magento SecurityTags: Obfuscation, PCI Compliance

About Ben Martin

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter

Reader Interactions

Comments

  1. Sean Owens

    October 18, 2016

    Its also important to note that some hacks preserve the file modification date, so changed files cannot be easily found.

    • rngdmstr

      October 19, 2016

      Yes that is correct. Time stamps can be easily modified so you can’t
      always trust that, however in many, many cases we work with the
      attackers are lazy and don’t even bother to conceal that. It’s important
      to have file integrity monitoring in place in order to keep track of
      modifications.

      • qdPM Project Management

        November 7, 2016

        You can always check the ctime rather than the mtime.

        A simple cron is

        find /home/XXXXXXXX/public_html -type f -cmin -30 -exec ls -ls {} ; | mail -E -s “File Changes in Last 30 Minutes” myemail@domain.com

  2. Henrique Vianna

    October 18, 2016

    In fact, steganalysis techniques and metadata analysis can identify changes in that image

    • rngdmstr

      October 19, 2016

      Yes, that is true! In this case no such analysis was needed, though. Just found the reference to the image in the Magento core file, downloaded the image, viewed its source using vim and scrolled to the bottom of its contents.

      • qdPM Project Management

        November 7, 2016

        I guess what we are saying is this needs something stronger than happenstance to protect sites from this emerging issue.

    • qdPM Project Management

      November 7, 2016

      That is good to know but is there any php based tool that will do that?
      We run cron jobs to detect all types of files changes but this is not something we have a tool for.

      • Henrique Vianna

        November 21, 2016

        Unfortunately, not that i’m aware (for steganalysis). You will need to implement the code, that basically is math… you can search for some algorithms the help your understanding:

        -blindHide
        -HideSeek
        -FilterFirst
        -BattleSteg

        Some Filter like:

        -Laplace
        -Sobel
        -Prewitt

        Some Analysis:

        -RS Analysis
        -Sample Pairs
        -Laplace
        -LSB Enhancement
        – RGB atack

        Etc..

  3. qdPM Project Management

    October 27, 2016

    So is there any tool that would check all images in a folder to detect if they had been modified? Would the metadata a different file size to the actual file size for instance?

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.